This space is archived
For current information please use the current ExamSys documentation
Security Principles
Variable Checking
Where possible, scripts should check for any variables they need as early as possible and exit if any are missing. Exiting early minimises PHP warnings and fatal errors.
New code must use one of these methods to access all variables passed to a page.
The param class contains 4 methods that can be used to check and clean variables passed to a page:
param::clean()
param::clean($value, $type)
Parameter | Type | Explanation |
---|---|---|
$value | mixed | The value that should be cleaned |
$type | int | The type that $value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |
The cleaned value will be returned, or null if it does not match the type passed.
param::clean_array()
param::clean_array($value, $type, $required)
Parameter | Type | Explanation |
---|---|---|
$value | array | The array that should be cleaned |
$type | int | The type that $value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |
$required | boolean | Default: false. If true and a parameter in the array is not of the required type, an exception will be thrown. |
Returns an array containing only values of the appropriate type. If $required is true, a MissingParameter exception will be thrown if any value of the array is not of the required type.
param::required()
param::required($name, $type, $from)
Parameter | Type | Explanation |
---|---|---|
$name | string | The name of the parameter to be retrieved |
$type | int | The type that the parameter value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |
$from | string | Default: param::FETCH_REQUEST. Should be one of: param::FETCH_GET, param::FETCH_POST or param::FETCH_REQUEST |
Returns the value of the parameter if it is set. Throws a MissingParameter exception if the value is either not set or invalid for the type.
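The behaviour documented above for param::clean(), param::clean_array() and param::required(), shown as an added example that is not ExamSys code. The `param` and `MissingParameter` classes here are a stand-in that models only param::FLOAT, the constant values are assumptions, and the request parameter names are hypothetical.

```php
<?php
// Stand-in modelling only the contract documented above; NOT the ExamSys source.
class MissingParameter extends Exception {}
class param {
    const FLOAT = 1;              // constant values are assumptions
    const FETCH_GET = 'get';
    const FETCH_POST = 'post';
    const FETCH_REQUEST = 'request';
    // Returns the cleaned value, or null if it does not match the type.
    public static function clean($value, $type) {
        if ($type !== self::FLOAT || !is_scalar($value)) {
            return null;          // an array (e.g. mark[]=1) is never a valid float
        }
        $f = filter_var($value, FILTER_VALIDATE_FLOAT);
        return $f === false ? null : $f;
    }
    // Keeps only valid elements; with $required = true any invalid element throws.
    public static function clean_array($value, $type, $required = false) {
        $out = [];
        foreach ($value as $key => $item) {
            $cleaned = self::clean($item, $type);
            if ($cleaned !== null) {
                $out[$key] = $cleaned;
            } elseif ($required) {
                throw new MissingParameter("invalid element: $key");
            }
        }
        return $out;
    }
    // Throws when the parameter is not set or is invalid for the type.
    public static function required($name, $type, $from = self::FETCH_REQUEST) {
        $src = ['get' => $_GET, 'post' => $_POST, 'request' => $_REQUEST][$from];
        $cleaned = isset($src[$name]) ? self::clean($src[$name], $type) : null;
        if ($cleaned === null) {
            throw new MissingParameter("missing or invalid: $name");
        }
        return $cleaned;
    }
}

// Constructed request data; 'mark', 'weights' and 'penalty' are hypothetical names.
$_POST = ['mark' => '7.5', 'weights' => ['0.5', 'abc', '2']];
try {   // validate every input first, before the script does any other work
    $mark = param::required('mark', param::FLOAT, param::FETCH_POST);
    $weights = param::clean_array($_POST['weights'], param::FLOAT);
    var_dump($mark, $weights);    // 'abc' is filtered out; original keys are kept
    param::required('penalty', param::FLOAT, param::FETCH_POST);   // never sent
} catch (MissingParameter $e) {
    exit('Rejected: ' . $e->getMessage() . PHP_EOL);
}
```

Passing true as the third argument to clean_array() makes the invalid 'abc' element raise MissingParameter instead of being silently dropped, which is the safer choice when every element is expected to be present.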
param::optional()
param::optional($name, $default, $type, $from)
Parameter | Type | Explanation |
---|---|---|
$name | string | The name of the parameter to be retrieved |
$default | mixed | The value that should be returned if the parameter is not set, or not of the correct type. |
$type | int | The type that $value should be cleaned as. It should be passed as one of the para |