Security Principles

This space is archived

For current information please use the current ExamSys documentation


Variable Checking

Where possible, scripts should check for the variables they need as early as possible and exit if any are missing. Exiting early minimises PHP warnings and fatal errors.

New code must use one of these methods to access all variables passed to a page.

The param class contains 4 methods that can be used to check and clean variables passed to a page:

param::clean()

param::clean($value, $type)

| Parameter | Type | Explanation |
|---|---|---|
| $value | mixed | The value that should be cleaned |
| $type | int | The type that $value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |

The cleaned value will be returned, or null if it does not match the type passed.

Examples
$val1 = 'Test1 String';
echo param::clean($val1, param::ALPHA); // 'Test String'
echo param::clean($val1, param::ALPHANUM); // 'Test1 String'
echo param::clean($val1, param::INT); // null


$val2 = '2';
echo param::clean($val2, param::ALPHANUM); // '2'
echo param::clean($val2, param::INT); // 2
echo param::clean($val2, param::FLOAT); // 2


$val3 = '2.1';
echo param::clean($val3, param::ALPHANUM); // '2.1'
echo param::clean($val3, param::INT); // null
echo param::clean($val3, param::FLOAT); // 2.1

param::clean_array()

param::clean_array($value, $type, $required)

| Parameter | Type | Explanation |
|---|---|---|
| $value | array | The array that should be cleaned |
| $type | int | The type that $value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |
| $required | boolean | Default: false. If true and a parameter in the array is not of the required type, an exception will be thrown. |

Returns an array containing only values of the appropriate type. If $required is true, a MissingParameter exception will be thrown if any value of the array is not of the required type.

Examples
$array = array(
  '3',
  '4.2',
  array(
    '769',
  ),
);


$clean = param::clean_array($array, param::INT); // Returns: array('3', null, array('769'))
$clean = param::clean_array($array, param::INT, true); // Throws a MissingParameter exception.

param::required()

param::required($name, $type, $from)

| Parameter | Type | Explanation |
|---|---|---|
| $name | string | The name of the parameter to be retrieved |
| $type | int | The type that the parameter value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT |
| $from | string | Default: param::FETCH_REQUEST. Should be one of: param::FETCH_GET, param::FETCH_POST or param::FETCH_REQUEST |

Returns the value of the parameter if it is set. Throws a MissingParameter exception if the value is either not set or invalid for the type.

Examples
try {
  $id = param::required('id', param::INT); // Look for the id parameter in both _GET and _POST
  $paperid = param::required('paperID', param::INT, param::FETCH_GET); // Look for paperID in _GET
  $moduleid = param::required('module', param::INT, param::FETCH_POST); // Look for module in _POST
} catch (MissingParameter $e) {
  // Do something when the parameter is not present.
}
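
The early-exit pattern from Variable Checking, built on param::required() as documented above. This is an added example, not ExamSys code: the stand-in param class, its constant values, fetch_page_params() and the request values are assumptions made so that it runs outside ExamSys.

```php
<?php
// Added example, not ExamSys code. Outside ExamSys this stand-in mimics only
// the documented INT behaviour of param::required() so the script can run.
if (!class_exists('param')) {
    class MissingParameter extends Exception {}
    class param {   // hypothetical stand-in; constant values are assumptions
        const INT = 1;
        const FETCH_GET = 'get';
        const FETCH_POST = 'post';
        const FETCH_REQUEST = 'request';
        public static function required($name, $type, $from = self::FETCH_REQUEST) {
            $src = $from === self::FETCH_GET ? $_GET
                : ($from === self::FETCH_POST ? $_POST : array_merge($_GET, $_POST));
            $v = isset($src[$name]) ? filter_var($src[$name], FILTER_VALIDATE_INT) : false;
            if ($v === false) {
                throw new MissingParameter($name);
            }
            return $v;
        }
    }
}

// Constructed request: paperID is a valid integer, module is not.
$_GET  = array('paperID' => '42');
$_POST = array('module' => '7abc');

// Fetch every parameter the page needs before any other work is done.
// Returns the typed values, or null if one is missing or of the wrong type.
function fetch_page_params() {
    try {
        return array(
            'paperID' => param::required('paperID', param::INT, param::FETCH_GET),
            'module'  => param::required('module', param::INT, param::FETCH_POST),
        );
    } catch (MissingParameter $e) {
        return null;
    }
}

$params = fetch_page_params();
if ($params === null) {
    http_response_code(400);  // reject before any query or output is built
    exit("Invalid or missing parameter\n");
}
// From here on both values are known to be integers.
printf("paper %d, module %d\n", $params['paperID'], $params['module']);
```

With the constructed request the script stops at the 400 branch because module is not an integer; setting it to '7' lets the script continue to the final line.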

param::optional()

param::optional($name, $default, $type, $from)

| Parameter | Type | Explanation |
|---|---|---|
| $name | string | The name of the parameter to be retrieved |
| $default | mixed | The value that should be returned if the parameter is not set, or not of the correct type. |
| $type | int | The type that $value should be cleaned as. It should be passed as one of the para