Security Principles

Variable Checking

Where possible, scripts should check for every variable they need as early as possible and exit if any is missing. Exiting early keeps a request with missing input from reaching later code, which minimises PHP warnings and fatal errors.

New code must use one of these methods to access all variables passed to a page.

The param class contains 4 methods that can be used to check and clean variables passed to a page:

param::clean()

param::clean($value, $type)

Parameter   Type    Explanation
$value      mixed   The value that should be cleaned
$type       int     The type that $value should be cleaned as. It should be passed as one of the param class constants, e.g. param::FLOAT

The cleaned value will be returned, or null if it does not match the type passed.

Examples

// A string containing a digit: only the type that admits the whole value returns it unchanged
$val1 = 'Test1 String';
echo param::clean($val1, param::ALPHA); // 'Test String'
echo param::clean($val1, param::ALPHANUM); // 'Test1 String'
echo param::clean($val1, param::INT); // null

// A numeric string is accepted by the numeric types and converted
$val2 = '2';
echo param::clean($val2, param::ALPHANUM); // '2'
echo param::clean($val2, param::INT); // 2
echo param::clean($val2, param::FLOAT); // 2

// A decimal string is not an integer, so INT yields null while FLOAT converts it
$val3 = '2.1';
echo param::clean($val3, param::ALPHANUM); // '2.1'
echo param::clean($val3, param::INT); // null
echo param::clean($val3, param::FLOAT); // 2.1
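The early-exit rule from the Variable Checking section combined with param::clean(), as an added example rather than code from the project's own pages. It assumes only what this page states about param::clean() (a value plus a param class constant, returning null on a type mismatch); the helper name, the parameter names and the use of $_GET are assumptions made for illustration.

```php
<?php
// Added example (not from the project). Gather and validate every variable the
// page needs at the top of the script, using param::clean() as documented above,
// and stop before any business logic runs. required_param() and the parameter
// names are hypothetical; reading from $_GET is an assumption.

// Returns the cleaned value, or ends the request with a 400 response if the
// variable is absent or does not match the expected type. The comparison
// against null must be strict (===): a legitimate value such as 0 or '0' is
// falsy in PHP and would otherwise be rejected as missing.
function required_param(string $name, int $type)
{
    if (!isset($_GET[$name])) {
        http_response_code(400);
        exit('Missing required parameter: ' . htmlspecialchars($name));
    }
    $clean = param::clean($_GET[$name], $type);
    if ($clean === null) {
        http_response_code(400);
        exit('Invalid value for parameter: ' . htmlspecialchars($name));
    }
    return $clean;
}

// Every required variable is resolved here, so a malformed request never
// reaches the code below and cannot cause warnings or fatal errors part way
// through the page.
$userid  = required_param('userid', param::INT);   // '42' -> 42, 'abc' -> exit
$sortkey = required_param('sort', param::ALPHA);   // 'name' -> 'name'
$ratio   = required_param('ratio', param::FLOAT);  // '2.1' -> 2.1

// An optional variable is cleaned the same way but falls back to a safe
// default instead of exiting.
$page = isset($_GET['page']) ? param::clean($_GET['page'], param::INT) : null;
if ($page === null) {
    $page = 1;
}

// From this point on only cleaned, correctly typed values are in scope.
```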

param::clean_array()

param::clean_array($value, $type, $required)

Parameter   Type    Explanation
$value      array   The array that should be cleaned
$type       int     The type that