<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://docs.sandbox.joomla.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Globulopolis</id>
	<title>Joomla! Documentation - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://docs.sandbox.joomla.org/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=Globulopolis"/>
	<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/Special:Contributions/Globulopolis"/>
	<updated>2026-07-09T18:45:23Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.43.0</generator>
	<entry>
		<id>https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=323347</id>
		<title>Secure coding guidelines</title>
		<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=323347"/>
		<updated>2016-08-10T18:00:28Z</updated>

		<summary type="html">&lt;p&gt;Globulopolis: Add info about json&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Joomla includes many features that help with the task of securing applications and extensions built on it.  You should always use these features if at all possible as they have been tried and tested by the many eyes of the developer community and any updates that might conceivably be required in the future will be automatically available whenever a Joomla update is applied.  What follows is a description of best practice in using the Joomla API to ensure that your extensions are as secure as possible.&lt;br /&gt;
&lt;br /&gt;
==Getting data from the request==&lt;br /&gt;
{{JVer|3.x}} Starting with Joomla version 3.0, [[Retrieving_request_data_using_JInput|JInput]] should be used instead of [[JRequest]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
All input originating from a user must be considered potentially dangerous and must be cleaned before being used.  You should always use the Joomla [[Retrieving_request_data_using_JInput|JInput]] class to retrieve data from the request, rather than the raw $_GET, $_POST or $_REQUEST variables as the [[Retrieving_request_data_using_JInput|JInput]] methods apply input filtering by default. JInput deals with all aspects of the user request in a way that is independent of the request method used.  It can also be used to retrieve cookie data and even server and environment variables. However, it is important to use the correct [[Retrieving_request_data_using_JInput|JInput]] method to ensure maximum security.  It is very easy to just use the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method with default parameters and ignore the fact that in many cases it is possible to apply a more stringent requirement on user input.&lt;br /&gt;
&lt;br /&gt;
It very important to understand that the [[Retrieving_request_data_using_JInput|JInput]] methods are not SQL-aware and further work is required to guard against SQL injection attacks.There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]]. If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
&lt;br /&gt;
Using [[Retrieving_request_data_using_JInput|JInput]] also obviates the need to pay attention to the setting of magic_quotes_gpc. [[Retrieving_request_data_using_JInput|JInput]] does the right thing, regardless of whether magic_quotes_gpc is on or off.  See http://php.net/manual/en/security.magicquotes.php for further information.&lt;br /&gt;
&lt;br /&gt;
When considering user input you should think about the data type you are expecting to retrieve and apply the most stringent form of [[Retrieving_request_data_using_JInput#Getting_Values|JInput]] that is applicable in each case.  In particular, avoid the lazy approach of using [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] as this will return an array that may contain entries that you did not expect and although each of those entries will have been cleaned, it is often the case that additional filtering could have been applied to some individual arguments.  For example, the get method treats all arguments as strings, whereas it may be possible to restrict some arguments to be integers.&lt;br /&gt;
&lt;br /&gt;
The first three parameters of each of the JInput get methods are the same.  Only the first parameter is mandatory.  In general, the format is&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
    JFactory::getApplication-&amp;gt;input-&amp;gt;&amp;lt;data-source&amp;gt;-&amp;gt;get&amp;lt;type&amp;gt;( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt; )&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;type&amp;gt; || the data type to be retrieved (see below for the types available).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;amp;lt;data-source&amp;amp;gt; || specifies where the variable is to be retrieved from (see below).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The following values for &amp;amp;lt;data-source&amp;amp;gt; are supported:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| get || Data submitted in the query part of the URL.&lt;br /&gt;
|-&lt;br /&gt;
| post || Data submitted from form fields.&lt;br /&gt;
|-&lt;br /&gt;
| method || The same as either GET or POST depending on how the request was made.&lt;br /&gt;
|-&lt;br /&gt;
| cookie || Data submitted in cookies.&lt;br /&gt;
|-&lt;br /&gt;
| request || All the GET, POST and COOKIE data combined.  This is the default.&lt;br /&gt;
|-&lt;br /&gt;
| files || Information about files uploaded as part of a POST request.&lt;br /&gt;
|-&lt;br /&gt;
| env || Environment variables (platform-specific).&lt;br /&gt;
|-&lt;br /&gt;
| server || Web server variables (platform-specific).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Notice that the default is REQUEST, which includes cookie data.&lt;br /&gt;
&lt;br /&gt;
The following sections look at each of the data types in more detail.&lt;br /&gt;
&lt;br /&gt;
===Integer===&lt;br /&gt;
The following will accept an integer.  An integer can include a leading minus sign, but a plus sign is not permitted.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;getInt( &#039;id&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;id&amp;quot; argument from the request (which by default includes all GET, POST and COOKIE data).  The default value is zero.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getInt( &#039;myId&#039;, 12 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;myId&amp;quot; variable from a cookie, with a default value of 12.&lt;br /&gt;
&lt;br /&gt;
===Floating point number===&lt;br /&gt;
A floating point number can include a leading minus sign, but not a plus sign.  If the number includes a decimal point, then there must be at least one digit before the decimal point.  For example,&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;getFloat( &#039;price&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &#039;price&#039; argument from the request.  The default is &amp;quot;0.0&amp;quot;.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getFloat( &#039;total&#039;, 100.00 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;total&#039; argument from a POST request (but not a GET), with a default value of 100.00.&lt;br /&gt;
&lt;br /&gt;
===Boolean value===&lt;br /&gt;
Any non-zero value is regarded as being true; zero is false.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;getBool( &#039;show&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return false if the value of the &#039;show&#039; argument in the request is zero, or 1 (true) if the argument is anything else.  The default is false.  Note that any string argument will result in a return value of true, so calling the above with a URL containing &amp;quot;?show=false&amp;quot; will actually return true!&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;get-&amp;gt;getBool( &#039;hide&#039;, true );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;hide&#039; argument from a GET request (but not a POST), with a default value of true.&lt;br /&gt;
&lt;br /&gt;
===Word===&lt;br /&gt;
A word is defined as being a string of alphabetic characters.  The underscore character is permitted as part of a word.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;search-word&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;search-word&#039; argument from the request.  The default is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;keyword&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;keyword&#039; variable from a cookie, with the default being an empty string.&lt;br /&gt;
&lt;br /&gt;
===Command===&lt;br /&gt;
A command is like a word but a wider range of characters is permitted.  Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;getCmd( &#039;option&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;option&amp;quot; argument from the request.  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getCmd( &#039;controller&#039;, &#039;view&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;controller&amp;quot; argument from a POST request (but not a GET), with a default value of &#039;view&#039;.&lt;br /&gt;
&lt;br /&gt;
===String===&lt;br /&gt;
The string type allows a much wider range of input characters.  It also takes an optional fourth argument specifying some additional mask options.  See [[#Filter options]] for information on the available masks.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;description&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;description&amp;quot; argument from the request.  The default value is an empty string.  The input will have whitespace removed from the left and right ends and any HTML tags will be removed.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;text&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;text&amp;quot; argument from the request..  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;template&#039;, &#039;&amp;lt;html /&amp;gt;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;template&amp;quot; argument from the request.  The default value is &#039;&amp;lt;html /&amp;gt;&#039;.&lt;br /&gt;
&lt;br /&gt;
===JSON String===&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$json = JFactory::getApplication-&amp;gt;input-&amp;gt;json-&amp;gt;get( &#039;var_name&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Generic and other data types===&lt;br /&gt;
If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method directly.  The syntax is:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JFactory::getApplication-&amp;gt;input-&amp;gt;get( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.  There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]].   If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || specifies the data type expected (see below).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The first three arguments are the same as for the more specific methods described earlier.  Only the first argument is mandatory.&lt;br /&gt;
&lt;br /&gt;
Allowed values of the &amp;lt;type&amp;gt;, which is case-insensitive, are as follows:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| INT, INTEGER || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
|-&lt;br /&gt;
| UINT || Get an unsigned integer. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getUint]].&lt;br /&gt;
|-&lt;br /&gt;
| FLOAT, DOUBLE || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getFloat]].&lt;br /&gt;
|-&lt;br /&gt;
| BOOL, BOOLEAN || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getBool]].&lt;br /&gt;
|-&lt;br /&gt;
| WORD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getWord]].&lt;br /&gt;
|-&lt;br /&gt;
| ALNUM || Allow only alphanumeric characters (a-z, A-Z, 0-9). Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getAlnum]].&lt;br /&gt;
|-&lt;br /&gt;
| CMD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getCmd]].&lt;br /&gt;
|-&lt;br /&gt;
| BASE64 || Allow only those characters that could be present in a base64-encoded string (ie. a-z, A-Z, 0-9, /, + and =). Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getBase64]].&lt;br /&gt;
|-&lt;br /&gt;
| STRING || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getString]].&lt;br /&gt;
|-&lt;br /&gt;
| ARRAY || Source is not filtered but is cast to array type.&lt;br /&gt;
|-&lt;br /&gt;
| HTML || A sanitised string. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getHtml]].&lt;br /&gt;
|-&lt;br /&gt;
| PATH || Valid pathname regex that filters out common attacks.  For example, any path beginning with a &amp;quot;/&amp;quot; will return an empty string.  Simliarly, any path containing &amp;quot;/./&amp;quot; or &amp;quot;/../&amp;quot; will return an empty string.  Dots within filenames are okay though. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getPath]].&lt;br /&gt;
|-&lt;br /&gt;
| USERNAME || Removes control characters (0x00 - 0x1F), 0x7F, &amp;lt;, &amp;gt;, &amp;quot;, &#039;, % and &amp;amp;. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getUsername]].&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Filter options===&lt;br /&gt;
All input values can be filtered using JFilterInput-&amp;gt;clean.&lt;br /&gt;
&lt;br /&gt;
Filter an array of values.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$data = JFactory::getApplication()-&amp;gt;input-&amp;gt;post-&amp;gt;get(&#039;data&#039;, array(), &#039;array&#039;);&lt;br /&gt;
$filter = JFilterInput::getInstance();&lt;br /&gt;
&lt;br /&gt;
foreach ($data as $value)&lt;br /&gt;
{&lt;br /&gt;
	$array[] = $filter-&amp;gt;clean($value, &#039;string&#039;);&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
For more filter types see [https://github.com/joomla/joomla-cms/blob/master/libraries/joomla/filter/input.php#L115 JFilterInput source].&lt;br /&gt;
&lt;br /&gt;
Options listed bellow available only in deprecated [[JRequest]] library.&lt;br /&gt;
Allowed values of &amp;lt;options&amp;gt; are as follows (none of these are applied by default):&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| JREQUEST_NOTRIM || Does not remove whitespace from the start and ends of strings.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWRAW || Does not do any filtering at all.  Use with extreme caution.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWHTML || Does not remove HTML from string inputs.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Masks can be combined by logically OR&#039;ing them.  If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.&lt;br /&gt;
&lt;br /&gt;
===File uploads===&lt;br /&gt;
Web servers already have a good deal of security around handling file uploads, but it is still necessary to take additional steps to ensure that file names and paths cannot be abused.  A simplified form which requests a file to be uploaded looks like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;form action=&amp;quot;index.php?option=com_mycomponent/form_handler.php&amp;quot;  method=&amp;quot;post&amp;quot; enctype=&amp;quot;multipart/form-data&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;input type=&amp;quot;file&amp;quot; name=&amp;quot;Filedata&amp;quot; /&amp;gt;&lt;br /&gt;
    &amp;lt;input type=&amp;quot;submit&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/form&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
On clicking the submit button, the browser will upload the file in a POST request, passing control to Joomla which will call &amp;quot;components/com_mycomponent/form_handler.php&amp;quot;.  This will include code like the following.  The variable $somepath must be set to some path where the web server has permission to create files.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Check to ensure this file is included in Joomla!&lt;br /&gt;
defined(&#039;_JEXEC&#039;) or die( &#039;Restricted access&#039; );&lt;br /&gt;
&lt;br /&gt;
// Get the file data array from the request.&lt;br /&gt;
$file = JFactory::getApplication-&amp;gt;input-&amp;gt;get( &#039;Filedata&#039;, &#039;&#039;, &#039;files&#039;, &#039;array&#039; );&lt;br /&gt;
&lt;br /&gt;
// Make the file name safe.&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$file[&#039;name&#039;] = JFile::makeSafe($file[&#039;name&#039;]);&lt;br /&gt;
&lt;br /&gt;
// Move the uploaded file into a permanent location.&lt;br /&gt;
if (isset( $file[&#039;name&#039;] )) {&lt;br /&gt;
&lt;br /&gt;
    // Make sure that the full file path is safe.&lt;br /&gt;
    $filepath = JPath::clean( $somepath.&#039;/&#039;.strtolower( $file[&#039;name&#039;] ) );&lt;br /&gt;
&lt;br /&gt;
    // Move the uploaded file.&lt;br /&gt;
    JFile::upload( $file[&#039;tmp_name&#039;], $filepath );&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Saving a request variable into user state===&lt;br /&gt;
Because setting a user state variable from a variable in the request is such a common operation, there is an API method to make the task easier.  This is generally safe to use because it calls [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] to obtain the input from the request, but remember that none of the input filtering calls will protect against SQL injection attempts.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &amp;lt;key&amp;gt;, &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;key&amp;gt; || the name of the variable in the user state.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the request variable (same as the first argument of a [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] call).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value to be assigned to the user state variable if the request variable is absent.  The default is null.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || the type of variable expected.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
For example, getting an integer variable called &#039;id&#039; from the request with a default value of 0, then saving it into a session variable called &#039;myid&#039; can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &#039;myid&#039;, &#039;id, 0, &#039;int&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
instead of something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;setUserState( &#039;myid&#039;, $app-&amp;gt;input-&amp;gt;getInt( &#039;id&#039;, 0 ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Constructing SQL queries==&lt;br /&gt;
One of the most common forms of attack on web applications is SQL injection, where the aim of the attacker is to change a database query by exploiting a poorly filtered input variable.  Injecting modified SQL statements into the database can damage data or reveal private information.  It is important to ensure that when SQL statements are constructed, they are correctly escaped and quoted so that bad input data cannot result in a bad SQL statement. You cannot rely on the [[Retrieving_request_data_using_JInput|JInput]] methods to do this as they are not SQL-aware.&lt;br /&gt;
&lt;br /&gt;
===Secure integers and the rest of numeric values===&lt;br /&gt;
With the MySQL database, numeric fields should not be quoted, so it is important that they be typecast instead.  Failure to do this will leave your code vulnerable to an attacker inserting a string containing SQL data.&lt;br /&gt;
&lt;br /&gt;
Depending on the type, numeric types are cast like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// For SQL data types: INT, INTEGER, TINYINT, SMALLINT, MEDIUMINT, BIGINT, YEAR&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (int) $id;&lt;br /&gt;
&lt;br /&gt;
// For SQL data types: FLOAT, DOUBLE&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (float) $id;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
It&#039;s a good idea to get into the habit of always typecasting integers like this even if the variable was previously obtained using [[Further information on SQL injection attacks can be found here: http://php.net/manual/en/security.database.sql-injection.php and here: [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
&lt;br /&gt;
===Secure strings===&lt;br /&gt;
In the examples that follow it is assumed that $db is an instance of a Joomla database object.  This can always be obtained from [[JFactory]] using&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$db = JFactory::getDBO();&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Strings should always be escaped before being used in an SQL statement.  This is actually very simple as the [[JDatabase/quote|JDatabase-&amp;gt;quote]] method escapes everything for you.  You can also use the [[JDatabase/escape|JDatabase-&amp;gt;escape]] method directly.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $db-&amp;gt;escape( $field ), false );&lt;br /&gt;
&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $field );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
===Secure on search===&lt;br /&gt;
Special attention should be paid to LIKE clauses which contain the % wildcard character as these require special escaping in order to avoid possible denial of service attacks.  LIKE clauses can be handled like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Construct the search term by escaping the user-supplied string and, if required, adding the % wildcard characters manually.&lt;br /&gt;
$search = &#039;%&#039; . $db-&amp;gt;escape( $search, true ) . &#039;%&#039; );&lt;br /&gt;
&lt;br /&gt;
// Construct the SQL query, being careful to suppress the default behaviour of Quote so as to prevent double-escaping.&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` LIKE &#039; . $db-&amp;gt;quote( $search, false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure dates===&lt;br /&gt;
If data is to be entered into a datetime column then you can use the Joomla API to ensure a valid date format:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$date = JFactory::getDate( $mydate );&lt;br /&gt;
$query = &#039;UPDATE #__table SET `date` = &#039; . $db-&amp;gt;quote( $date-&amp;gt;toMySQL(), false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Note that it is necessary to suppress database escaping as legitimate dates may contain characters that should not be escaped.&lt;br /&gt;
&lt;br /&gt;
===Secure field names===&lt;br /&gt;
In the comparatively rare case where a field name is a variable, that should also be quoted using an API call:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure arrays of integers===&lt;br /&gt;
When you have an array of ids, typically used for IN() queries, you have to sanitise it also with JArrayHelper::toInteger($cid); before imploding: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
JArrayHelper::toInteger($catId);&lt;br /&gt;
$query-&amp;gt;where($db-&amp;gt;quoteName(&#039;x.category_id&#039;) . &#039; IN (&#039; . implode(&#039;,&#039;, $catId) . &#039;)&#039;);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Short aliases of Quote and QuoteName===&lt;br /&gt;
Shorter alternatives to the quote methods may also be used.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;qn( $field-name ) . &#039;=&#039; . $db-&amp;gt;q( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Securing forms==&lt;br /&gt;
Apart from cleaning input variables as described above, you can also implement a simple technique which makes it more difficult for a cross-site request forgery attack (CSRF) to succeed. This involves adding a randomly-generated unique token to the form which is checked against a copy of the token held in the user&#039;s session.  By checking that the submitted token matches the one contained in the stored session, it is possible to tie a rendered form to the request variables presented.&lt;br /&gt;
&lt;br /&gt;
In POST forms you should add a hidden token field using:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JHTML::_( &#039;form.token&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This outputs the token as a hidden form field looking like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;8cb24ae69ffd7828ccecbcf06056e6fc&amp;quot; value=&amp;quot;1&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
and places a copy of the token into the user&#039;s session, for later checking.&lt;br /&gt;
&lt;br /&gt;
If you need to add the token to a URL rather than a form then you can use something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JRoute::_( &#039;index.php?option=com_mycomponent&amp;amp;&#039; . JSession::getFormToken() . &#039;=1&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the most common scenario, you will want to check the token following a POST to the form handler.  This can be done by adding this line of code to form handler:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken() or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
If you need to pass the token in a GET request then you can check it like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken( &#039;get&#039; ) or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In both cases the code will die if the token is omitted from the request, or the submitted token does not match the session token.  If the token is correct but has expired, then [[JSession/checkToken|JSession::checkToken]] will automatically redirect to the site front page.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem paths==&lt;br /&gt;
If there is any possibility that a filesystem path might be constructed using data that originated from user input, then the path must be cleaned and checked before being used.  This can be done quite simply like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JPath::check( $path );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This will raise an error and terminate Joomla if the path contains a &amp;quot;..&amp;quot; or leads to a location outside the Joomla root directory.  If you want to deal with the error yourself without terminating the application, then you can use code like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$path = JPath::clean( $path );&lt;br /&gt;
if (strpos( $path, JPath::clean( JPATH_ROOT ) ) !== 0) {&lt;br /&gt;
    // Handle the error here.&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
The [[JPath:clean]] method can be used in your own code too.  It merely removes leading and trailing whitespace and replace double slashes and backslashes with the standard directory separator.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem file names==&lt;br /&gt;
As with filesystem paths, if there is any possibility that a file name might be constructed using user-originated data, then the file name must be cleaned and checked before use.  This can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$clean = JFile::makeSafe( $unclean );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This method removes sequences of two or more &amp;quot;.&amp;quot; characters and any character that is not alphabetic, numeric or a dot, dash or underscore character.  If there is a leading dot then that is removed too.&lt;br /&gt;
[[Category:Development]][[Category:Security]]&lt;/div&gt;</summary>
		<author><name>Globulopolis</name></author>
	</entry>
	<entry>
		<id>https://docs.sandbox.joomla.org/index.php?title=Retrieving_request_data_using_JInput&amp;diff=323346</id>
		<title>Retrieving request data using JInput</title>
		<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/index.php?title=Retrieving_request_data_using_JInput&amp;diff=323346"/>
		<updated>2016-08-10T17:50:33Z</updated>

		<summary type="html">&lt;p&gt;Globulopolis: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{version|2.5,3.x|platform=11.1,12.1}}&lt;br /&gt;
==Requirements==&lt;br /&gt;
To be able to use JInput as described here, you must be using Joomla 2.5.0 or above.&lt;br /&gt;
&lt;br /&gt;
Please note there are known issues with JInput and Magic Quotes (Deprecated in PHP 5.3.0 and removed in PHP 5.4.0). Most servers have these turned off - however it is important to bear this in mind whilst developing a component. For this reason all core components in Joomla 2.5.x still use JRequest. As of Joomla 3.0+ magic quotes is required to be disabled and thus this is no longer an issue.&lt;br /&gt;
&lt;br /&gt;
==Using JInput==&lt;br /&gt;
To use JInput you must first create the object by using this code:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$jinput = JFactory::getApplication()-&amp;gt;input;&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Getting Values===&lt;br /&gt;
To get a value from JInput, you can use:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$foo = $jinput-&amp;gt;get(&#039;varname&#039;, &#039;default_value&#039;, &#039;filter&#039;);&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The filter defaults to &amp;lt;code&amp;gt;cmd&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
{{notice|The code fragments in the following list show the &#039;&#039;implementation&#039;&#039; of the filters (assuming the value you want to retrieve is stored in &amp;lt;code&amp;gt;$source&amp;lt;/code&amp;gt;). You do not need them to &#039;&#039;use&#039;&#039; JInput; all you need for using JInput is the code shown above.}}&lt;br /&gt;
&lt;br /&gt;
Available filters are:&lt;br /&gt;
&lt;br /&gt;
*INT&lt;br /&gt;
*INTEGER&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Only use the first integer value&lt;br /&gt;
preg_match(&#039;/-?[0-9]+/&#039;, (string) $source, $matches);&lt;br /&gt;
$result = @ (int) $matches[0];&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*UINT&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Only use the first integer value&lt;br /&gt;
preg_match(&#039;/-?[0-9]+/&#039;, (string) $source, $matches);&lt;br /&gt;
$result = @ abs((int) $matches[0]);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*FLOAT&lt;br /&gt;
*DOUBLE&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Only use the first floating point value&lt;br /&gt;
preg_match(&#039;/-?[0-9]+(\.[0-9]+)?/&#039;, (string) $source, $matches);&lt;br /&gt;
$result = @ (float) $matches[0];&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*BOOL&lt;br /&gt;
*BOOLEAN&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$result = (bool) $source;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*WORD&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Only allow characters a-z, and underscores&lt;br /&gt;
$result = (string) preg_replace(&#039;/[^A-Z_]/i&#039;, &#039;&#039;, $source);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*ALNUM&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Allow a-z and 0-9 only&lt;br /&gt;
$result = (string) preg_replace(&#039;/[^A-Z0-9]/i&#039;, &#039;&#039;, $source);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*CMD&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Allow a-z, 0-9, underscore, dot, dash. Also remove leading dots from result. &lt;br /&gt;
$result = (string) preg_replace(&#039;/[^A-Z0-9_\.-]/i&#039;, &#039;&#039;, $source);&lt;br /&gt;
$result = ltrim($result, &#039;.&#039;);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*BASE64&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Allow a-z, 0-9, slash, plus, equals.&lt;br /&gt;
$result = (string) preg_replace(&#039;/[^A-Z0-9\/+=]/i&#039;, &#039;&#039;, $source);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*STRING&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Converts the input to a plain text string; strips all tags / attributes.&lt;br /&gt;
$result = (string) $this-&amp;gt;_remove($this-&amp;gt;_decode((string) $source));&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*HTML&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Converts the input to a string; strips all HTML tags / attributes.&lt;br /&gt;
$result = (string) $this-&amp;gt;_remove($this-&amp;gt;_decode((string) $source));&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*ARRAY&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Attempts to convert the input to an array.&lt;br /&gt;
$result = (array) $source;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*PATH&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Converts the input into a string and validates it as a path. (e.g. path/to/file.png or path/to/dir)&lt;br /&gt;
// Note: Does NOT accept absolute paths, or paths ending in a trailing slash.&lt;br /&gt;
// For a visual representation of the pattern matching used, see http://www.regexper.com/#^[A-Za-z0-9_-]%2B[A-Za-z0-9_\.-]*%28[\\\\\%2F][A-Za-z0-9_-]%2B[A-Za-z0-9_\.-]*%29*%24&lt;br /&gt;
// Will return null if the input was invalid.&lt;br /&gt;
$pattern = &#039;/^[A-Za-z0-9_-]+[A-Za-z0-9_\.-]*([\\\\\/][A-Za-z0-9_-]+[A-Za-z0-9_\.-]*)*$/&#039;;&lt;br /&gt;
preg_match($pattern, (string) $source, $matches);&lt;br /&gt;
$result = @ (string) $matches[0];&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*RAW&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// The raw input. No sanitation provided.&lt;br /&gt;
$result = $source;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
*USERNAME&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Strips all invalid username characters.&lt;br /&gt;
$result = (string) preg_replace(&#039;/[\x00-\x1F\x7F&amp;lt;&amp;gt;&amp;quot;\&#039;%&amp;amp;]/&#039;, &#039;&#039;, $source)&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Alternatively instead of adding the filter you can use the JInput type specific methods:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Instead of:&lt;br /&gt;
$input-&amp;gt;get(&#039;name&#039;, &#039;&#039;, &#039;STR&#039;);&lt;br /&gt;
// you can use:&lt;br /&gt;
$input-&amp;gt;getString(&#039;name&#039;, &#039;&#039;);&lt;br /&gt;
&lt;br /&gt;
// Instead of:&lt;br /&gt;
$input-&amp;gt;get(&#039;memberId&#039;, 0, &#039;INT&#039;);&lt;br /&gt;
// you can use:&lt;br /&gt;
$input-&amp;gt;getInt(&#039;memberId&#039;, 0);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
To retrieve an object, you can use:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$foo = $jinput-&amp;gt;get(&#039;varname&#039;, null, null);&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Getting Multiple Values===&lt;br /&gt;
&lt;br /&gt;
To retrieve a number of values you can use the &amp;lt;code&amp;gt;getArray()&amp;lt;/code&amp;gt; method:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$fooValues = $jinput-&amp;gt;getArray(array(&#039;var1&#039; =&amp;gt; &#039;&#039;, &#039;var2&#039; =&amp;gt; &#039;&#039;, &#039;var3&#039; =&amp;gt; &#039;&#039;));&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
or, if you want to determine the data to get step by step:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$fooArray = array();&lt;br /&gt;
$fooArray[&#039;var1&#039;] = &#039;&#039;;&lt;br /&gt;
$fooArray[&#039;var2&#039;] = &#039;&#039;;&lt;br /&gt;
$fooArray[&#039;var3&#039;] = &#039;&#039;;&lt;br /&gt;
$fooValues = $jinput-&amp;gt;getArray($fooArray);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The &amp;lt;code&amp;gt;$fooValues&amp;lt;/code&amp;gt; will be an array that consists of the same keys as used in &amp;lt;code&amp;gt;$fooArray&amp;lt;/code&amp;gt;, but with values attached.&lt;br /&gt;
&lt;br /&gt;
You can also specify different filters for each of the inputs:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;gt;&lt;br /&gt;
$fooValues = $jinput-&amp;gt;getArray(array(&lt;br /&gt;
    &#039;var1&#039; =&amp;gt; &#039;int&#039;,&lt;br /&gt;
    &#039;var2&#039; =&amp;gt; &#039;float&#039;,&lt;br /&gt;
    &#039;var3&#039; =&amp;gt; &#039;word&#039;&lt;br /&gt;
));&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
You can also nest arrays to get more complicated hierarchies of values:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$fooValues = $jinput-&amp;gt;getArray(array(&lt;br /&gt;
    &#039;jform&#039; =&amp;gt; array(&lt;br /&gt;
        &#039;title&#039; =&amp;gt; &#039;string&#039;,&lt;br /&gt;
        &#039;quantity&#039; =&amp;gt; &#039;int&#039;,&lt;br /&gt;
        &#039;state&#039; =&amp;gt; &#039;int&#039;&lt;br /&gt;
    )&lt;br /&gt;
));&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Getting Values from a Specific Super Global===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$foo = $jinput-&amp;gt;get-&amp;gt;get(&#039;varname&#039;, &#039;default_value&#039;, &#039;filter&#039;);&amp;lt;/source&amp;gt;&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$foo = $jinput-&amp;gt;post-&amp;gt;get(&#039;varname&#039;, &#039;default_value&#039;, &#039;filter&#039;);&amp;lt;/source&amp;gt;&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$foo = $jinput-&amp;gt;server-&amp;gt;get(&#039;varname&#039;, &#039;default_value&#039;, &#039;filter&#039;);&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Getting JSON string from request===&lt;br /&gt;
&#039;&#039;&#039;NB!&#039;&#039;&#039; Available since Joomla! Platform 12.1&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$json = $jinput-&amp;gt;json-&amp;gt;get(&#039;varname&#039;);&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Setting Values===&lt;br /&gt;
&lt;br /&gt;
To set a value via JInput, you can use:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;$jinput-&amp;gt;set(&#039;varname&#039;, $foo);&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Retrieving File Data===&lt;br /&gt;
&lt;br /&gt;
The format that PHP returns file data in for arrays can at times be awkward, especially when dealing with arrays of files. JInputFiles provides a convenient interface for making life a little easier, grouping the data by file.&lt;br /&gt;
&lt;br /&gt;
Suppose you have a form like:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;form action=&amp;quot;&amp;lt;?php echo JRoute::_(&#039;index.php?option=com_example&amp;amp;task=file.submit&#039;); ?&amp;gt;&amp;quot; enctype=&amp;quot;multipart/form-data&amp;quot; method=&amp;quot;post&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;input type=&amp;quot;file&amp;quot; name=&amp;quot;jform1[test][]&amp;quot; /&amp;gt;&lt;br /&gt;
	&amp;lt;input type=&amp;quot;file&amp;quot; name=&amp;quot;jform1[test][]&amp;quot; /&amp;gt;&lt;br /&gt;
	&amp;lt;input type=&amp;quot;submit&amp;quot; value=&amp;quot;submit&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/form&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Normally, PHP would put these in an array called &amp;lt;code&amp;gt;$_FILES&amp;lt;/code&amp;gt; that looked like:&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Array&lt;br /&gt;
(&lt;br /&gt;
    [jform1] =&amp;gt; Array&lt;br /&gt;
        (&lt;br /&gt;
            [name] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [test] =&amp;gt; Array&lt;br /&gt;
                        (&lt;br /&gt;
                            [0] =&amp;gt; youtube_icon.png&lt;br /&gt;
                            [1] =&amp;gt; Younger_Son_2.jpg&lt;br /&gt;
                        )&lt;br /&gt;
&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
            [type] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [test] =&amp;gt; Array&lt;br /&gt;
                        (&lt;br /&gt;
                            [0] =&amp;gt; image/png&lt;br /&gt;
                            [1] =&amp;gt; image/jpeg&lt;br /&gt;
                        )&lt;br /&gt;
&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
            [tmp_name] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [test] =&amp;gt; Array&lt;br /&gt;
                        (&lt;br /&gt;
                            [0] =&amp;gt; /tmp/phpXoIpSD&lt;br /&gt;
                            [1] =&amp;gt; /tmp/phpWDE7ye&lt;br /&gt;
                        )&lt;br /&gt;
&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
            [error] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [test] =&amp;gt; Array&lt;br /&gt;
                        (&lt;br /&gt;
                            [0] =&amp;gt; 0&lt;br /&gt;
                            [1] =&amp;gt; 0&lt;br /&gt;
                        )&lt;br /&gt;
&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
            [size] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [test] =&amp;gt; Array&lt;br /&gt;
                        (&lt;br /&gt;
                            [0] =&amp;gt; 34409&lt;br /&gt;
                            [1] =&amp;gt; 99529&lt;br /&gt;
                        )&lt;br /&gt;
&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
        )&lt;br /&gt;
&lt;br /&gt;
)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
JInputFiles produces a result that is cleaner and easier to work with:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$files = $input-&amp;gt;files-&amp;gt;get(&#039;jform1&#039;);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
&amp;lt;code&amp;gt;$files&amp;lt;/code&amp;gt; then becomes:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
Array&lt;br /&gt;
(&lt;br /&gt;
    [test] =&amp;gt; Array&lt;br /&gt;
        (&lt;br /&gt;
            [0] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [name] =&amp;gt; youtube_icon.png&lt;br /&gt;
                    [type] =&amp;gt; image/png&lt;br /&gt;
                    [tmp_name] =&amp;gt; /tmp/phpXoIpSD&lt;br /&gt;
                    [error] =&amp;gt; 0&lt;br /&gt;
                    [size] =&amp;gt; 34409&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
            [1] =&amp;gt; Array&lt;br /&gt;
                (&lt;br /&gt;
                    [name] =&amp;gt; Younger_Son_2.jpg&lt;br /&gt;
                    [type] =&amp;gt; image/jpeg&lt;br /&gt;
                    [tmp_name] =&amp;gt; /tmp/phpWDE7ye&lt;br /&gt;
                    [error] =&amp;gt; 0&lt;br /&gt;
                    [size] =&amp;gt; 99529&lt;br /&gt;
                )&lt;br /&gt;
&lt;br /&gt;
        )&lt;br /&gt;
&lt;br /&gt;
)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In this way, the data from each file element is consolidated into a single array and can be indexed in a more straightforward manner.&lt;br /&gt;
&lt;br /&gt;
== Background ==&lt;br /&gt;
&lt;br /&gt;
This is based on an email discussion: [https://groups.google.com/d/msg/joomla-dev-framework/LbALkK1ifMo/5waSiIlb21gJ Framework List 23 July 2011]&lt;br /&gt;
&lt;br /&gt;
The idea behind JInput is to abstract out the input source to allow code to be reused in different applications and in different contexts.  What I mean by this is that you could have a controller that grabs data from an input source.  Instead of always getting it from the request (i.e. get and post variables), you get it from JInput.  So say for instance you have a MVC triad in your component that is meant to get data from the browser as a client (a typical web application).  Now suppose you want to reuse that same code but interface with it using JSON.  Instead of rewriting your triad, you just extend JInput and have it grab it data from a parsed json object and perform any translation that you need to perform.&lt;br /&gt;
&lt;br /&gt;
The plan is to have JApplication instantiate JInput in its constructor.  Then in your code you get the input object from the application and get your input from there.  It will be a public property in Japplication so that it can be swapped out of that is appropriate.&lt;br /&gt;
&lt;br /&gt;
We get the added benefit that we get rid of the static JRequest which makes a whole bunch the code a whole lot easier to test because you can inject mock inputs directly instead of trying to fudge with hackish dependencies.&lt;br /&gt;
&lt;br /&gt;
The end result will be that your code will get the input object from the application (we will probably add something to JController at some point to make it more convenient to use there as well).&lt;br /&gt;
&lt;br /&gt;
Once you have your JInput object, you use it fairly in a fairly similar manner to how JRequest is used:&lt;br /&gt;
$input-&amp;gt;get(&#039;varname&#039;, &#039;default_value&#039;, &#039;filter&#039;);&lt;br /&gt;
&lt;br /&gt;
Where filter is a filter that is supported by JFilterInput.  JInput::clean proxies to JFilter.  We&#039;ll have to tweak JFilter a little bit so that it is more extensible.  It defaults to cmd so that developers have to be intentional about things if they want to have more lenient filtering.&lt;br /&gt;
&lt;br /&gt;
There is also a getArray method that allows you to specify an array of key and filter pairs so that you can get a whole array of filtered input.&lt;br /&gt;
&lt;br /&gt;
If you want to get data from a specific super global array, you can do $input-&amp;gt;get-&amp;gt;get(...) or $input-&amp;gt;post-&amp;gt;get(...).&lt;br /&gt;
&lt;br /&gt;
JApplication is deprecated, Use JApplicationCms instead unless specified otherwise.  JRequest is deprecated but will remain in the CMS through the 3.x series at a minimum. As such, it is easiest to still use JRequest with CMS applications. In the future get the JInput object from the application instead.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;noinclude&amp;gt;&lt;br /&gt;
[[Category:Tutorials]]&lt;br /&gt;
[[Category:Development]]&lt;br /&gt;
&amp;lt;/noinclude&amp;gt;&lt;/div&gt;</summary>
		<author><name>Globulopolis</name></author>
	</entry>
	<entry>
		<id>https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=304752</id>
		<title>Secure coding guidelines</title>
		<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=304752"/>
		<updated>2016-05-19T15:02:07Z</updated>

		<summary type="html">&lt;p&gt;Globulopolis: Update information about filter options.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;Joomla includes many features that help with the task of securing applications and extensions built on it.  You should always use these features if at all possible as they have been tried and tested by the many eyes of the developer community and any updates that might conceivably be required in the future will be automatically available whenever a Joomla update is applied.  What follows is a description of best practice in using the Joomla API to ensure that your extensions are as secure as possible.&lt;br /&gt;
&lt;br /&gt;
==Getting data from the request==&lt;br /&gt;
{{JVer|3.x}} Starting with Joomla version 3.0, [[Retrieving_request_data_using_JInput|JInput]] should be used instead of [[JRequest]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
All input originating from a user must be considered potentially dangerous and must be cleaned before being used.  You should always use the Joomla [[Retrieving_request_data_using_JInput|JInput]] class to retrieve data from the request, rather than the raw $_GET, $_POST or $_REQUEST variables as the [[Retrieving_request_data_using_JInput|JInput]] methods apply input filtering by default. JInput deals with all aspects of the user request in a way that is independent of the request method used.  It can also be used to retrieve cookie data and even server and environment variables. However, it is important to use the correct [[Retrieving_request_data_using_JInput|JInput]] method to ensure maximum security.  It is very easy to just use the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method with default parameters and ignore the fact that in many cases it is possible to apply a more stringent requirement on user input.&lt;br /&gt;
&lt;br /&gt;
It very important to understand that the [[Retrieving_request_data_using_JInput|JInput]] methods are not SQL-aware and further work is required to guard against SQL injection attacks.There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]]. If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
&lt;br /&gt;
Using [[Retrieving_request_data_using_JInput|JInput]] also obviates the need to pay attention to the setting of magic_quotes_gpc. [[Retrieving_request_data_using_JInput|JInput]] does the right thing, regardless of whether magic_quotes_gpc is on or off.  See http://php.net/manual/en/security.magicquotes.php for further information.&lt;br /&gt;
&lt;br /&gt;
When considering user input you should think about the data type you are expecting to retrieve and apply the most stringent form of [[Retrieving_request_data_using_JInput#Getting_Values|JInput]] that is applicable in each case.  In particular, avoid the lazy approach of using [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] as this will return an array that may contain entries that you did not expect and although each of those entries will have been cleaned, it is often the case that additional filtering could have been applied to some individual arguments.  For example, the get method treats all arguments as strings, whereas it may be possible to restrict some arguments to be integers.&lt;br /&gt;
&lt;br /&gt;
The first three parameters of each of the JInput get methods are the same.  Only the first parameter is mandatory.  In general, the format is&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
    JFactory::getApplication-&amp;gt;input-&amp;gt;&amp;lt;data-source&amp;gt;-&amp;gt;get&amp;lt;type&amp;gt;( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt; )&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;type&amp;gt; || the data type to be retrieved (see below for the types available).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;amp;lt;data-source&amp;amp;gt; || specifies where the variable is to be retrieved from (see below).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The following values for &amp;amp;lt;data-source&amp;amp;gt; are supported:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| get || Data submitted in the query part of the URL.&lt;br /&gt;
|-&lt;br /&gt;
| post || Data submitted from form fields.&lt;br /&gt;
|-&lt;br /&gt;
| method || The same as either GET or POST depending on how the request was made.&lt;br /&gt;
|-&lt;br /&gt;
| cookie || Data submitted in cookies.&lt;br /&gt;
|-&lt;br /&gt;
| request || All the GET, POST and COOKIE data combined.  This is the default.&lt;br /&gt;
|-&lt;br /&gt;
| files || Information about files uploaded as part of a POST request.&lt;br /&gt;
|-&lt;br /&gt;
| env || Environment variables (platform-specific).&lt;br /&gt;
|-&lt;br /&gt;
| server || Web server variables (platform-specific).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Notice that the default is REQUEST, which includes cookie data.&lt;br /&gt;
&lt;br /&gt;
The following sections look at each of the data types in more detail.&lt;br /&gt;
&lt;br /&gt;
===Integer===&lt;br /&gt;
The following will accept an integer.  An integer can include a leading minus sign, but a plus sign is not permitted.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;getInt( &#039;id&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;id&amp;quot; argument from the request (which by default includes all GET, POST and COOKIE data).  The default value is zero.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getInt( &#039;myId&#039;, 12 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;myId&amp;quot; variable from a cookie, with a default value of 12.&lt;br /&gt;
&lt;br /&gt;
===Floating point number===&lt;br /&gt;
A floating point number can include a leading minus sign, but not a plus sign.  If the number includes a decimal point, then there must be at least one digit before the decimal point.  For example,&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;getFloat( &#039;price&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &#039;price&#039; argument from the request.  The default is &amp;quot;0.0&amp;quot;.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getFloat( &#039;total&#039;, 100.00 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;total&#039; argument from a POST request (but not a GET), with a default value of 100.00.&lt;br /&gt;
&lt;br /&gt;
===Boolean value===&lt;br /&gt;
Any non-zero value is regarded as being true; zero is false.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;getBool( &#039;show&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return false if the value of the &#039;show&#039; argument in the request is zero, or 1 (true) if the argument is anything else.  The default is false.  Note that any string argument will result in a return value of true, so calling the above with a URL containing &amp;quot;?show=false&amp;quot; will actually return true!&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;get-&amp;gt;getBool( &#039;hide&#039;, true );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;hide&#039; argument from a GET request (but not a POST), with a default value of true.&lt;br /&gt;
&lt;br /&gt;
===Word===&lt;br /&gt;
A word is defined as being a string of alphabetic characters.  The underscore character is permitted as part of a word.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;search-word&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;search-word&#039; argument from the request.  The default is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;keyword&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;keyword&#039; variable from a cookie, with the default being an empty string.&lt;br /&gt;
&lt;br /&gt;
===Command===&lt;br /&gt;
A command is like a word but a wider range of characters is permitted.  Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;getCmd( &#039;option&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;option&amp;quot; argument from the request.  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getCmd( &#039;controller&#039;, &#039;view&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;controller&amp;quot; argument from a POST request (but not a GET), with a default value of &#039;view&#039;.&lt;br /&gt;
&lt;br /&gt;
===String===&lt;br /&gt;
The string type allows a much wider range of input characters.  It also takes an optional fourth argument specifying some additional mask options.  See [[#Filter options]] for information on the available masks.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;description&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;description&amp;quot; argument from the request.  The default value is an empty string.  The input will have whitespace removed from the left and right ends and any HTML tags will be removed.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;text&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;text&amp;quot; argument from the request..  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;template&#039;, &#039;&amp;lt;html /&amp;gt;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;template&amp;quot; argument from the request.  The default value is &#039;&amp;lt;html /&amp;gt;&#039;.&lt;br /&gt;
&lt;br /&gt;
===Generic and other data types===&lt;br /&gt;
If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method directly.  The syntax is:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JFactory::getApplication-&amp;gt;input-&amp;gt;get( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.  There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]].   If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || specifies the data type expected (see below).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The first three arguments are the same as for the more specific methods described earlier.  Only the first argument is mandatory.&lt;br /&gt;
&lt;br /&gt;
Allowed values of the &amp;lt;type&amp;gt;, which is case-insensitive, are as follows:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| INT, INTEGER || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
|-&lt;br /&gt;
| UINT || Get an unsigned integer. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getUint]].&lt;br /&gt;
|-&lt;br /&gt;
| FLOAT, DOUBLE || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getFloat]].&lt;br /&gt;
|-&lt;br /&gt;
| BOOL, BOOLEAN || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getBool]].&lt;br /&gt;
|-&lt;br /&gt;
| WORD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getWord]].&lt;br /&gt;
|-&lt;br /&gt;
| ALNUM || Allow only alphanumeric characters (a-z, A-Z, 0-9). Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getAlnum]].&lt;br /&gt;
|-&lt;br /&gt;
| CMD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getCmd]].&lt;br /&gt;
|-&lt;br /&gt;
| BASE64 || Allow only those characters that could be present in a base64-encoded string (ie. a-z, A-Z, 0-9, /, + and =). Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getBase64]].&lt;br /&gt;
|-&lt;br /&gt;
| STRING || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getString]].&lt;br /&gt;
|-&lt;br /&gt;
| ARRAY || Source is not filtered but is cast to array type.&lt;br /&gt;
|-&lt;br /&gt;
| HTML || A sanitised string. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getHtml]].&lt;br /&gt;
|-&lt;br /&gt;
| PATH || Valid pathname regex that filters out common attacks.  For example, any path beginning with a &amp;quot;/&amp;quot; will return an empty string.  Simliarly, any path containing &amp;quot;/./&amp;quot; or &amp;quot;/../&amp;quot; will return an empty string.  Dots within filenames are okay though. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getPath]].&lt;br /&gt;
|-&lt;br /&gt;
| USERNAME || Removes control characters (0x00 - 0x1F), 0x7F, &amp;lt;, &amp;gt;, &amp;quot;, &#039;, % and &amp;amp;. Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getUsername]].&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Filter options===&lt;br /&gt;
All input values can be filtered using JFilterInput-&amp;gt;clean.&lt;br /&gt;
&lt;br /&gt;
Filter an array of values.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$data = JFactory::getApplication()-&amp;gt;input-&amp;gt;post-&amp;gt;get(&#039;data&#039;, array(), &#039;array&#039;);&lt;br /&gt;
$filter = JFilterInput::getInstance();&lt;br /&gt;
&lt;br /&gt;
foreach ($data as $value)&lt;br /&gt;
{&lt;br /&gt;
	$array[] = $filter-&amp;gt;clean($value, &#039;string&#039;);&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
For more filter types see [https://github.com/joomla/joomla-cms/blob/master/libraries/joomla/filter/input.php#L115 JFilterInput source].&lt;br /&gt;
&lt;br /&gt;
Options listed bellow available only in deprecated [[JRequest]] library.&lt;br /&gt;
Allowed values of &amp;lt;options&amp;gt; are as follows (none of these are applied by default):&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| JREQUEST_NOTRIM || Does not remove whitespace from the start and ends of strings.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWRAW || Does not do any filtering at all.  Use with extreme caution.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWHTML || Does not remove HTML from string inputs.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Masks can be combined by logically OR&#039;ing them.  If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.&lt;br /&gt;
&lt;br /&gt;
===File uploads===&lt;br /&gt;
Web servers already have a good deal of security around handling file uploads, but it is still necessary to take additional steps to ensure that file names and paths cannot be abused.  A simplified form which requests a file to be uploaded looks like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;form action=&amp;quot;index.php?option=com_mycomponent/form_handler.php&amp;quot;  method=&amp;quot;post&amp;quot; enctype=&amp;quot;multipart/form-data&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;input type=&amp;quot;file&amp;quot; name=&amp;quot;Filedata&amp;quot; /&amp;gt;&lt;br /&gt;
    &amp;lt;input type=&amp;quot;submit&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/form&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
On clicking the submit button, the browser will upload the file in a POST request, passing control to Joomla which will call &amp;quot;components/com_mycomponent/form_handler.php&amp;quot;.  This will include code like the following.  The variable $somepath must be set to some path where the web server has permission to create files.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Check to ensure this file is included in Joomla!&lt;br /&gt;
defined(&#039;_JEXEC&#039;) or die( &#039;Restricted access&#039; );&lt;br /&gt;
&lt;br /&gt;
// Get the file data array from the request.&lt;br /&gt;
$file = JFactory::getApplication-&amp;gt;input-&amp;gt;get( &#039;Filedata&#039;, &#039;&#039;, &#039;files&#039;, &#039;array&#039; );&lt;br /&gt;
&lt;br /&gt;
// Make the file name safe.&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$file[&#039;name&#039;] = JFile::makeSafe($file[&#039;name&#039;]);&lt;br /&gt;
&lt;br /&gt;
// Move the uploaded file into a permanent location.&lt;br /&gt;
if (isset( $file[&#039;name&#039;] )) {&lt;br /&gt;
&lt;br /&gt;
    // Make sure that the full file path is safe.&lt;br /&gt;
    $filepath = JPath::clean( $somepath.&#039;/&#039;.strtolower( $file[&#039;name&#039;] ) );&lt;br /&gt;
&lt;br /&gt;
    // Move the uploaded file.&lt;br /&gt;
    JFile::upload( $file[&#039;tmp_name&#039;], $filepath );&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Saving a request variable into user state===&lt;br /&gt;
Because setting a user state variable from a variable in the request is such a common operation, there is an API method to make the task easier.  This is generally safe to use because it calls [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] to obtain the input from the request, but remember that none of the input filtering calls will protect against SQL injection attempts.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &amp;lt;key&amp;gt;, &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;key&amp;gt; || the name of the variable in the user state.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the request variable (same as the first argument of a [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] call).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value to be assigned to the user state variable if the request variable is absent.  The default is null.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || the type of variable expected.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
For example, getting an integer variable called &#039;id&#039; from the request with a default value of 0, then saving it into a session variable called &#039;myid&#039; can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &#039;myid&#039;, &#039;id, 0, &#039;int&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
instead of something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;setUserState( &#039;myid&#039;, $app-&amp;gt;input-&amp;gt;getInt( &#039;id&#039;, 0 ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Constructing SQL queries==&lt;br /&gt;
One of the most common forms of attack on web applications is SQL injection, where the aim of the attacker is to change a database query by exploiting a poorly filtered input variable.  Injecting modified SQL statements into the database can damage data or reveal private information.  It is important to ensure that when SQL statements are constructed, they are correctly escaped and quoted so that bad input data cannot result in a bad SQL statement. You cannot rely on the [[Retrieving_request_data_using_JInput|JInput]] methods to do this as they are not SQL-aware.&lt;br /&gt;
&lt;br /&gt;
===Secure integers and the rest of numeric values===&lt;br /&gt;
With the MySQL database, numeric fields should not be quoted, so it is important that they be typecast instead.  Failure to do this will leave your code vulnerable to an attacker inserting a string containing SQL data.&lt;br /&gt;
&lt;br /&gt;
Depending on the type, numeric types are cast like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// For SQL data types: INT, INTEGER, TINYINT, SMALLINT, MEDIUMINT, BIGINT, YEAR&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (int) $id;&lt;br /&gt;
&lt;br /&gt;
// For SQL data types: FLOAT, DOUBLE&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (float) $id;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
It&#039;s a good idea to get into the habit of always typecasting integers like this even if the variable was previously obtained using [[Further information on SQL injection attacks can be found here: http://php.net/manual/en/security.database.sql-injection.php and here: [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
&lt;br /&gt;
===Secure strings===&lt;br /&gt;
In the examples that follow it is assumed that $db is an instance of a Joomla database object.  This can always be obtained from [[JFactory]] using&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$db = JFactory::getDBO();&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Strings should always be escaped before being used in an SQL statement.  This is actually very simple as the [[JDatabase/quote|JDatabase-&amp;gt;quote]] method escapes everything for you.  You can also use the [[JDatabase/escape|JDatabase-&amp;gt;escape]] method directly.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $db-&amp;gt;escape( $field ), false );&lt;br /&gt;
&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $field );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
===Secure on search===&lt;br /&gt;
Special attention should be paid to LIKE clauses which contain the % wildcard character as these require special escaping in order to avoid possible denial of service attacks.  LIKE clauses can be handled like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Construct the search term by escaping the user-supplied string and, if required, adding the % wildcard characters manually.&lt;br /&gt;
$search = &#039;%&#039; . $db-&amp;gt;escape( $search, true ) . &#039;%&#039; );&lt;br /&gt;
&lt;br /&gt;
// Construct the SQL query, being careful to suppress the default behaviour of Quote so as to prevent double-escaping.&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` LIKE &#039; . $db-&amp;gt;quote( $search, false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure dates===&lt;br /&gt;
If data is to be entered into a datetime column then you can use the Joomla API to ensure a valid date format:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$date = JFactory::getDate( $mydate );&lt;br /&gt;
$query = &#039;UPDATE #__table SET `date` = &#039; . $db-&amp;gt;quote( $date-&amp;gt;toMySQL(), false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Note that it is necessary to suppress database escaping as legitimate dates may contain characters that should not be escaped.&lt;br /&gt;
&lt;br /&gt;
===Secure field names===&lt;br /&gt;
In the comparatively rare case where a field name is a variable, that should also be quoted using an API call:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure arrays of integers===&lt;br /&gt;
When you have an array of ids, typically used for IN() queries, you have to sanitise it also with JArrayHelper::toInteger($cid); before imploding: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
JArrayHelper::toInteger($catId);&lt;br /&gt;
$query-&amp;gt;where($db-&amp;gt;quoteName(&#039;x.category_id&#039;) . &#039; IN (&#039; . implode(&#039;,&#039;, $catId) . &#039;)&#039;);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Short aliases of Quote and QuoteName===&lt;br /&gt;
Shorter alternatives to the quote methods may also be used.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;qn( $field-name ) . &#039;=&#039; . $db-&amp;gt;q( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Securing forms==&lt;br /&gt;
Apart from cleaning input variables as described above, you can also implement a simple technique which makes it more difficult for a cross-site request forgery attack (CSRF) to succeed. This involves adding a randomly-generated unique token to the form which is checked against a copy of the token held in the user&#039;s session.  By checking that the submitted token matches the one contained in the stored session, it is possible to tie a rendered form to the request variables presented.&lt;br /&gt;
&lt;br /&gt;
In POST forms you should add a hidden token field using:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JHTML::_( &#039;form.token&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This outputs the token as a hidden form field looking like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;8cb24ae69ffd7828ccecbcf06056e6fc&amp;quot; value=&amp;quot;1&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
and places a copy of the token into the user&#039;s session, for later checking.&lt;br /&gt;
&lt;br /&gt;
If you need to add the token to a URL rather than a form then you can use something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JRoute::_( &#039;index.php?option=com_mycomponent&amp;amp;&#039; . JSession::getFormToken() . &#039;=1&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the most common scenario, you will want to check the token following a POST to the form handler.  This can be done by adding this line of code to form handler:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken() or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
If you need to pass the token in a GET request then you can check it like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken( &#039;get&#039; ) or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In both cases the code will die if the token is omitted from the request, or the submitted token does not match the session token.  If the token is correct but has expired, then [[JSession/checkToken|JSession::checkToken]] will automatically redirect to the site front page.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem paths==&lt;br /&gt;
If there is any possibility that a filesystem path might be constructed using data that originated from user input, then the path must be cleaned and checked before being used.  This can be done quite simply like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JPath::check( $path );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This will raise an error and terminate Joomla if the path contains a &amp;quot;..&amp;quot; or leads to a location outside the Joomla root directory.  If you want to deal with the error yourself without terminating the application, then you can use code like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$path = JPath::clean( $path );&lt;br /&gt;
if (strpos( $path, JPath::clean( JPATH_ROOT ) ) !== 0) {&lt;br /&gt;
    // Handle the error here.&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
The [[JPath:clean]] method can be used in your own code too.  It merely removes leading and trailing whitespace and replace double slashes and backslashes with the standard directory separator.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem file names==&lt;br /&gt;
As with filesystem paths, if there is any possibility that a file name might be constructed using user-originated data, then the file name must be cleaned and checked before use.  This can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$clean = JFile::makeSafe( $unclean );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This method removes sequences of two or more &amp;quot;.&amp;quot; characters and any character that is not alphabetic, numeric or a dot, dash or underscore character.  If there is a leading dot then that is removed too.&lt;br /&gt;
[[Category:Development]][[Category:Security]]&lt;/div&gt;</summary>
		<author><name>Globulopolis</name></author>
	</entry>
	<entry>
		<id>https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=274088</id>
		<title>Secure coding guidelines</title>
		<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/index.php?title=Secure_coding_guidelines&amp;diff=274088"/>
		<updated>2016-02-15T20:39:44Z</updated>

		<summary type="html">&lt;p&gt;Globulopolis: Remove deprecated JRequest and update to actual JInput and JSession.&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{page|needs technical review|This page uses out of date standards e.g. JRequest}}&lt;br /&gt;
Joomla includes many features that help with the task of securing applications and extensions built on it.  You should always use these features if at all possible as they have been tried and tested by the many eyes of the developer community and any updates that might conceivably be required in the future will be automatically available whenever a Joomla update is applied.  What follows is a description of best practice in using the Joomla API to ensure that your extensions are as secure as possible.&lt;br /&gt;
&lt;br /&gt;
==Getting data from the request==&lt;br /&gt;
{{JVer|3.x}} Starting with Joomla version 3.0, [[Retrieving_request_data_using_JInput|JInput]] should be used instead of [[JRequest]].&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
All input originating from a user must be considered potentially dangerous and must be cleaned before being used.  You should always use the Joomla [[Retrieving_request_data_using_JInput|JInput]] class to retrieve data from the request, rather than the raw $_GET, $_POST or $_REQUEST variables as the [[Retrieving_request_data_using_JInput|JInput]] methods apply input filtering by default. JInput deals with all aspects of the user request in a way that is independent of the request method used.  It can also be used to retrieve cookie data and even server and environment variables. However, it is important to use the correct [[Retrieving_request_data_using_JInput|JInput]] method to ensure maximum security.  It is very easy to just use the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method with default parameters and ignore the fact that in many cases it is possible to apply a more stringent requirement on user input.&lt;br /&gt;
&lt;br /&gt;
It very important to understand that the [[Retrieving_request_data_using_JInput|JInput]] methods are not SQL-aware and further work is required to guard against SQL injection attacks.There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]]. If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
&lt;br /&gt;
Using [[Retrieving_request_data_using_JInput|JInput]] also obviates the need to pay attention to the setting of magic_quotes_gpc. [[Retrieving_request_data_using_JInput|JInput]] does the right thing, regardless of whether magic_quotes_gpc is on or off.  See http://php.net/manual/en/security.magicquotes.php for further information.&lt;br /&gt;
&lt;br /&gt;
When considering user input you should think about the data type you are expecting to retrieve and apply the most stringent form of [[Retrieving_request_data_using_JInput#Getting_Values|JInput]] that is applicable in each case.  In particular, avoid the lazy approach of using [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] as this will return an array that may contain entries that you did not expect and although each of those entries will have been cleaned, it is often the case that additional filtering could have been applied to some individual arguments.  For example, the get method treats all arguments as strings, whereas it may be possible to restrict some arguments to be integers.&lt;br /&gt;
&lt;br /&gt;
The first three parameters of each of the JInput get methods are the same.  Only the first parameter is mandatory.  In general, the format is&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
    JFactory::getApplication-&amp;gt;input-&amp;gt;&amp;lt;data-source&amp;gt;-&amp;gt;get&amp;lt;type&amp;gt;( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;filter&amp;gt; )&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;type&amp;gt; || the data type to be retrieved (see below for the types available).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;amp;lt;data-source&amp;amp;gt; || specifies where the variable is to be retrieved from (see below).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;amp;lt;filter&amp;amp;gt; || specifies how JInput should filter variable value. See [[JFilterInput|JFilterInput-&amp;gt;clean]]&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The following values for &amp;amp;lt;data-source&amp;amp;gt; are supported:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| get || Data submitted in the query part of the URL.&lt;br /&gt;
|-&lt;br /&gt;
| post || Data submitted from form fields.&lt;br /&gt;
|-&lt;br /&gt;
| method || The same as either GET or POST depending on how the request was made.&lt;br /&gt;
|-&lt;br /&gt;
| cookie || Data submitted in cookies.&lt;br /&gt;
|-&lt;br /&gt;
| request || All the GET, POST and COOKIE data combined.  This is the default.&lt;br /&gt;
|-&lt;br /&gt;
| files || Information about files uploaded as part of a POST request.&lt;br /&gt;
|-&lt;br /&gt;
| env || Environment variables (platform-specific).&lt;br /&gt;
|-&lt;br /&gt;
| server || Web server variables (platform-specific).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Notice that the default is REQUEST, which includes cookie data.&lt;br /&gt;
&lt;br /&gt;
The following sections look at each of the data types in more detail.&lt;br /&gt;
&lt;br /&gt;
===Integer===&lt;br /&gt;
The following will accept an integer.  An integer can include a leading minus sign, but a plus sign is not permitted.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;getInt( &#039;id&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;id&amp;quot; argument from the request (which by default includes all GET, POST and COOKIE data).  The default value is zero.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$integer = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getInt( &#039;myId&#039;, 12 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &amp;quot;myId&amp;quot; variable from a cookie, with a default value of 12.&lt;br /&gt;
&lt;br /&gt;
===Floating point number===&lt;br /&gt;
A floating point number can include a leading minus sign, but not a plus sign.  If the number includes a decimal point, then there must be at least one digit before the decimal point.  For example,&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;getFloat( &#039;price&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return the value of the &#039;price&#039; argument from the request.  The default is &amp;quot;0.0&amp;quot;.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$float = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getFloat( &#039;total&#039;, 100.00 );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;total&#039; argument from a POST request (but not a GET), with a default value of 100.00.&lt;br /&gt;
&lt;br /&gt;
===Boolean value===&lt;br /&gt;
Any non-zero value is regarded as being true; zero is false.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;getBool( &#039;show&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will return false if the value of the &#039;show&#039; argument in the request is zero, or 1 (true) if the argument is anything else.  The default is false.  Note that any string argument will result in a return value of true, so calling the above with a URL containing &amp;quot;?show=false&amp;quot; will actually return true!&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$boolean = JFactory::getApplication-&amp;gt;input-&amp;gt;get-&amp;gt;getBool( &#039;hide&#039;, true );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;hide&#039; argument from a GET request (but not a POST), with a default value of true.&lt;br /&gt;
&lt;br /&gt;
===Word===&lt;br /&gt;
A word is defined as being a string of alphabetic characters.  The underscore character is permitted as part of a word.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;search-word&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;search-word&#039; argument from the request.  The default is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$word = JFactory::getApplication-&amp;gt;input-&amp;gt;cookie-&amp;gt;getWord( &#039;keyword&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &#039;keyword&#039; variable from a cookie, with the default being an empty string.&lt;br /&gt;
&lt;br /&gt;
===Command===&lt;br /&gt;
A command is like a word but a wider range of characters is permitted.  Allowed characters are: all alphanumeric characters, dot, dash (hyphen) and underscore.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;getCmd( &#039;option&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;option&amp;quot; argument from the request.  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$command = JFactory::getApplication-&amp;gt;input-&amp;gt;post-&amp;gt;getCmd( &#039;controller&#039;, &#039;view&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;controller&amp;quot; argument from a POST request (but not a GET), with a default value of &#039;view&#039;.&lt;br /&gt;
&lt;br /&gt;
===String===&lt;br /&gt;
The string type allows a much wider range of input characters.  It also takes an optional fourth argument specifying some additional mask options.  See [[#Filter options]] for information on the available masks.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;description&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;description&amp;quot; argument from the request.  The default value is an empty string.  The input will have whitespace removed from the left and right ends and any HTML tags will be removed.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;text&#039;, &#039;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;text&amp;quot; argument from the request..  The default value is an empty string.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$string = JFactory::getApplication-&amp;gt;input-&amp;gt;getString( &#039;template&#039;, &#039;&amp;lt;html /&amp;gt;&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
will retrieve the value of the &amp;quot;template&amp;quot; argument from the request.  The default value is &#039;&amp;lt;html /&amp;gt;&#039;.&lt;br /&gt;
&lt;br /&gt;
===Generic and other data types===&lt;br /&gt;
If the above methods do not meet your needs, there is a small number of additional filter types which you can use by calling the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] method directly.  The syntax is:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JFactory::getApplication-&amp;gt;input-&amp;gt;get( &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the variable to be retrieved (for example, the name of an argument in a URL).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value.  There is no default value that will be returned if no default is specified in the call the [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]].   If no default is specified and the argument is not present in the request variable then it will return undefined.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || specifies the data type expected (see below).&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The first three arguments are the same as for the more specific methods described earlier.  Only the first argument is mandatory.&lt;br /&gt;
&lt;br /&gt;
Allowed values of the &amp;lt;type&amp;gt;, which is case-insensitive, are as follows:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| INT, INTEGER || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
|-&lt;br /&gt;
| FLOAT, DOUBLE || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getFloat]].&lt;br /&gt;
|-&lt;br /&gt;
| BOOL, BOOLEAN || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getBool]].&lt;br /&gt;
|-&lt;br /&gt;
| WORD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getWord]].&lt;br /&gt;
|-&lt;br /&gt;
| ALNUM || Allow only alphanumeric characters (a-z, A-Z, 0-9).&lt;br /&gt;
|-&lt;br /&gt;
| CMD || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getCmd]].&lt;br /&gt;
|-&lt;br /&gt;
| BASE64 || Allow only those characters that could be present in a base64-encoded string (ie. a-z, A-Z, 0-9, /, + and =).&lt;br /&gt;
|-&lt;br /&gt;
| STRING || Equivalent to [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getString]].&lt;br /&gt;
|-&lt;br /&gt;
| ARRAY || Source is not filtered but is cast to array type.&lt;br /&gt;
|-&lt;br /&gt;
| PATH || Valid pathname regex that filters out common attacks.  For example, any path beginning with a &amp;quot;/&amp;quot; will return an empty string.  Simliarly, any path containing &amp;quot;/./&amp;quot; or &amp;quot;/../&amp;quot; will return an empty string.  Dots within filenames are okay though.&lt;br /&gt;
|-&lt;br /&gt;
| USERNAME || Removes control characters (0x00 - 0x1F), 0x7F, &amp;lt;, &amp;gt;, &amp;quot;, &#039;, % and &amp;amp;.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
===Filter options===&lt;br /&gt;
Allowed values of &amp;lt;options&amp;gt; are as follows (none of these are applied by default):&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| JREQUEST_NOTRIM || Does not remove whitespace from the start and ends of strings.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWRAW || Does not do any filtering at all.  Use with extreme caution.&lt;br /&gt;
|-&lt;br /&gt;
| JREQUEST_ALLOWHTML || Does not remove HTML from string inputs.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
Masks can be combined by logically OR&#039;ing them.  If no filter options are specified, then by default, whitespace is trimmed and HTML is removed.&lt;br /&gt;
&lt;br /&gt;
===File uploads===&lt;br /&gt;
Web servers already have a good deal of security around handling file uploads, but it is still necessary to take additional steps to ensure that file names and paths cannot be abused.  A simplified form which requests a file to be uploaded looks like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;form action=&amp;quot;index.php?option=com_mycomponent/form_handler.php&amp;quot;  method=&amp;quot;post&amp;quot; enctype=&amp;quot;multipart/form-data&amp;quot;&amp;gt;&lt;br /&gt;
        &amp;lt;input type=&amp;quot;file&amp;quot; name=&amp;quot;Filedata&amp;quot; /&amp;gt;&lt;br /&gt;
    &amp;lt;input type=&amp;quot;submit&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/form&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
On clicking the submit button, the browser will upload the file in a POST request, passing control to Joomla which will call &amp;quot;components/com_mycomponent/form_handler.php&amp;quot;.  This will include code like the following.  The variable $somepath must be set to some path where the web server has permission to create files.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Check to ensure this file is included in Joomla!&lt;br /&gt;
defined(&#039;_JEXEC&#039;) or die( &#039;Restricted access&#039; );&lt;br /&gt;
&lt;br /&gt;
// Get the file data array from the request.&lt;br /&gt;
$file = JFactory::getApplication-&amp;gt;input-&amp;gt;get( &#039;Filedata&#039;, &#039;&#039;, &#039;files&#039;, &#039;array&#039; );&lt;br /&gt;
&lt;br /&gt;
// Make the file name safe.&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$file[&#039;name&#039;] = JFile::makeSafe($file[&#039;name&#039;]);&lt;br /&gt;
&lt;br /&gt;
// Move the uploaded file into a permanent location.&lt;br /&gt;
if (isset( $file[&#039;name&#039;] )) {&lt;br /&gt;
&lt;br /&gt;
    // Make sure that the full file path is safe.&lt;br /&gt;
    $filepath = JPath::clean( $somepath.&#039;/&#039;.strtolower( $file[&#039;name&#039;] ) );&lt;br /&gt;
&lt;br /&gt;
    // Move the uploaded file.&lt;br /&gt;
    JFile::upload( $file[&#039;tmp_name&#039;], $filepath );&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Saving a request variable into user state===&lt;br /&gt;
Because setting a user state variable from a variable in the request is such a common operation, there is an API method to make the task easier.  This is generally safe to use because it calls [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] to obtain the input from the request, but remember that none of the input filtering calls will protect against SQL injection attempts.&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &amp;lt;key&amp;gt;, &amp;lt;name&amp;gt;, &amp;lt;default&amp;gt;, &amp;lt;type&amp;gt; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
where&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot; border=&amp;quot;1&amp;quot;&lt;br /&gt;
| &amp;lt;key&amp;gt; || the name of the variable in the user state.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;name&amp;gt; || the name of the request variable (same as the first argument of a [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;get]] call).&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;default&amp;gt; || the default value to be assigned to the user state variable if the request variable is absent.  The default is null.&lt;br /&gt;
|-&lt;br /&gt;
| &amp;lt;type&amp;gt; || the type of variable expected.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
For example, getting an integer variable called &#039;id&#039; from the request with a default value of 0, then saving it into a session variable called &#039;myid&#039; can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;getUserStateFromRequest( &#039;myid&#039;, &#039;id, 0, &#039;int&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
instead of something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$app = JFactory::getApplication();&lt;br /&gt;
$app-&amp;gt;setUserState( &#039;myid&#039;, $app-&amp;gt;input-&amp;gt;getInt( &#039;id&#039;, 0 ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Constructing SQL queries==&lt;br /&gt;
One of the most common forms of attack on web applications is SQL injection, where the aim of the attacker is to change a database query by exploiting a poorly filtered input variable.  Injecting modified SQL statements into the database can damage data or reveal private information.  It is important to ensure that when SQL statements are constructed, they are correctly escaped and quoted so that bad input data cannot result in a bad SQL statement. You cannot rely on the [[Retrieving_request_data_using_JInput|JInput]] methods to do this as they are not SQL-aware.&lt;br /&gt;
&lt;br /&gt;
===Secure integers and the rest of numeric values===&lt;br /&gt;
With the MySQL database, numeric fields should not be quoted, so it is important that they be typecast instead.  Failure to do this will leave your code vulnerable to an attacker inserting a string containing SQL data.&lt;br /&gt;
&lt;br /&gt;
Depending on the type, numeric types are cast like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// For SQL data types: INT, INTEGER, TINYINT, SMALLINT, MEDIUMINT, BIGINT, YEAR&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (int) $id;&lt;br /&gt;
&lt;br /&gt;
// For SQL data types: FLOAT, DOUBLE&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `id`=&#039; . (float) $id;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
It&#039;s a good idea to get into the habit of always typecasting integers like this even if the variable was previously obtained using [[Further information on SQL injection attacks can be found here: http://php.net/manual/en/security.database.sql-injection.php and here: [[Retrieving_request_data_using_JInput#Getting_Values|JInput-&amp;gt;getInt]].&lt;br /&gt;
&lt;br /&gt;
===Secure strings===&lt;br /&gt;
In the examples that follow it is assumed that $db is an instance of a Joomla database object.  This can always be obtained from [[JFactory]] using&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$db = JFactory::getDBO();&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Strings should always be escaped before being used in an SQL statement.  This is actually very simple as the [[JDatabase/quote|JDatabase-&amp;gt;quote]] method escapes everything for you.  You can also use the [[JDatabase/escape|JDatabase-&amp;gt;escape]] method directly.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $db-&amp;gt;escape( $field ), false );&lt;br /&gt;
&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` = &#039; . $db-&amp;gt;quote( $field );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
===Secure on search===&lt;br /&gt;
Special attention should be paid to LIKE clauses which contain the % wildcard character as these require special escaping in order to avoid possible denial of service attacks.  LIKE clauses can be handled like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
// Construct the search term by escaping the user-supplied string and, if required, adding the % wildcard characters manually.&lt;br /&gt;
$search = &#039;%&#039; . $db-&amp;gt;escape( $search, true ) . &#039;%&#039; );&lt;br /&gt;
&lt;br /&gt;
// Construct the SQL query, being careful to suppress the default behaviour of Quote so as to prevent double-escaping.&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE `field` LIKE &#039; . $db-&amp;gt;quote( $search, false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure dates===&lt;br /&gt;
If data is to be entered into a datetime column then you can use the Joomla API to ensure a valid date format:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$date = JFactory::getDate( $mydate );&lt;br /&gt;
$query = &#039;UPDATE #__table SET `date` = &#039; . $db-&amp;gt;quote( $date-&amp;gt;toMySQL(), false );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
Note that it is necessary to suppress database escaping as legitimate dates may contain characters that should not be escaped.&lt;br /&gt;
&lt;br /&gt;
===Secure field names===&lt;br /&gt;
In the comparatively rare case where a field name is a variable, that should also be quoted using an API call:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Secure arrays of integers===&lt;br /&gt;
When you have an array of ids, typically used for IN() queries, you have to sanitise it also with JArrayHelper::toInteger($cid); before imploding: &lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
...&lt;br /&gt;
JArrayHelper::toInteger($catId);&lt;br /&gt;
$query-&amp;gt;where($db-&amp;gt;quoteName(&#039;x.category_id&#039;) . &#039; IN (&#039; . implode(&#039;,&#039;, $catId) . &#039;)&#039;);&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
===Short aliases of Quote and QuoteName===&lt;br /&gt;
Shorter alternatives to the quote methods may also be used.  The following statements are equivalent:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;quoteName( $field-name ) . &#039;=&#039; . $db-&amp;gt;quote( $field-value );&lt;br /&gt;
$query = &#039;SELECT * FROM #__table WHERE &#039; . $db-&amp;gt;qn( $field-name ) . &#039;=&#039; . $db-&amp;gt;q( $field-value );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Securing forms==&lt;br /&gt;
Apart from cleaning input variables as described above, you can also implement a simple technique which makes it more difficult for a cross-site request forgery attack (CSRF) to succeed. This involves adding a randomly-generated unique token to the form which is checked against a copy of the token held in the user&#039;s session.  By checking that the submitted token matches the one contained in the stored session, it is possible to tie a rendered form to the request variables presented.&lt;br /&gt;
&lt;br /&gt;
In POST forms you should add a hidden token field using:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JHTML::_( &#039;form.token&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This outputs the token as a hidden form field looking like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;html4strict&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;input type=&amp;quot;hidden&amp;quot; name=&amp;quot;8cb24ae69ffd7828ccecbcf06056e6fc&amp;quot; value=&amp;quot;1&amp;quot; /&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
and places a copy of the token into the user&#039;s session, for later checking.&lt;br /&gt;
&lt;br /&gt;
If you need to add the token to a URL rather than a form then you can use something like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
echo JRoute::_( &#039;index.php?option=com_mycomponent&amp;amp;&#039; . JSession::getFormToken() . &#039;=1&#039; );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the most common scenario, you will want to check the token following a POST to the form handler.  This can be done by adding this line of code to form handler:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken() or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
If you need to pass the token in a GET request then you can check it like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JSession::checkToken( &#039;get&#039; ) or die( JText::_( &#039;Invalid Token&#039; ) );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In both cases the code will die if the token is omitted from the request, or the submitted token does not match the session token.  If the token is correct but has expired, then [[JSession/checkToken|JSession::checkToken]] will automatically redirect to the site front page.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem paths==&lt;br /&gt;
If there is any possibility that a filesystem path might be constructed using data that originated from user input, then the path must be cleaned and checked before being used.  This can be done quite simply like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
JPath::check( $path );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This will raise an error and terminate Joomla if the path contains a &amp;quot;..&amp;quot; or leads to a location outside the Joomla root directory.  If you want to deal with the error yourself without terminating the application, then you can use code like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
$path = JPath::clean( $path );&lt;br /&gt;
if (strpos( $path, JPath::clean( JPATH_ROOT ) ) !== 0) {&lt;br /&gt;
    // Handle the error here.&lt;br /&gt;
}&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
The [[JPath:clean]] method can be used in your own code too.  It merely removes leading and trailing whitespace and replace double slashes and backslashes with the standard directory separator.&lt;br /&gt;
&lt;br /&gt;
==Cleaning filesystem file names==&lt;br /&gt;
As with filesystem paths, if there is any possibility that a file name might be constructed using user-originated data, then the file name must be cleaned and checked before use.  This can be done like this:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
jimport(&#039;joomla.filesystem.file&#039;);&lt;br /&gt;
$clean = JFile::makeSafe( $unclean );&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
This method removes sequences of two or more &amp;quot;.&amp;quot; characters and any character that is not alphabetic, numeric or a dot, dash or underscore character.  If there is a leading dot then that is removed too.&lt;br /&gt;
[[Category:Development]][[Category:Security]]&lt;/div&gt;</summary>
		<author><name>Globulopolis</name></author>
	</entry>
	<entry>
		<id>https://docs.sandbox.joomla.org/index.php?title=Manifest_files&amp;diff=177434</id>
		<title>Manifest files</title>
		<link rel="alternate" type="text/html" href="https://docs.sandbox.joomla.org/index.php?title=Manifest_files&amp;diff=177434"/>
		<updated>2015-04-30T13:45:22Z</updated>

		<summary type="html">&lt;p&gt;Globulopolis: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;{{version|2.5,3.x}}&lt;br /&gt;
&lt;br /&gt;
Within Joomla there are manifest files for all of the extensions. These files include the general installation information as well as parameters for the configuration of the [[extension]] itself. Since Joomla! 2.5 {{JVer|2.5}}, there are very few differences between the manifest file formats for the different [[S:MyLanguage/Extension types (technical definitions)|types of extensions]], allowing each type to access the full power of the Joomla! installer.&lt;br /&gt;
&lt;br /&gt;
==Naming conventions==&lt;br /&gt;
The file must be named &amp;lt;tt&amp;gt;manifest.xml&amp;lt;/tt&amp;gt; or &amp;lt;tt&amp;gt;&amp;lt;extension_name&amp;gt;.xml&amp;lt;/tt&amp;gt; and located in the root directory of the installation package.&lt;br /&gt;
&lt;br /&gt;
==Syntax==&lt;br /&gt;
&lt;br /&gt;
=== Root element ===&lt;br /&gt;
The primary tag of the installation file is: &lt;br /&gt;
&amp;lt;source lang=xml&amp;gt;&amp;lt;extension&amp;gt;&amp;lt;/extension&amp;gt;&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This starting and closing tags are now valid for all extensions. The new tag &amp;lt;code&amp;gt;&amp;lt;extension&amp;gt;&amp;lt;/code&amp;gt; replaces the old &amp;lt;code&amp;gt;&amp;lt;install&amp;gt;&amp;lt;/install&amp;gt;&amp;lt;/code&amp;gt; from Joomla {{JVer|1.5}}. The following attributes are allowed within the tag:&lt;br /&gt;
&lt;br /&gt;
{|class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
|-&lt;br /&gt;
! style=&amp;quot;width: 150px&amp;quot; | Attribute || style=&amp;quot;width: 150px&amp;quot; | Values || Applicable&amp;amp;nbsp;to || Description&lt;br /&gt;
|-&lt;br /&gt;
| type || &amp;lt;code&amp;gt;component&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;file&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;language&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;library&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;module&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;package&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;plugin&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;template&amp;lt;/code&amp;gt; || All extensions&lt;br /&gt;
| This attribute describes the type of the extension for the installer. Based on this type further requirements to sub-tags apply.&lt;br /&gt;
|-&lt;br /&gt;
| version&lt;br /&gt;
| &amp;lt;code&amp;gt;2.5&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;3.0&amp;lt;/code&amp;gt; || All extensions&lt;br /&gt;
| String that identifies the version of Joomla for which this extension is developed.&lt;br /&gt;
|-&lt;br /&gt;
| method&lt;br /&gt;
| &amp;lt;code&amp;gt;install&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;upgrade&amp;lt;/code&amp;gt; || All extensions&lt;br /&gt;
| The default value &amp;lt;code&amp;gt;install&amp;lt;/code&amp;gt; will be also used if the method attribute is not used. The &amp;lt;code&amp;gt;install&amp;lt;/code&amp;gt; value means the installer will gracefully stop if it finds any existing file/folder of the new extension.&lt;br /&gt;
|-&lt;br /&gt;
| client&lt;br /&gt;
| &amp;lt;code&amp;gt;site&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;administrator&amp;lt;/code&amp;gt; || Modules&lt;br /&gt;
| The client attribute allows you to specify for which application client the new module is available.&lt;br /&gt;
|-&lt;br /&gt;
| group&lt;br /&gt;
| &#039;&#039;string&#039;&#039; || Plugins&lt;br /&gt;
| The group name specifies for which group of plugins the new plugin is available. The existing groups are the folder names within the directory &amp;lt;tt&amp;gt;/plugins&amp;lt;/tt&amp;gt;. The installer will create new folder names for group names that do not exist yet.&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
=== Metadata ===&lt;br /&gt;
&lt;br /&gt;
The following elements can be used to insert metadata. None of these elements are required; if they are present, they must be a child of the root element.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;pre&amp;gt;&lt;br /&gt;
&amp;lt;name&amp;gt; &amp;amp;ndash; raw component name (e.g. com_banners). &lt;br /&gt;
&amp;lt;author&amp;gt; &amp;amp;ndash; author&#039;s name (e.g. Joomla! Project)&lt;br /&gt;
&amp;lt;creationDate&amp;gt; &amp;amp;ndash; date of creation or release (e.g. April 2006)&lt;br /&gt;
&amp;lt;copyright&amp;gt; &amp;amp;ndash; a copyright statement (e.g. (C) 2005 - 2011 Open Source Matters. All rights reserved.)&lt;br /&gt;
&amp;lt;license&amp;gt; &amp;amp;ndash; a license statement (e.g. NU General Public License version 2 or later; see LICENSE.txt)&lt;br /&gt;
&amp;lt;authorEmail&amp;gt; &amp;amp;ndash; author&#039;s email address (e.g. admin@joomla.org)&lt;br /&gt;
&amp;lt;authorUrl&amp;gt; &amp;amp;ndash; URL to the author&#039;s website (e.g. www.joomla.org)&lt;br /&gt;
&amp;lt;version&amp;gt; &amp;amp;ndash; the version number of the extension (e.g. 1.6.0)&lt;br /&gt;
&amp;lt;description&amp;gt; &amp;amp;ndash; the description of the component. This is a translatable field. (e.g. COM_BANNERS_XML_DESCRIPTION)&lt;br /&gt;
&amp;lt;/pre&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Note: The &amp;lt;name&amp;gt; and &amp;lt;description&amp;gt; tags are also translatable fields so that the name and description of the extension can be shown to the user in their native language.&lt;br /&gt;
&lt;br /&gt;
=== Front-end files ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;files folder=&amp;quot;from-folder&amp;quot;&amp;gt;&lt;br /&gt;
		&amp;lt;filename&amp;gt;example.php&amp;lt;/filename&amp;gt;&lt;br /&gt;
		&amp;lt;folder&amp;gt;examples&amp;lt;/folder&amp;gt;&lt;br /&gt;
	&amp;lt;/files&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Files to copy to the front-end directory should be placed in the &amp;lt;code&amp;gt;&amp;lt;files&amp;gt;&amp;lt;/code&amp;gt; element. You can use the optional &amp;lt;code&amp;gt;folder&amp;lt;/code&amp;gt; attribute to specify a directory &#039;&#039;&#039;in the ZIP package&#039;&#039;&#039; to copy &#039;&#039;&#039;from&#039;&#039;&#039;. Each file to copy must be represented by a &amp;lt;code&amp;gt;&amp;lt;filename&amp;gt;&amp;lt;/code&amp;gt; element. If you want to copy an entire folder at once, you can define it as a &amp;lt;code&amp;gt;&amp;lt;folder&amp;gt;&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
=== Media files ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;gt;&lt;br /&gt;
	&amp;lt;media folder=&amp;quot;media&amp;quot; destination=&amp;quot;com_example&amp;quot;&amp;gt;&lt;br /&gt;
		&amp;lt;filename&amp;gt;com_example_logo.png&amp;lt;/filename&amp;gt;&lt;br /&gt;
		&amp;lt;folder&amp;gt;css&amp;lt;/folder&amp;gt;&lt;br /&gt;
		&amp;lt;folder&amp;gt;js&amp;lt;/folder&amp;gt;&lt;br /&gt;
	&amp;lt;/media&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
This example will copy the file(s) (&amp;lt;tt&amp;gt;/media/com_example_logo.png&amp;lt;/tt&amp;gt;) and folders ( &amp;lt;tt&amp;gt;/media/css/&amp;lt;/tt&amp;gt; and &amp;lt;tt&amp;gt;/media/js/&amp;lt;/tt&amp;gt; ) listed to &amp;lt;tt&amp;gt;/media/com_example/&amp;lt;/tt&amp;gt;, creating the &amp;lt;tt&amp;gt;com_example&amp;lt;/tt&amp;gt; folder if required. You can use the optional &amp;lt;code&amp;gt;folder&amp;lt;/code&amp;gt; attribute to specify a directory &#039;&#039;&#039;in the ZIP package&#039;&#039;&#039; to copy &#039;&#039;&#039;from&#039;&#039;&#039; (in this case, &amp;lt;tt&amp;gt;media&amp;lt;/tt&amp;gt;).&lt;br /&gt;
&lt;br /&gt;
Extensions should be storing assets they need to be web accessible (JS, CSS, images etc) in &amp;lt;code&amp;gt;media&amp;lt;/code&amp;gt;. Amongst other things this feature was added as step in the progression to multi-site support and the eventual move of code files (PHP) out of the web accessible areas of the server.&lt;br /&gt;
&lt;br /&gt;
Ref:&lt;br /&gt;
* [https://groups.google.com/forum/#!msg/joomla-dev-cms/4CAASJqFY-k/PvPj14gP29EJ Google Groups - joomla-dev-cms thread]&lt;br /&gt;
* [https://groups.google.com/forum/#!msg/joomla-dev-cms/uNmhX98sKbE/p8p68Jke680J Google Groups - joomla-dev-cms thread]&lt;br /&gt;
&lt;br /&gt;
=== Administration section ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;administration&amp;gt;&lt;br /&gt;
		&amp;lt;!-- various elements --&amp;gt;&lt;br /&gt;
	&amp;lt;/administration&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The administration section is defined in the &amp;lt;code&amp;gt;&amp;lt;administration&amp;gt;&amp;lt;/code&amp;gt; element. Since only [[S:MyLanguage/Component|components]] apply to both the [[S:MyLanguage/Site (Application)|site]] and the [[S:MyLanguage/Administrator (Application)|administrator]], &#039;&#039;&#039;only component manifests can include this element&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
==== Back-end files ====&lt;br /&gt;
&lt;br /&gt;
Files to copy to the back-end directory should be placed in the &amp;lt;code&amp;gt;&amp;lt;files&amp;gt;&amp;lt;/code&amp;gt; element under the &amp;lt;code&amp;gt;&amp;lt;administration&amp;gt;&amp;lt;/code&amp;gt;. You can use the optional &amp;lt;code&amp;gt;folder&amp;lt;/code&amp;gt; attribute to specify a directory &#039;&#039;&#039;in the ZIP package&#039;&#039;&#039; to copy &#039;&#039;&#039;from&#039;&#039;&#039;. See &#039;&#039;Front-end files&#039;&#039; for further rules.&lt;br /&gt;
&lt;br /&gt;
==== Menu links and submenus ====&lt;br /&gt;
{{dablink|&#039;&#039;&#039;Version Note:&#039;&#039;&#039; Prior to Joomla 3.4 not having a menu tag in your XML file still led to a menu item being created. This bug was fixed in Joomla 3.4 so if no menu item was created then no admin menu item is created for the component.}}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;menu&amp;gt;COM_EXAMPLE&amp;lt;/menu&amp;gt;&lt;br /&gt;
	&amp;lt;submenu&amp;gt;&lt;br /&gt;
		&amp;lt;!--&lt;br /&gt;
			Note that all &amp;amp; must be escaped to &amp;amp;amp; for the file to be valid&lt;br /&gt;
			XML and be parsed by the installer&lt;br /&gt;
		--&amp;gt;&lt;br /&gt;
		&amp;lt;menu link=&amp;quot;anoption=avalue&amp;amp;amp;anoption1=avalue1&amp;quot;&amp;gt;COM_EXAMPLE_SUBMENU_ANOPTION&amp;lt;/menu&amp;gt;&lt;br /&gt;
		&amp;lt;menu view=&amp;quot;viewname&amp;quot;&amp;gt;COM_EXAMPLE_SUBMENU_VIEWNAME&amp;lt;/menu&amp;gt;&lt;br /&gt;
	&amp;lt;/submenu&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The text for the main menu item for the component is defined in the &amp;lt;code&amp;gt;&amp;lt;menu&amp;gt;&amp;lt;/code&amp;gt; item, a child of &amp;lt;code&amp;gt;&amp;lt;administration&amp;gt;&amp;lt;/code&amp;gt;. A &amp;lt;code&amp;gt;&amp;lt;submenu&amp;gt;&amp;lt;/code&amp;gt; element may also be present (also a child of &amp;lt;code&amp;gt;&amp;lt;administration&amp;gt;&amp;lt;/code&amp;gt;), which may contain more menu items defined by &amp;lt;code&amp;gt;&amp;lt;menu&amp;gt;&amp;lt;/code&amp;gt;.&lt;br /&gt;
&lt;br /&gt;
Additionally, each &amp;lt;code&amp;gt;&amp;lt;menu&amp;gt;&amp;lt;/code&amp;gt; item can define the following attributes:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 150px&amp;quot; | Attribute || Description&lt;br /&gt;
|-&lt;br /&gt;
| link || A link to send the user to when the menu item is clicked&lt;br /&gt;
|-&lt;br /&gt;
| img || The (relative) path to an image (16x16 pixels) to appear beside the menu item. &lt;br /&gt;
&amp;lt;u&amp;gt;Must be an url compatible as a file too (e.g. no spaces) !&amp;lt;/u&amp;gt;&lt;br /&gt;
|-&lt;br /&gt;
| alt ||&lt;br /&gt;
|-&lt;br /&gt;
| &#039;&#039;string&#039;&#039; || An URL parameter to add to the link.  For example, &amp;lt;code&amp;gt;&amp;lt;menu view=&amp;quot;cpanel&amp;quot;&amp;gt;COM_EXAMPLE&amp;lt;/menu&amp;gt;&amp;lt;/code&amp;gt; in com_example&#039;s XML manifest would cause the URL of the menu item to be &amp;lt;tt&amp;gt;index.php?option=com_example&amp;amp;view=cpanel&amp;lt;/tt&amp;gt;.&lt;br /&gt;
|-&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
The value inside the tag is the menu&#039;s label. Unlike Joomla! 1.5, you can not use a natural language string. For example, if you would enter &amp;quot;Example Component&amp;quot; instead of COM_EXAMPLE, it would result in your component name appearing as example-component in the menu and you would be unable to provide a translation. In order to provide a translation you need to create a file named en-GB.com_example.sys.ini in administrator/languages/en-GB (you can use the manifest&#039;s &amp;lt;code&amp;gt;&amp;amp;lt;languages&amp;amp;gt;&amp;lt;/code&amp;gt; tag to copy it during installation) or in administrator/components/com_example/language/en-GB. In the latter case, you must not include the translation file in the &amp;lt;code&amp;gt;&amp;amp;lt;languages&amp;amp;gt;&amp;lt;/code&amp;gt; tag. As long as you have placed the language directory in your &amp;lt;code&amp;gt;&amp;lt;files&amp;gt;&amp;lt;/code&amp;gt; tag, it will be copied along when the component is being installed.&lt;br /&gt;
&lt;br /&gt;
The contents of that file should be:&lt;br /&gt;
&amp;lt;source&amp;gt;&lt;br /&gt;
COM_EXAMPLE=&amp;quot;Example Component&amp;quot;&lt;br /&gt;
COM_EXAMPLE_SUBMENU_ANOPTION=&amp;quot;Another Option&amp;quot;&lt;br /&gt;
COM_EXAMPLE_SUBMENU_VIEWNAME=&amp;quot;Another View&amp;quot;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Please note that the language string must be enclosed in double quotes, as per Joomla!&#039;s translation standards. Important note: Joomla! 1.6 and later sorts the Component menu items based on the actual translation of the key you supply in your XML manifest. This means that the sorting order is correct no matter what you call your translation key and no matter which language the site is being displayed in. Essentially, Joomla! 1.6 fixed the wrong sorting of the Components menu experienced under Joomla! 1.5 for the majority (non-English speaking!) of Joomla! users.&lt;br /&gt;
&lt;br /&gt;
=== Configuration ===&lt;br /&gt;
{{warning|Components &#039;&#039;&#039;do not support&#039;&#039;&#039; configuration definitions &#039;&#039;&#039;in the manifest&#039;&#039;&#039;. This is a way implemented in Joomla! 1.5. They can define configuration options for multiple levels using [[Component configuration metadata]].}}&lt;br /&gt;
The &amp;lt;code&amp;gt;&amp;lt;config&amp;gt;&amp;lt;/code&amp;gt; element, a child of the root, describes the configuration options for the extension. If applicable, the options will be shown by the appropriate Manager (Plugin Manager, Module Manager or Template Manager). &#039;&#039;&#039;Configuration options can also be defined in a separate file named &amp;lt;code&amp;gt;config.xml&amp;lt;/code&amp;gt;. Its root element should be &amp;lt;code&amp;gt;&amp;lt;config&amp;gt;&amp;lt;/code&amp;gt;.&#039;&#039;&#039;&lt;br /&gt;
&lt;br /&gt;
{{:XML JForm form definitions}}&lt;br /&gt;
&lt;br /&gt;
=== SQL ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
    &amp;lt;install&amp;gt;&lt;br /&gt;
        &amp;lt;sql&amp;gt;&lt;br /&gt;
            &amp;lt;file driver=&amp;quot;mysql&amp;quot; charset=&amp;quot;utf8&amp;quot;&amp;gt;sql/example.install.sql&amp;lt;/file&amp;gt;&lt;br /&gt;
        &amp;lt;/sql&amp;gt;&lt;br /&gt;
    &amp;lt;/install&amp;gt;&lt;br /&gt;
    &amp;lt;uninstall&amp;gt;&lt;br /&gt;
        &amp;lt;sql&amp;gt;&lt;br /&gt;
            &amp;lt;file driver=&amp;quot;mysql&amp;quot; charset=&amp;quot;utf8&amp;quot;&amp;gt;sql/example.uninstall.sql&amp;lt;/file&amp;gt;&lt;br /&gt;
        &amp;lt;/sql&amp;gt;&lt;br /&gt;
    &amp;lt;/uninstall&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
In the above example, we put the SQL files in the &amp;lt;tt&amp;gt;admin/sql&amp;lt;/tt&amp;gt; folder of the installation package. You have to include the &amp;lt;tt&amp;gt;sql&amp;lt;/tt&amp;gt; folder in the administration files (as described in &#039;&#039;Back-end files&#039;&#039;).&lt;br /&gt;
&lt;br /&gt;
You can execute SQL during the installation and/or uninstallation using the &amp;lt;code&amp;gt;&amp;lt;install&amp;gt;&amp;lt;/code&amp;gt; and &amp;lt;code&amp;gt;&amp;lt;uninstall&amp;gt;&amp;lt;/code&amp;gt; elements, respectively. A &amp;lt;code&amp;gt;&amp;lt;sql&amp;gt;&amp;lt;/code&amp;gt; element should appear as a child of these elements. &amp;lt;code&amp;gt;&amp;lt;sql&amp;gt;&amp;lt;/code&amp;gt; can contain any number of &amp;lt;code&amp;gt;&amp;lt;file&amp;gt;&amp;lt;/code&amp;gt; elements, each defining a single SQL file to execute. Their database driver types are described by the &amp;lt;code&amp;gt;driver&amp;lt;/code&amp;gt; attribute, their character sets by the &amp;lt;code&amp;gt;charset&amp;lt;/code&amp;gt; attribute.&lt;br /&gt;
&lt;br /&gt;
==== Update of the SQL schema ====&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;update&amp;gt;&lt;br /&gt;
		&amp;lt;schemas&amp;gt;&lt;br /&gt;
			&amp;lt;schemapath type=&amp;quot;mysql&amp;quot;&amp;gt;sql/updates/mysql&amp;lt;/schemapath&amp;gt;&lt;br /&gt;
			&amp;lt;schemapath type=&amp;quot;sqlsrv&amp;quot;&amp;gt;sql/updates/sqlsrv&amp;lt;/schemapath&amp;gt;&lt;br /&gt;
		&amp;lt;/schemas&amp;gt;&lt;br /&gt;
	&amp;lt;/update&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Since 1.6, there is also an &amp;lt;code&amp;gt;&amp;lt;update&amp;gt;&amp;lt;/code&amp;gt; tag, which allows you to provide a series of SQL files to update the current schema.&lt;br /&gt;
&lt;br /&gt;
=== Language files ===&lt;br /&gt;
In Joomla! 1.5, extension developers had to put extension language files in the Joomla! main language file, using the &amp;lt;languages&amp;gt;..&amp;lt;/languages&amp;gt; tag as shown below. &#039;&#039;&#039;This method can still be used in&#039;&#039;&#039; {{rarr|2.5,3.x}}.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;!-- Joomla! 1.5 language tag --&amp;gt;&lt;br /&gt;
&amp;lt;languages folder=&amp;quot;langfiles&amp;quot;&amp;gt;&lt;br /&gt;
	&amp;lt;language tag=&amp;quot;en-GB&amp;quot;&amp;gt;en-GB.com_example.ini&amp;lt;/language&amp;gt;&lt;br /&gt;
&amp;lt;/languages&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Since Joomla! 1.6 it has been encouraged placing your extension&#039;s language files in your extension folder. Joomla! will then automatically load your extension&#039;s language files.&lt;br /&gt;
&lt;br /&gt;
By storing extension language files in the extension folder, you gain the benefit of isolating and protecting your extension&#039;s language files.  For example, an administrator removes a language from their Joomla! installation. Your extension&#039;s language files will not be removed. They will remain in place and will be available if the language is installed again.&lt;br /&gt;
&lt;br /&gt;
The structure of the language folder for frontend and backend is the same. You put them in the language tag (e.g. &#039;&#039;&#039;en-GB&#039;&#039;&#039; ) of each language in your language folder i.e. &#039;&#039;&#039;language/en-GB/&#039;&#039;&#039;. You have to specify those folders in the front-end and back-end files too.&lt;br /&gt;
&lt;br /&gt;
In your manifest you simply include the &#039;&#039;&#039;&#039;language&#039;&#039;&#039;&#039; folder in your files section, the sub-directories for each language automatically be copied. Inside the &amp;lt;files&amp;gt; group you simply add a &amp;lt;folder&amp;gt; element alongside the items in the &#039;&#039;&#039;&amp;lt;files&amp;gt;&#039;&#039;&#039; group as shown in this example:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;files&amp;gt;&lt;br /&gt;
	&amp;lt;filename plugin=&amp;quot;alpha&amp;quot;&amp;gt;alpha.php&amp;lt;/filename&amp;gt;&lt;br /&gt;
	&amp;lt;folder&amp;gt;sql&amp;lt;/folder&amp;gt;&lt;br /&gt;
	&amp;lt;folder&amp;gt;language&amp;lt;/folder&amp;gt;&lt;br /&gt;
&amp;lt;/files&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
It is also notable that both ways can work together. Here is an example from core:&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
&amp;lt;files&amp;gt;&lt;br /&gt;
	&amp;lt;filename plugin=&amp;quot;languagecode&amp;quot;&amp;gt;languagecode.php&amp;lt;/filename&amp;gt;&lt;br /&gt;
	&amp;lt;filename&amp;gt;index.html&amp;lt;/filename&amp;gt;&lt;br /&gt;
	&amp;lt;folder&amp;gt;language&amp;lt;/folder&amp;gt;&lt;br /&gt;
&amp;lt;/files&amp;gt;&lt;br /&gt;
&amp;lt;languages&amp;gt;&lt;br /&gt;
	&amp;lt;language tag=&amp;quot;en-GB&amp;quot;&amp;gt;language/en-GB/en-GB.plg_system_languagecode.ini&amp;lt;/language&amp;gt;&lt;br /&gt;
	&amp;lt;language tag=&amp;quot;en-GB&amp;quot;&amp;gt;language/en-GB/en-GB.plg_system_languagecode.sys.ini&amp;lt;/language&amp;gt;&lt;br /&gt;
&amp;lt;/languages&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
The advantages of this solution are the following:&lt;br /&gt;
&lt;br /&gt;
All ini files present in the core folder have precedence over the files in the extension language/ folder.&lt;br /&gt;
For example a sys.ini file will always be loaded from core folders in back-end if it exists, except when installing an extension which contains a sys.ini file in a language folder. In that case and only that case, the sys.ini file in the extension folder will display its translated content at install time. This is very handy as a developer can have 2 sys.ini files with different contents. A description of the successful install as well as a tutorial in back-end for example.&lt;br /&gt;
&lt;br /&gt;
Also, it is much easier for a user needing an ini file for an extension that does not provide it in the language desired, to add it in the main folders. No risk for it to be deleted in case of uninstalling the extension by mistake or any other reason.&lt;br /&gt;
&lt;br /&gt;
See also:&lt;br /&gt;
*[[J2.5:Making non-core language packs|Making non-core language packs]]&lt;br /&gt;
*[[Creating language packs for extensions in Joomla 2.5]]&lt;br /&gt;
&lt;br /&gt;
During development you can turn on language debugging in the Joomla! global configuration. So you can investigate if a problems arises. As of 3.2, this is necessary to help debug as en-GB is &#039;&#039;&#039;always&#039;&#039;&#039; loaded first when not in debug mode to prevent displaying Constants.&lt;br /&gt;
&lt;br /&gt;
=== Script file ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
    &amp;lt;scriptfile&amp;gt;example.script.php&amp;lt;/scriptfile&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
An optional &#039;&#039;&#039;script file&#039;&#039;&#039; (PHP code that is run before, during and/or after installation, uninstallation and upgrading) can be defined using a &amp;lt;code&amp;gt;&amp;lt;scriptfile&amp;gt;&amp;lt;/code&amp;gt; element. This file should contain a class named &amp;quot;&amp;lt;element_name&amp;gt;InstallerScript&amp;quot; where &amp;lt;element_name&amp;gt; is the name of your extension (e.g. com_componentname, mod_modulename, etc.). Plugins requires to state the group (e.g. plgsystempluginname). Library packages do not support scriptfiles. The structure of the class is as follows:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;php&amp;quot;&amp;gt;&lt;br /&gt;
&lt;br /&gt;
class com_componentnameInstallerScript&lt;br /&gt;
{&lt;br /&gt;
	/**&lt;br /&gt;
	 * Constructor&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 */&lt;br /&gt;
	public function __construct(JAdapterInstance $adapter);&lt;br /&gt;
	&lt;br /&gt;
	/**&lt;br /&gt;
	 * Called before any type of action&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   string  $route  Which action is happening (install|uninstall|discover_install|update)&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 *&lt;br /&gt;
	 * @return  boolean  True on success&lt;br /&gt;
	 */&lt;br /&gt;
	public function preflight($route, JAdapterInstance $adapter);&lt;br /&gt;
	&lt;br /&gt;
	/**&lt;br /&gt;
	 * Called after any type of action&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   string  $route  Which action is happening (install|uninstall|discover_install|update)&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 *&lt;br /&gt;
	 * @return  boolean  True on success&lt;br /&gt;
	 */&lt;br /&gt;
	public function postflight($route, JAdapterInstance $adapter);&lt;br /&gt;
	&lt;br /&gt;
	/**&lt;br /&gt;
	 * Called on installation&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 *&lt;br /&gt;
	 * @return  boolean  True on success&lt;br /&gt;
	 */&lt;br /&gt;
	public function install(JAdapterInstance $adapter);&lt;br /&gt;
	&lt;br /&gt;
	/**&lt;br /&gt;
	 * Called on update&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 *&lt;br /&gt;
	 * @return  boolean  True on success&lt;br /&gt;
	 */&lt;br /&gt;
	public function update(JAdapterInstance $adapter);&lt;br /&gt;
	&lt;br /&gt;
	/**&lt;br /&gt;
	 * Called on uninstallation&lt;br /&gt;
	 *&lt;br /&gt;
	 * @param   JAdapterInstance  $adapter  The object responsible for running this script&lt;br /&gt;
	 */&lt;br /&gt;
	public function uninstall(JAdapterInstance $adapter);&lt;br /&gt;
}&lt;br /&gt;
&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
=== Update servers ===&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;xml&amp;quot;&amp;gt;&lt;br /&gt;
    &amp;lt;updateservers&amp;gt;&lt;br /&gt;
        &amp;lt;server type=&amp;quot;extension&amp;quot; priority=&amp;quot;1&amp;quot; name=&amp;quot;Extension Update Site&amp;quot;&amp;gt;http://example.com/extension.xml&amp;lt;/server&amp;gt;&lt;br /&gt;
        &amp;lt;server type=&amp;quot;collection&amp;quot; priority=&amp;quot;2&amp;quot; name=&amp;quot;Collection Update Site&amp;quot;&amp;gt;http://example.com/collection.xml&amp;lt;/server&amp;gt;&lt;br /&gt;
    &amp;lt;/updateservers&amp;gt;&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;br /&gt;
&lt;br /&gt;
Update servers can be defined in the &amp;lt;code&amp;gt;&amp;lt;updateservers&amp;gt;&amp;lt;/code&amp;gt; element, a child of the root. This element may contain one or more &amp;lt;code&amp;gt;&amp;lt;server&amp;gt;&amp;lt;/code&amp;gt; element, each describing a location to fetch updates from. Each &amp;lt;code&amp;gt;&amp;lt;server&amp;gt;&amp;lt;/code&amp;gt; item can define the following attributes:&lt;br /&gt;
&lt;br /&gt;
{| class=&amp;quot;wikitable&amp;quot;&lt;br /&gt;
! style=&amp;quot;width: 150px&amp;quot; | Attribute || style=&amp;quot;width: 150px&amp;quot; | Values || Description&lt;br /&gt;
|-&lt;br /&gt;
| type || &amp;lt;code&amp;gt;extension&amp;lt;/code&amp;gt;&amp;lt;br /&amp;gt;&amp;lt;code&amp;gt;collection&amp;lt;/code&amp;gt; || The update server type&lt;br /&gt;
|-&lt;br /&gt;
| priority || &#039;&#039;integer&#039;&#039; || The priority of the update server&lt;br /&gt;
|-&lt;br /&gt;
| name || &#039;&#039;string&#039;&#039; || The name of the update server&lt;br /&gt;
|}&lt;br /&gt;
&lt;br /&gt;
More info:&lt;br /&gt;
* [[J2.5:Developing a MVC Component/Adding an update server|Building a Joomla! Extension - Adding an update server]]&lt;br /&gt;
* [[J2.5:Managing Component Updates|Managing Component Updates in Joomla 2.5]]&lt;br /&gt;
&lt;br /&gt;
== Examples ==&lt;br /&gt;
For a real-life example, see [https://github.com/joomla/joomla-cms/blob/2.5.x/administrator/components/com_banners/banners.xml the manifest of the Banner component in the latest version of Joomla! 2.5].&lt;br /&gt;
&lt;br /&gt;
The Joomla testing process uses several extensions to test whether the installer works correctly. The latest versions of the manifests of these extensions are:&lt;br /&gt;
&lt;br /&gt;
* [http://svn.joomla.org/project/cms/development/trunk/tests/_data/installer_packages/com_alpha/alpha.xml com_alpha manifest]&lt;br /&gt;
* [http://svn.joomla.org/project/cms/development/trunk/tests/_data/installer_packages/mod_alpha/mod_alpha.xml mod_alpha manifest]&lt;br /&gt;
* [http://svn.joomla.org/project/cms/development/trunk/tests/_data/installer_packages/plg_system_alpha/alpha.xml plg_system_alpha manifest]&lt;br /&gt;
* [http://svn.joomla.org/project/cms/development/trunk/tests/_data/installer_packages/tpl_simple/templateDetails.xml tpl_simple manifest]&lt;br /&gt;
* [http://svn.joomla.org/project/cms/development/trunk/tests/_data/installer_packages/lng_xx-XX/xx-XX.xml lng_xx-XX manifest]&lt;br /&gt;
&lt;br /&gt;
== Contributors ==&lt;br /&gt;
*[[User:akede|Alex Kempkens]]&lt;br /&gt;
*[[User:dperaza|Daniel Peraza]]&lt;br /&gt;
*[[User:nikosdion|Nicholas K. Dionysopoulos]]&lt;br /&gt;
*[[User:mrs.siam|Prasit Gebsaap]]&lt;br /&gt;
*[[User:cppl|Craig Phillips]]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
[[Category:Extension development]]&lt;br /&gt;
[[Category:Specifications]]&lt;br /&gt;
[[Category:Needs to be marked for translation]]&lt;/div&gt;</summary>
		<author><name>Globulopolis</name></author>
	</entry>
</feed>