Getting data from web forms is the single riskiest action in a web application. Unfortunately, it's also the single most useful function in a web application.
We've already seen that Moodle helps with form data by escaping quoted strings that come in through the form $_GET and $_POST constructs. However, you don't ever need to access these constructs directly in Moodle and, in fact, shouldn't. Instead, either build all of your data input forms using the Moodle formslib library or use the required_param and optional_param functions.
Both formslib and the param functions use defined parameter types to help control and limit what is entered to what you expect. We will explain how these are used in subsequent paragraphs. However, for reference, the following are some of the most used parameter types (all constants are defined in moodlelib.php):
PARAM_INT, PARAM_INTEGER: Integers only; use when expecting only numbers.
PARAM_NUMBER: A real/floating point number.
PARAM_ALPHA: Contains only...
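The following is an added example, not code from the Moodle documentation or from Moodle itself, showing how a page script reads its input through required_param and optional_param with the parameter types above, and how a formslib form declares the type of each field with setType. It assumes a standard Moodle code tree (config.php at the web root) and a hypothetical script location of local/example/view.php; the parameter names (id, page, sort, threshold), the hypothetical form class and the column whitelist are made up for the illustration.

```php
<?php
// Added example (not Moodle's own code). Assumed location: local/example/view.php,
// so config.php is two directories up. Nothing here touches $_GET or $_POST directly.
require_once(__DIR__ . '/../../config.php');
require_once($CFG->libdir . '/formslib.php');

// required_param(): the value must be present in the request, otherwise Moodle
// stops the script with a "required parameter missing" error. PARAM_INT casts
// the value to an integer, so a string such as "1 OR 1=1" cleans to 1 and never
// reaches a query as SQL text.
$courseid = required_param('id', PARAM_INT);

// optional_param(): the second argument is the default used when the value is
// absent. Cleaning still applies: page=abc cleans to 0 under PARAM_INT.
$page = optional_param('page', 0, PARAM_INT);

// PARAM_ALPHA keeps letters only, so sort=name<script> cleans to "namescript".
// Cleaning limits the character set; it does not know which values are valid,
// so the script still checks the result against the columns it can sort by.
$sort = optional_param('sort', 'name', PARAM_ALPHA);
$allowedsorts = array('name', 'email', 'lastaccess'); // constructed whitelist
if (!in_array($sort, $allowedsorts, true)) {
    $sort = 'name';
}

// PARAM_NUMBER accepts a real/floating point value, e.g. a grade threshold.
$threshold = optional_param('threshold', 0.0, PARAM_NUMBER);

// For comparison, this is what the text says never to do: the raw superglobal
// carries whatever the client sent, with no type check and no cleaning.
// $courseid = $_GET['id'];   // unsafe, do not use

// The formslib alternative: every field declares its type, and get_data()
// returns values that have already been cleaned to that type.
class local_example_form extends moodleform {   // hypothetical class name
    public function definition() {
        $mform = $this->_form;

        $mform->addElement('hidden', 'id');
        $mform->setType('id', PARAM_INT);

        $mform->addElement('text', 'name', 'Name');
        $mform->setType('name', PARAM_TEXT);     // plain text, tags stripped
        $mform->addRule('name', null, 'required', null, 'client');

        $mform->addElement('text', 'threshold', 'Threshold');
        $mform->setType('threshold', PARAM_NUMBER);

        $this->add_action_buttons();
    }
}

$form = new local_example_form();
if ($data = $form->get_data()) {
    // $data->id is an int, $data->name is cleaned text, $data->threshold a number.
    // Use the values; the superglobals were never read by this script.
}
```

Note that cleaning and validation are different steps: PARAM_ALPHA guarantees the sort key contains only letters, but only the whitelist check guarantees it names a real column, which is why the script does both.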