I am developing a joomla component and I want to know what is the best secure way to POST and GET data through a form submit.
<form action="index.php?<?php echo JUtility::getToken()?>=1" method="post" name="adminForm">
<input type="hidden" name="option" value="<?php echo OPTIOIN_NAME; ?>" />
<input type="hidden" name="task" value="save" />
<input type="hidden" name="controller" value="mycontroller" />
<input type="hidden" name="id" value="<?php echo $this->my_data->id; ?>" />
<?php echo JHTML::_('form.token');?>
//my code is here
</form>
model.php
function getPostData(){
if (!JRequest::checkToken('REQUEST')) {
// return 403 error
JError::raiseError(403, JText::_('ALERTNOAUTH'));
// belt and braces approach to guarantee the script stops
jexit('Invalid Token');
}
$this->_data->id = JRequest::getVar('id', 0, 'POST', 'INT');
//....
}
This is the way I am sending data and I don’t know this is a good method or not. Please Help.
I think this method you use is ok. Just one thing: if you’re getting the data from POST, I guess your token will be available in POST too, so your call to JRequest::checkToken( ‘REQUEST’ ) could be changed to JRequest::checkToken( ‘post’ ).
Another important thing is that you should always use $db->Quote() method if your manually crafting database queries using vars from request.
Finally, as Thilo said, you should use HTTPS for “critical” transactions such as payments.
I hope it helped!