JRequest::checkToken() replacement


Cliff Ford

Nov 7, 2011, 4:57:42 AM
to joomla-de...@googlegroups.com
I notice that JRequest::checkToken() is deprecated and is triggering Log
warnings in 1.7.2 but I can't find any information on what should be
used instead. Input does appear to have an equivalent function. Any
suggestions?

Cliff

Nicholas K. Dionysopoulos

Nov 7, 2011, 5:03:02 AM
to joomla-de...@googlegroups.com
Hello Cliff,

You can always do this:

if (!JRequest::getVar(JUtility::getToken(), false)) {
    // CSRF check failed; show a 403
    JError::raiseError('403', JText::_('Request Forbidden'));
}

You get the idea :)

Best regards,

-- 
Nicholas K. Dionysopoulos
Lead Developer, AkeebaBackup.com
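
The token check in the post above, written out end to end as an added example that is not part of the original post and is not Joomla's code. JRequest::getVar() without a hash argument reads the merged request data, so the snippet above also accepts the token from the query string, whereas JRequest::checkToken() defaults to POST; this sketch consults the POST body only. The function names and the 'form.token' session key are hypothetical, and PHP 7 or later is assumed.

```php
<?php
// Added illustration in plain PHP; function names are hypothetical, not Joomla API.

/** Return the per-session form token, creating it on first use. */
function formToken(array &$session): string
{
    if (empty($session['form.token'])) {
        $session['form.token'] = bin2hex(random_bytes(16));
    }
    return $session['form.token'];
}

/** Hidden field in the style used above: the token is the field NAME, the value is 1. */
function tokenField(array &$session): string
{
    return '<input type="hidden" name="' . formToken($session) . '" value="1" />';
}

/**
 * Accept a state-changing request only if it is a POST whose body carries
 * the session's token. Only the POST body is consulted, which keeps tokens
 * out of URLs, server logs and Referer headers.
 */
function checkFormToken(string $method, array $post, array $session): bool
{
    if (strtoupper($method) !== 'POST' || empty($session['form.token'])) {
        return false;
    }
    return isset($post[$session['form.token']])
        && $post[$session['form.token']] === '1';
}

// Constructed demo: one session, three requests.
$session = [];
$token   = formToken($session);
echo tokenField($session), "\n";
var_dump(checkFormToken('POST', [$token => '1', 'task' => 'save'], $session)); // form post with token
var_dump(checkFormToken('GET', [$token => '1'], $session));                    // token sent by GET
var_dump(checkFormToken('POST', ['task' => 'save'], $session));                // post without token
```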


Cliff Ford

Nov 7, 2011, 6:12:05 AM
to joomla-de...@googlegroups.com
JRequest::getVar() is deprecated too! And my first message should have
said 'Input does NOT have an equivalent function' [to
JRequest::checkToken()]. And JUtility::getToken() is also deprecated. So
what can we use that is not deprecated?

Cliff


Nicholas K. Dionysopoulos

Nov 7, 2011, 6:15:26 AM
to joomla-de...@googlegroups.com
Hi Cliff,

JRequest shouldn't go away any time soon. Before this happens, we will have to use JInput throughout the MVC architecture, then update all custom code in the CMS to no longer use JRequest either. I don't expect that to be realistically feasible before Joomla! 3.1 (January 2013). Of course, that's my 2 cents, depending on my understanding of how the Platform works :)

-- 
Nicholas K. Dionysopoulos
Lead Developer, AkeebaBackup.com

Phill Brown

Nov 7, 2011, 6:19:48 AM
to joomla-de...@googlegroups.com
I have been using something like this

        $input = new JInput();
        $inputParts = $input->getArray(array(
            'view' => 'cmd',
            'tmpl' => 'cmd',
            'user_id' => 'int',
            'Itemid' => 'int'
        ));


You could probably add a token check in there


        $input = new JInput();
        $inputParts = $input->getArray(array(
            'view' => 'cmd',
            JUtility::getToken() => 'bool',
            'tmpl' => 'cmd',
            'user_id' => 'int',
            'Itemid' => 'int'
        ));

Regards,

Phill Brown
M  04 2481 9754
Bathurst Software Solutions

ced1870

Nov 7, 2011, 6:43:03 AM
to Joomla! General Development
Hi,
I'm reading this with interest, and I have one question: where did
you find the information that JRequest is now deprecated in 1.7?
Regards
CEd

Cliff Ford

Nov 7, 2011, 7:10:54 AM
to joomla-de...@googlegroups.com
I was stepping through the code with the debugger and came across calls
to log deprecation warnings. The following is line 36 of
libraries/joomla/environment/request.php in my 1.7.2 development
installation (just by way of example):

* @deprecated 12.1 Get the JInput object from the application instead

Cliff

ced1870

Nov 7, 2011, 7:24:09 AM
to Joomla! General Development
OK! Thank you,
but in the doc (wiki) there is no information about this, and the
JInput method is only documented for the platform, not for Joomla 1.6
or 1.7 ...
That's strange.
CEd

rolandd

Nov 8, 2011, 6:17:43 AM
to joomla-de...@googlegroups.com
Also have a look at this wiki page: http://docs.joomla.org/JInput_Background_for_Joomla_Platform

ced1870

Nov 8, 2011, 6:39:24 AM
to Joomla! General Development
Oh, really interesting article! Thank you, I just noticed that
point:
"chose to release a 1.7.1 that included this so developers can use it
now. Otherwise, at this point in time, it is best to still use
JRequest."

so for now, I'm going to keep my JRequest use ;)
CEd

On 8 nov, 06:17, rolandd <rdalmul...@gmail.com> wrote:
> Also have a look at this wiki page <http://docs.joomla.org/JInput_Background_for_Joomla_Platform>.

Stephen Brandon

Jan 11, 2012, 6:20:41 PM
to Joomla! General Development
Just checking, now that Joomla 2.5b2 is out:

is JRequest::checkToken still deprecated?

I see that this is still used in almost every core component, and there does not seem to be an alternative. The deprecation notice in the checkToken method has been removed, but there's a deprecation notice on the entire JRequest class.

At this point I'm assuming that there is no alternative but to use it, but confirmation of this would be very useful - thanks!

Stephen


Rouven Weßling

Jan 11, 2012, 6:48:50 PM
to joomla-de...@googlegroups.com
You're correct. I can all but guarantee you that Joomla 3.0 will still have JRequest around (not just for this reason)

Rouven

Mark Dexter

Jan 11, 2012, 7:16:28 PM
to joomla-de...@googlegroups.com
+1. Mark

elin

Jan 11, 2012, 7:16:35 PM
to joomla-de...@googlegroups.com
All that a deprecation notice does is tell you that this is something that will be removed in the future. It is giving you advance warning. It does not tell you when, just that you should be aware and prepare. Obviously it won't be removed until all of the APIs of JRequest are supported. But in the meantime, first you should be using JInput where you can now and second people can be thinking about code contributions to finish the work of JInput and also to make things as seamless as possible when JRequest is removed.

Elin

Mark Dexter

Jan 11, 2012, 7:23:26 PM
to joomla-de...@googlegroups.com
In my opinion, this is a case of premature deprecation. It seems to me we should only deprecate a class when (a) we are not using it anywhere in core and (b) we have a complete replacement for all of its public methods. Neither of these conditions applies in this case. This instance seems more like "we'd like to get rid of this class some day" rather than "we are getting rid of this class and you should be using xyz instead".

Just my .02. Mark


Rouven Weßling

Jan 11, 2012, 7:23:38 PM
to joomla-de...@googlegroups.com
As a note since not everyone has read this yet probably:

JInput has the major issue right now that it can't deal correctly with servers where magic_quotes_gpc is turned on. Extension developers need to be really careful when using JInput since stuff may break unexpectedly based on the state of that parameter.

For Joomla 3.0 we'll probably just require magic_quotes_gpc to be off.

Rouven

Stephen Brandon

Jan 11, 2012, 7:46:28 PM
to joomla-de...@googlegroups.com
Ok, that puts a spanner in the works again - just when I thought I was on the right track with converting all my JRequests to use JInput, but keep using JRequest::checkToken...

This problem with magic_quotes_gpc sounds like a real killer. What does it mean to be "really careful" as a developer? It actually sounds like since there's no cure for the problem, that things are going to break with magic_quotes_gpc and JInput, and there may be nothing that I can do about it as a developer. Maybe all I can do is put up big warnings for users of my extensions, if magic_quotes_gpc is set, telling people to change it?

Anyway, I really appreciate your input on this Rouven. Thanks for all the info. Can you point to any other discussions about the magic_quotes_gpc issue?

Off to revert all my latest code changes, and go back to JRequest again...

Cheers,
Stephen

Rouven Weßling

Jan 11, 2012, 7:50:03 PM
to joomla-de...@googlegroups.com
Starting with this beta the Joomla installation recommends that magic_quotes_gpc is off. Flashing a big warning in your extension's configuration sounds like a good step to me.

Rouven
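
What the warning discussed in the last few messages could look like, as an added example that is not part of the original thread and is not Joomla's code; it goes one step further and shows what magic_quotes_gpc does to submitted data and how an extension can normalise its own copy of the input without changing server settings. All function names are hypothetical and the sample input is constructed; PHP 7.1 or later is assumed, with a guard because get_magic_quotes_gpc() no longer exists in PHP 8.

```php
<?php
// Added illustration in plain PHP; function names are hypothetical, not Joomla API.

/** True when PHP applies magic quotes to GET/POST/COOKIE data. */
function magicQuotesActive(): bool
{
    // get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/** Text for the extension's configuration screen, or null when nothing is wrong. */
function magicQuotesWarning(): ?string
{
    if (!magicQuotesActive()) {
        return null;
    }
    return 'magic_quotes_gpc is enabled on this server. Submitted text may arrive '
         . 'with extra backslashes; ask your host to turn the setting off.';
}

/** What the setting does to request data: addslashes() on every value. */
function simulateMagicQuotes($value)
{
    return is_array($value) ? array_map('simulateMagicQuotes', $value) : addslashes($value);
}

/** Undo it on the extension's own copy of the input, leaving server settings alone. */
function stripQuotes($value)
{
    return is_array($value) ? array_map('stripQuotes', $value) : stripslashes($value);
}

// Constructed demo input, as a form would submit it.
$submitted  = ['title' => "O'Reilly", 'tags' => ['say "hi"', 'a\\b']];
$asReceived = simulateMagicQuotes($submitted);   // what the script sees with the setting on
$normalised = stripQuotes($asReceived);

var_dump($asReceived['title']);        // the value with the added backslash
var_dump($normalised === $submitted);  // whether stripping restored the original
var_dump(magicQuotesWarning());        // warning text, or NULL on this PHP
```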

Alfred Vink

Jan 12, 2012, 7:33:32 AM
to joomla-de...@googlegroups.com
How about adding:

php_value magic_quotes_gpc off

to the .htaccess file ?

Alfred


Rouven Weßling

Jan 12, 2012, 9:44:51 AM
to joomla-de...@googlegroups.com
Since there are security implications when turning this off (when you have other PHP scripts that rely on magic quotes) I'd rather not do that.

Rouven

Niels Braczek

Jan 12, 2012, 11:03:59 AM
to joomla-de...@googlegroups.com
On 12.01.2012 15:44, Rouven Weßling wrote:

> Since there are security implications when turning this off (when you have other PHP scripts that rely on magic quotes) I'd rather not do that.

magic_quotes_gpc has been DEPRECATED as of PHP 5.3.0. Relying on this
feature is highly discouraged.
(http://de.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc)

Regards,
Niels

--
| http://barcamp-wk.de · 1. Barcamp Westküste 2./3. März 2012 |
| http://www.bsds.de · BSDS Braczek Software- und DatenSysteme |
| Webdesign · Webhosting · e-Commerce · Joomla! Content Management |
------------------------------------------------------------------

Rouven Weßling

Jan 12, 2012, 11:12:11 AM
to joomla-de...@googlegroups.com

On 12.01.2012, at 17:03, Niels Braczek wrote:

> On 12.01.2012 15:44, Rouven Weßling wrote:
>
>> Since there are security implications when turning this off (when you have other PHP scripts that rely on magic quotes) I'd rather not do that.
>
> magic_quotes_gpc has been DEPRECATED as of PHP 5.3.0. Relying on this
> feature is highly discouraged.
> (http://de.php.net/manual/en/info.configuration.php#ini.magic-quotes-gpc)

I'm aware of that. But just adding code to disable it to the .htaccess file (which may affect other scripts in the same folder) just doesn't sound like a thing we should do. Imagine what the user says whose server gets vulnerable because we changed a PHP setting without his knowing?

Rouven

elin

Jan 12, 2012, 11:45:57 AM
to joomla-de...@googlegroups.com
Exactly. .htaccess impacts everything not just Joomla. There are lots and lots of people out there with older applications they need to run.

Elin