====== Checking of passed variables ======

Variables passed to PHP scripts can easily be manipulated by an attacker: it is enough to edit the URL in the browser so that the variable carries a different value. For this reason it is very important that every passed variable is checked for an appropriate value before the script uses it.

Admidio generally processes all passed **$_GET** and **$_POST** variables with the functions [[https://secure.php.net/manual/en/function.strip-tags.php|strip_tags]] and [[https://secure.php.net/manual/en/function.addslashes.php|addslashes]]. This prevents HTML code from being placed in a variable on the one hand, and SQL injection on the other.

To check a passed variable, the function **admFuncVariableIsValid** is available. The checked value should then be assigned to a new local variable with the prefix **get**. If the passed variable is named **$_GET['headline']**, the local variable should be named **$getHeadline**. That way you can see directly in the code that the value comes from a passed variable and that its content must be handled with corresponding care.

===== Function admFuncVariableIsValid =====

''File:'' **adm_program/system/function.php**\\
''Version:'' **2.3**

=== Description ===

The function checks a variable from an array for plausible values. The check can be refined with further parameters.

<code php>
value admFuncVariableIsValid($array, $variableName, $type, $defaultValue = null, $requireValue = false, $validValues = null, $directOutput = false)
</code>

=== Parameter ===

  * **array** The array (for example ''$_GET'' or ''$_POST'') which contains the variable to be checked
  * **variableName** Name of the variable from the //array// which is to be checked
  * **type** Type of the variable: ''numeric'', ''string'', ''boolean'' or ''file''. Depending on the type, different checks are made on the value of the variable, and a notice may be output if the variable does not match the type
  * **defaultValue** If no value for the variable is passed to the script, the variable is initialized with this value
  * **requireValue** If this is set to //true//, a message is shown if the variable was passed without a value
  * **validValues** An array of valid values for the variable. If the passed value is not contained in this array, a notice is issued
  * **directOutput** If this is set to //true//, the error message is not returned as an HTML page; instead the error text is output unformatted directly via **echo**

=== Return ===

The function returns the value of the variable. For texts, the function additionally runs strip_tags, which removes HTML tags.

=== Examples ===

<code php>
// Number, optionally initialized to 0
$getDatId = admFuncVariableIsValid($_GET, 'dat_id', 'numeric', 0);

// Text, optionally initialized with DAT_DATES
$getHeadline = admFuncVariableIsValid($_GET, 'headline', 'string', $gL10n->get('DAT_DATES'));

// Text, optionally initialized with 'actual'; only the values 'actual' and 'old' are allowed
$getMode = admFuncVariableIsValid($_GET, 'mode', 'string', 'actual', false, array('actual', 'old'));
</code>
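As an added illustration, not Admidio's own implementation, the following minimal validator has the same parameter layout as admFuncVariableIsValid and makes each documented check (type, default, requireValue, validValues, directOutput) visible when run against a constructed request; the function name ''exampleVariableIsValid'' is hypothetical, and the ''file'' type is left out.

```php
<?php
// Added illustration, not Admidio's own code: a minimal validator with the
// parameter layout of admFuncVariableIsValid (the 'file' type is omitted).
function exampleVariableIsValid(array $array, string $variableName, string $type,
    $defaultValue = null, bool $requireValue = false, ?array $validValues = null,
    bool $directOutput = false)
{
    $fail = function (string $message) use ($directOutput) {
        if ($directOutput) { echo $message; exit; }   // plain text, no HTML page
        throw new InvalidArgumentException($message); // stand-in for the error page
    };
    // Missing or empty: fall back to the default unless a value is required
    if (!isset($array[$variableName]) || $array[$variableName] === '') {
        if ($requireValue) { $fail("$variableName is required"); }
        return $defaultValue;
    }
    $value = $array[$variableName];

    switch ($type) {
        case 'numeric':
            if (!is_numeric($value)) { $fail("$variableName must be numeric"); }
            $value += 0;                               // casts "12" to 12, "1.5" to 1.5
            break;
        case 'boolean':                                // accepts 1/0, true/false, yes/no, on/off
            $value = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
            if ($value === null) { $fail("$variableName must be boolean"); }
            break;
        case 'string':
            $value = strip_tags((string) $value);      // texts lose their HTML tags
            break;
        default:
            $fail("unknown type $type");
    }

    // Whitelist check: only values listed in validValues pass
    if ($validValues !== null && !in_array($value, $validValues, true)) {
        $fail("$variableName has an invalid value");
    }
    return $value;
}

// Constructed request parameters, as they could be edited in the browser URL
$request = ['dat_id' => '12abc', 'headline' => '<b>Dates</b>', 'mode' => 'delete'];
echo exampleVariableIsValid($request, 'headline', 'string', 'DAT_DATES'), "\n";
echo exampleVariableIsValid(['x' => ''], 'x', 'numeric', 0), "\n";
try { exampleVariableIsValid($request, 'dat_id', 'numeric', 0); }
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
try { exampleVariableIsValid($request, 'mode', 'string', 'actual', false, ['actual', 'old']); }
catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
```

The two ''try'' blocks show the rejected cases: a non-numeric ''dat_id'' and a ''mode'' outside the whitelist, which is exactly where the ''$getMode'' example above relies on ''validValues''.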