Is JRequest::getVar('Variable') safe or not in Joomla?


I want to know whether the JRequest::getVar() function is good enough to prevent SQL injection or XSS, or whether it is better to use something else to prevent XSS or SQL injection in Joomla sites.


Answer by Marko D:

Assuming you are developing for Joomla 2.5+, you are not supposed to use JRequest anymore, as it is deprecated.

The new way of getting request variables is like this:

$jinput = JFactory::getApplication()->input;
// expecting integer, default 0
$user_id = $jinput->post->get('user_id', 0, 'INT');
// expecting string, default empty string
$user_name = $jinput->post->get('user_name', '', 'STRING');

The third parameter of get() is the filter, so if you know you want e.g. an integer to be returned, set the appropriate filter.

Note that for using JInput, magic quotes must be turned off.

To protect from SQL injection, use:

$db = JFactory::getDbo();
// $value is not safe
$value = $db->quote($value);

And against XSS:

$filter = JFilterInput::getInstance();
// $value is not safe
$value = $filter->clean($value);

After reading your comments, I just want to add that there are no "bad characters" per se. Also, filtering against SQL injection and filtering against XSS are very different things. For a better understanding of filtering and escaping, refer to The Great Escapism.
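To show how the three pieces of the answer fit together in one request (filtered input, quoted SQL, escaped output), here is an added example written for this page; it is not code from the answer or from Joomla itself. It uses the Joomla 2.5/3.x legacy class names the answer uses (JFactory, JInput, JFilterInput). The helper class DemoSearchHelper, the table #__demo_items and its columns are hypothetical. It also goes a step beyond the answer on two points a practitioner runs into immediately: $db->quote() only protects string literals, so a column name taken from the request has to be whitelisted and wrapped with quoteName() instead; and the 'STRING' input filter strips tags but does not HTML-encode, so output still needs htmlspecialchars().

```php
<?php
// Added example, not part of the original answer or of Joomla.
// Assumes Joomla 2.5/3.x legacy class names. The helper class, the table
// #__demo_items and its columns id, title, catid, created are hypothetical.
defined('_JEXEC') or die;

class DemoSearchHelper
{
    /** Columns a request may sort by. Identifiers cannot be quoted, only whitelisted. */
    private static $orderable = array('title', 'created');

    /**
     * Reads the request, runs a filtered query and returns an HTML fragment.
     * Returns the fragment instead of echoing it so a view can place it.
     */
    public static function renderSearch()
    {
        $input = JFactory::getApplication()->input;
        $db    = JFactory::getDbo();

        // 1. Input filtering: choose the narrowest filter that fits the field.
        // 'INT' casts, so "42 OR 1=1" arrives as 42.
        // 'STRING' strips HTML tags but leaves quotes, % and _ untouched, so it
        // does not make the value safe for SQL or for HTML attributes.
        // 'CMD' allows only [A-Za-z0-9_.-], a good fit for a sort key.
        $catId = $input->get('catid', 0, 'INT');
        $term  = $input->get('term', '', 'STRING');
        $order = $input->get('order', 'title', 'CMD');

        // A column name is an identifier, not a literal: quote() would turn it
        // into the string 'title' and break the query, so whitelist it instead.
        if (!in_array($order, self::$orderable, true)) {
            $order = 'title';
        }

        // 2. SQL: quote() every value, quoteName() every identifier.
        // The vulnerable form the answer warns about, kept only for contrast:
        //   "WHERE title LIKE '%" . $term . "%'"   // term = "%' OR '1'='1" escapes the literal
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'title')))
            ->from($db->quoteName('#__demo_items'))
            ->where($db->quoteName('catid') . ' = ' . (int) $catId)
            ->order($db->quoteName($order) . ' ASC');

        if ($term !== '') {
            // escape($text, true) escapes quotes AND the LIKE wildcards % and _,
            // so the user cannot widen the match. quote(..., false) then wraps
            // the already-escaped text without escaping it a second time.
            $like = $db->quote('%' . $db->escape($term, true) . '%', false);
            $query->where($db->quoteName('title') . ' LIKE ' . $like);
        }

        $db->setQuery($query);
        $rows = $db->loadObjectList();

        // 3. XSS: input filtering (step 1) does not replace output escaping.
        // Encode each value at the point it is written into HTML, including
        // values that came from the database, which may have been stored by
        // code that filtered less strictly than this.
        $html = '<p>Results for ' . self::esc($term) . '</p>' . "\n" . '<ul>' . "\n";
        foreach ($rows as $row) {
            $html .= '<li>' . self::esc($row->title) . '</li>' . "\n";
        }
        $html .= '</ul>' . "\n";

        return $html;
    }

    /** HTML-escapes a value for use in element content or a quoted attribute. */
    private static function esc($value)
    {
        return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
}
```

The division of labour is the point of the example: the input filter limits what shape a value can have, quote()/quoteName() (and the whitelist for the sort column) make the query unambiguous regardless of the value's content, and htmlspecialchars() makes the output unambiguous for the browser. None of the three steps substitutes for the other two, which is what the answer means by filtering against SQL injection and XSS being different things.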