The _request() function is used to retrieve the values of variables sent by the site visitor, either through a URL or through a posted form.

$name = _request('name');

Security principles

These functions must not be located just anywhere amongst the SPIP files, in order to be able to carefully restrict the possible locations likely to be targeted for pirating. The elements provided by user input must only be retrievable from

  • action files (in the action/ directory),
  • the private zone display files (in the exec/ directory),
  • some very rare dynamic tag functions (in the balise/ directory), or
  • in the files that process web forms (in the formulaires/ directory).

As an additional general rule, it is necessary to verify that the variable type received is indeed in the expected format (to eliminate any risk of hacking, even if SPIP already performs a first level cleaning of input data): for example, if you expect a number, then you must apply the intval() function (which will transform any text into its numeric value):

if ($identifiant = _request('identifier')){
	$identifier = intval($identifier);

Retrieval from a table

If you want to retrieve only certain specific values that exist in a table, you can pass that table as a second parameter:

// retrieve if there is a $table['name']
$name = _request('name', $table);


Retrieve only from the values that were passed in the URL:

$name = _request('name', $_GET);

Author Mark Baber Published : Updated : 12/03/23

Translations : English, français, Nederlands