5 files changed, 960 insertions, 0 deletions
diff --git a/phpBB/phpbb/request/deactivated_super_global.php b/phpBB/phpbb/request/deactivated_super_global.php
new file mode 100644
index 0000000000..8f39960477
--- /dev/null
+++ b/phpBB/phpbb/request/deactivated_super_global.php
@@ -0,0 +1,123 @@
+<?php
+/**
+*
+* @package \phpbb\request\request
+* @copyright (c) 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+namespace phpbb\request;
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+	exit;
+}
+
+/**
+* Replacement for a superglobal (like $_GET or $_POST) which calls
+* trigger_error on all operations but isset, overloads the [] operator with SPL.
+*
+* @package \phpbb\request\request
+*/
+class deactivated_super_global implements \ArrayAccess, \Countable, \IteratorAggregate
+{
+	/**
+	* @var	string	Holds the name of the superglobal this is replacing.
+	*/
+	private $name;
+
+	/**
+	* @var	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	Super global constant.
+	*/
+	private $super_global;
+
+	/**
+	* @var	\phpbb\request\request_interface	The request class instance holding the actual request data.
+	*/
+	private $request;
+
+	/**
+	* Constructor generates an error message fitting the super global to be used within the other functions.
+	*
+	* @param	\phpbb\request\request_interface	$request	A request class instance holding the real super global data.
+	* @param	string					$name		Name of the super global this is a replacement for - e.g. '_GET'.
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global	The variable's super global constant.
+	*/
+	public function __construct(\phpbb\request\request_interface $request, $name, $super_global)
+	{
+		$this->request = $request;
+		$this->name = $name;
+		$this->super_global = $super_global;
+	}
+
+	/**
+	* Calls trigger_error with the file and line number the super global was used in.
+	*/
+	private function error()
+	{
+		$file = '';
+		$line = 0;
+
+		$message = 'Illegal use of $' . $this->name . '. You must use the request class or request_var() to access input data. Found in %s on line %d. This error message was generated by deactivated_super_global.';
+
+		$backtrace = debug_backtrace();
+		if (isset($backtrace[1]))
+		{
+			$file = $backtrace[1]['file'];
+			$line = $backtrace[1]['line'];
+		}
+		trigger_error(sprintf($message, $file, $line), E_USER_ERROR);
+	}
+
+	/**
+	* Redirects isset to the correct request class call.
+	*
+	* @param	string	$offset	The key of the super global being accessed.
+	*
+	* @return	bool	Whether the key on the super global exists.
+	*/
+	public function offsetExists($offset)
+	{
+		return $this->request->is_set($offset, $this->super_global);
+	}
+
+	/**#@+
+	* Part of the \ArrayAccess implementation, will always result in a FATAL error.
+	*/
+	public function offsetGet($offset)
+	{
+		$this->error();
+	}
+
+	public function offsetSet($offset, $value)
+	{
+		$this->error();
+	}
+
+	public function offsetUnset($offset)
+	{
+		$this->error();
+	}
+	/**#@-*/
+
+	/**
+	* Part of the \Countable implementation, will always result in a FATAL error
+	*/
+	public function count()
+	{
+		$this->error();
+	}
+
+	/**
+	* Part of the Traversable/IteratorAggregate implementation, will always result in a FATAL error
+	*/
+	public function getIterator()
+	{
+		$this->error();
+	}
+}
+
diff --git a/phpBB/phpbb/request/request.php b/phpBB/phpbb/request/request.php
new file mode 100644
index 0000000000..1c388b3c73
--- /dev/null
+++ b/phpBB/phpbb/request/request.php
@@ -0,0 +1,425 @@
+<?php
+/**
+*
+* @package \phpbb\request\request
+* @copyright (c) 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+namespace phpbb\request;
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+	exit;
+}
+
+/**
+* All application input is accessed through this class.
+*
+* It provides a method to disable access to input data through super globals.
+* This should force MOD authors to read about data validation.
+*
+* @package \phpbb\request\request
+*/
+class request implements \phpbb\request\request_interface
+{
+	/**
+	* @var	array	The names of super global variables that this class should protect if super globals are disabled.
+	*/
+	protected $super_globals = array(
+		\phpbb\request\request_interface::POST => '_POST',
+		\phpbb\request\request_interface::GET => '_GET',
+		\phpbb\request\request_interface::REQUEST => '_REQUEST',
+		\phpbb\request\request_interface::COOKIE => '_COOKIE',
+		\phpbb\request\request_interface::SERVER => '_SERVER',
+		\phpbb\request\request_interface::FILES => '_FILES',
+	);
+
+	/**
+	* @var	array	Stores original contents of $_REQUEST array.
+	*/
+	protected $original_request = null;
+
+	/**
+	* @var
+	*/
+	protected $super_globals_disabled = false;
+
+	/**
+	* @var	array	An associative array that has the value of super global constants as keys and holds their data as values.
+	*/
+	protected $input;
+
+	/**
+	* @var	\phpbb\request\type_cast_helper_interface	An instance of a type cast helper providing convenience methods for type conversions.
+	*/
+	protected $type_cast_helper;
+
+	/**
+	* Initialises the request class, that means it stores all input data in {@link $input input}
+	* and then calls {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
+	*/
+	public function __construct(\phpbb\request\type_cast_helper_interface $type_cast_helper = null, $disable_super_globals = true)
+	{
+		if ($type_cast_helper)
+		{
+			$this->type_cast_helper = $type_cast_helper;
+		}
+		else
+		{
+			$this->type_cast_helper = new \phpbb\request\type_cast_helper();
+		}
+
+		foreach ($this->super_globals as $const => $super_global)
+		{
+			$this->input[$const] = isset($GLOBALS[$super_global]) ? $GLOBALS[$super_global] : array();
+		}
+
+		// simulate request_order = GP
+		$this->original_request = $this->input[\phpbb\request\request_interface::REQUEST];
+		$this->input[\phpbb\request\request_interface::REQUEST] = $this->input[\phpbb\request\request_interface::POST] + $this->input[\phpbb\request\request_interface::GET];
+
+		if ($disable_super_globals)
+		{
+			$this->disable_super_globals();
+		}
+	}
+
+	/**
+	* Getter for $super_globals_disabled
+	*
+	* @return	bool	Whether super globals are disabled or not.
+	*/
+	public function super_globals_disabled()
+	{
+		return $this->super_globals_disabled;
+	}
+
+	/**
+	* Disables access of super globals specified in $super_globals.
+	* This is achieved by overwriting the super globals with instances of {@link \phpbb\request\deactivated_super_global \phpbb\request\deactivated_super_global}
+	*/
+	public function disable_super_globals()
+	{
+		if (!$this->super_globals_disabled)
+		{
+			foreach ($this->super_globals as $const => $super_global)
+			{
+				unset($GLOBALS[$super_global]);
+				$GLOBALS[$super_global] = new \phpbb\request\deactivated_super_global($this, $super_global, $const);
+			}
+
+			$this->super_globals_disabled = true;
+		}
+	}
+
+	/**
+	* Enables access of super globals specified in $super_globals if they were disabled by {@link disable_super_globals disable_super_globals}.
+	* This is achieved by making the super globals point to the data stored within this class in {@link $input input}.
+	*/
+	public function enable_super_globals()
+	{
+		if ($this->super_globals_disabled)
+		{
+			foreach ($this->super_globals as $const => $super_global)
+			{
+				$GLOBALS[$super_global] = $this->input[$const];
+			}
+
+			$GLOBALS['_REQUEST'] = $this->original_request;
+
+			$this->super_globals_disabled = false;
+		}
+	}
+
+	/**
+	* This function allows overwriting or setting a value in one of the super global arrays.
+	*
+	* Changes which are performed on the super globals directly will not have any effect on the results of
+	* other methods this class provides. Using this function should be avoided if possible! It will
+	* consume twice the the amount of memory of the value
+	*
+	* @param	string	$var_name	The name of the variable that shall be overwritten
+	* @param	mixed	$value		The value which the variable shall contain.
+	* 								If this is null the variable will be unset.
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 								Specifies which super global shall be changed
+	*/
+	public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		if (!isset($this->super_globals[$super_global]))
+		{
+			return;
+		}
+
+		$this->type_cast_helper->add_magic_quotes($value);
+
+		// setting to null means unsetting
+		if ($value === null)
+		{
+			unset($this->input[$super_global][$var_name]);
+			if (!$this->super_globals_disabled())
+			{
+				unset($GLOBALS[$this->super_globals[$super_global]][$var_name]);
+			}
+		}
+		else
+		{
+			$this->input[$super_global][$var_name] = $value;
+			if (!$this->super_globals_disabled())
+			{
+				$GLOBALS[$this->super_globals[$super_global]][$var_name] = $value;
+			}
+		}
+
+		if (!$this->super_globals_disabled())
+		{
+			unset($GLOBALS[$this->super_globals[$super_global]][$var_name]);
+			$GLOBALS[$this->super_globals[$super_global]][$var_name] = $value;
+		}
+	}
+
+	/**
+	* Central type safe input handling function.
+	* All variables in GET or POST requests should be retrieved through this function to maximise security.
+	*
+	* @param	string|array	$var_name	The form variable's name from which data shall be retrieved.
+	* 										If the value is an array this may be an array of indizes which will give
+	* 										direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+	* 										then specifying array("var", 1) as the name will return "a".
+	* @param	mixed			$default	A default value that is returned if the variable was not set.
+	* 										This function will always return a value of the same type as the default.
+	* @param	bool			$multibyte	If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
+	*										Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 										Specifies which super global should be used
+	*
+	* @return	mixed	The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+	*					the same as that of $default. If the variable is not set $default is returned.
+	*/
+	public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		return $this->_variable($var_name, $default, $multibyte, $super_global, true);
+	}
+
+	/**
+	* Get a variable, but without trimming strings.
+	* Same functionality as variable(), except does not run trim() on strings.
+	* This method should be used when handling passwords.
+	*
+	* @param	string|array	$var_name	The form variable's name from which data shall be retrieved.
+	* 										If the value is an array this may be an array of indizes which will give
+	* 										direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+	* 										then specifying array("var", 1) as the name will return "a".
+	* @param	mixed			$default	A default value that is returned if the variable was not set.
+	* 										This function will always return a value of the same type as the default.
+	* @param	bool			$multibyte	If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
+	*										Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 										Specifies which super global should be used
+	*
+	* @return	mixed	The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+	*					the same as that of $default. If the variable is not set $default is returned.
+	*/
+	public function untrimmed_variable($var_name, $default, $multibyte, $super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		return $this->_variable($var_name, $default, $multibyte, $super_global, false);
+	}
+
+	/**
+	* Shortcut method to retrieve SERVER variables.
+	*
+	* Also fall back to getenv(), some CGI setups may need it (probably not, but
+	* whatever).
+	*
+	* @param	string|array	$var_name		See \phpbb\request\request_interface::variable
+	* @param	mixed			$Default		See \phpbb\request\request_interface::variable
+	*
+	* @return	mixed	The server variable value.
+	*/
+	public function server($var_name, $default = '')
+	{
+		$multibyte = true;
+
+		if ($this->is_set($var_name, \phpbb\request\request_interface::SERVER))
+		{
+			return $this->variable($var_name, $default, $multibyte, \phpbb\request\request_interface::SERVER);
+		}
+		else
+		{
+			$var = getenv($var_name);
+			$this->type_cast_helper->recursive_set_var($var, $default, $multibyte);
+			return $var;
+		}
+	}
+
+	/**
+	* Shortcut method to retrieve the value of client HTTP headers.
+	*
+	* @param	string|array	$header_name	The name of the header to retrieve.
+	* @param	mixed			$default		See \phpbb\request\request_interface::variable
+	*
+	* @return	mixed	The header value.
+	*/
+	public function header($header_name, $default = '')
+	{
+		$var_name = 'HTTP_' . str_replace('-', '_', strtoupper($header_name));
+		return $this->server($var_name, $default);
+	}
+
+	/**
+	* Shortcut method to retrieve $_FILES variables
+	*
+	* @param string $form_name The name of the file input form element
+	*
+	* @return array The uploaded file's information or an empty array if the
+	* variable does not exist in _FILES.
+	*/
+	public function file($form_name)
+	{
+		return $this->variable($form_name, array('name' => 'none'), false, \phpbb\request\request_interface::FILES);
+	}
+
+	/**
+	* Checks whether a certain variable was sent via POST.
+	* To make sure that a request was sent using POST you should call this function
+	* on at least one variable.
+	*
+	* @param	string	$name	The name of the form variable which should have a
+	*							_p suffix to indicate the check in the code that creates the form too.
+	*
+	* @return	bool			True if the variable was set in a POST request, false otherwise.
+	*/
+	public function is_set_post($name)
+	{
+		return $this->is_set($name, \phpbb\request\request_interface::POST);
+	}
+
+	/**
+	* Checks whether a certain variable is set in one of the super global
+	* arrays.
+	*
+	* @param	string	$var	Name of the variable
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	*							Specifies the super global which shall be checked
+	*
+	* @return	bool			True if the variable was sent as input
+	*/
+	public function is_set($var, $super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		return isset($this->input[$super_global][$var]);
+	}
+
+	/**
+	* Checks whether the current request is an AJAX request (XMLHttpRequest)
+	*
+	* @return	bool			True if the current request is an ajax request
+	*/
+	public function is_ajax()
+	{
+		return $this->header('X-Requested-With') == 'XMLHttpRequest';
+	}
+
+	/**
+	* Checks if the current request is happening over HTTPS.
+	*
+	* @return	bool			True if the request is secure.
+	*/
+	public function is_secure()
+	{
+		return $this->server('HTTPS') == 'on';
+	}
+
+	/**
+	* Returns all variable names for a given super global
+	*
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	*					The super global from which names shall be taken
+	*
+	* @return	array	All variable names that are set for the super global.
+	*					Pay attention when using these, they are unsanitised!
+	*/
+	public function variable_names($super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		if (!isset($this->input[$super_global]))
+		{
+			return array();
+		}
+
+		return array_keys($this->input[$super_global]);
+	}
+
+	/**
+	* Helper function used by variable() and untrimmed_variable().
+	*
+	* @param	string|array	$var_name	The form variable's name from which data shall be retrieved.
+	* 										If the value is an array this may be an array of indizes which will give
+	* 										direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+	* 										then specifying array("var", 1) as the name will return "a".
+	* @param	mixed			$default	A default value that is returned if the variable was not set.
+	* 										This function will always return a value of the same type as the default.
+	* @param	bool			$multibyte	If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
+	*										Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 										Specifies which super global should be used
+	* @param	bool			$trim		Indicates whether trim() should be applied to string values.
+	*
+	* @return	mixed	The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+	*					the same as that of $default. If the variable is not set $default is returned.
+	*/
+	protected function _variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST, $trim = true)
+	{
+		$path = false;
+
+		// deep direct access to multi dimensional arrays
+		if (is_array($var_name))
+		{
+			$path = $var_name;
+			// make sure at least the variable name is specified
+			if (empty($path))
+			{
+				return (is_array($default)) ? array() : $default;
+			}
+			// the variable name is the first element on the path
+			$var_name = array_shift($path);
+		}
+
+		if (!isset($this->input[$super_global][$var_name]))
+		{
+			return (is_array($default)) ? array() : $default;
+		}
+		$var = $this->input[$super_global][$var_name];
+
+		if ($path)
+		{
+			// walk through the array structure and find the element we are looking for
+			foreach ($path as $key)
+			{
+				if (is_array($var) && isset($var[$key]))
+				{
+					$var = $var[$key];
+				}
+				else
+				{
+					return (is_array($default)) ? array() : $default;
+				}
+			}
+		}
+
+		$this->type_cast_helper->recursive_set_var($var, $default, $multibyte, $trim);
+
+		return $var;
+	}
+
+	/**
+	* {@inheritdoc}
+	*/
+	public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST)
+	{
+		return $this->input[$super_global];
+	}
+}
diff --git a/phpBB/phpbb/request/request_interface.php b/phpBB/phpbb/request/request_interface.php
new file mode 100644
index 0000000000..cd949147f7
--- /dev/null
+++ b/phpBB/phpbb/request/request_interface.php
@@ -0,0 +1,151 @@
+<?php
+/**
+*
+* @package \phpbb\request\request
+* @copyright (c) 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+namespace phpbb\request;
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+	exit;
+}
+
+/**
+* An interface through which all application input can be accessed.
+*
+* @package \phpbb\request\request
+*/
+interface request_interface
+{
+	/**#@+
+	* Constant identifying the super global with the same name.
+	*/
+	const POST = 0;
+	const GET = 1;
+	const REQUEST = 2;
+	const COOKIE = 3;
+	const SERVER = 4;
+	const FILES = 5;
+	/**#@-*/
+
+	/**
+	* This function allows overwriting or setting a value in one of the super global arrays.
+	*
+	* Changes which are performed on the super globals directly will not have any effect on the results of
+	* other methods this class provides. Using this function should be avoided if possible! It will
+	* consume twice the the amount of memory of the value
+	*
+	* @param	string	$var_name	The name of the variable that shall be overwritten
+	* @param	mixed	$value		The value which the variable shall contain.
+	* 								If this is null the variable will be unset.
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 								Specifies which super global shall be changed
+	*/
+	public function overwrite($var_name, $value, $super_global = \phpbb\request\request_interface::REQUEST);
+
+	/**
+	* Central type safe input handling function.
+	* All variables in GET or POST requests should be retrieved through this function to maximise security.
+	*
+	* @param	string|array	$var_name	The form variable's name from which data shall be retrieved.
+	* 										If the value is an array this may be an array of indizes which will give
+	* 										direct access to a value at any depth. E.g. if the value of "var" is array(1 => "a")
+	* 										then specifying array("var", 1) as the name will return "a".
+	* @param	mixed			$default	A default value that is returned if the variable was not set.
+	* 										This function will always return a value of the same type as the default.
+	* @param	bool			$multibyte	If $default is a string this paramater has to be true if the variable may contain any UTF-8 characters
+	*										Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	* 										Specifies which super global should be used
+	*
+	* @return	mixed	The value of $_REQUEST[$var_name] run through {@link set_var set_var} to ensure that the type is the
+	*					the same as that of $default. If the variable is not set $default is returned.
+	*/
+	public function variable($var_name, $default, $multibyte = false, $super_global = \phpbb\request\request_interface::REQUEST);
+
+	/**
+	* Shortcut method to retrieve SERVER variables.
+	*
+	* @param	string|array	$var_name		See \phpbb\request\request_interface::variable
+	* @param	mixed			$default		See \phpbb\request\request_interface::variable
+	*
+	* @return	mixed	The server variable value.
+	*/
+	public function server($var_name, $default = '');
+
+	/**
+	* Shortcut method to retrieve the value of client HTTP headers.
+	*
+	* @param	string|array	$header_name	The name of the header to retrieve.
+	* @param	mixed			$default		See \phpbb\request\request_interface::variable
+	*
+	* @return	mixed	The header value.
+	*/
+	public function header($var_name, $default = '');
+
+	/**
+	* Checks whether a certain variable was sent via POST.
+	* To make sure that a request was sent using POST you should call this function
+	* on at least one variable.
+	*
+	* @param	string	$name	The name of the form variable which should have a
+	*							_p suffix to indicate the check in the code that creates the form too.
+	*
+	* @return	bool			True if the variable was set in a POST request, false otherwise.
+	*/
+	public function is_set_post($name);
+
+	/**
+	* Checks whether a certain variable is set in one of the super global
+	* arrays.
+	*
+	* @param	string	$var	Name of the variable
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	*							Specifies the super global which shall be checked
+	*
+	* @return	bool			True if the variable was sent as input
+	*/
+	public function is_set($var, $super_global = \phpbb\request\request_interface::REQUEST);
+
+	/**
+	* Checks whether the current request is an AJAX request (XMLHttpRequest)
+	*
+	* @return	bool			True if the current request is an ajax request
+	*/
+	public function is_ajax();
+
+	/**
+	* Checks if the current request is happening over HTTPS.
+	*
+	* @return	bool			True if the request is secure.
+	*/
+	public function is_secure();
+
+	/**
+	* Returns all variable names for a given super global
+	*
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	*					The super global from which names shall be taken
+	*
+	* @return	array	All variable names that are set for the super global.
+	*					Pay attention when using these, they are unsanitised!
+	*/
+	public function variable_names($super_global = \phpbb\request\request_interface::REQUEST);
+
+	/**
+	* Returns the original array of the requested super global
+	*
+	* @param	\phpbb\request\request_interface::POST|GET|REQUEST|COOKIE	$super_global
+	*					The super global which will be returned
+	*
+	* @return	array	The original array of the requested super global.
+	*/
+	public function get_super_global($super_global = \phpbb\request\request_interface::REQUEST);
+}
diff --git a/phpBB/phpbb/request/type_cast_helper.php b/phpBB/phpbb/request/type_cast_helper.php
new file mode 100644
index 0000000000..262aff73c1
--- /dev/null
+++ b/phpBB/phpbb/request/type_cast_helper.php
@@ -0,0 +1,196 @@
+<?php
+/**
+*
+* @package \phpbb\request\request
+* @copyright (c) 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+namespace phpbb\request;
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+	exit;
+}
+
+/**
+* A helper class that provides convenience methods for type casting.
+*
+* @package \phpbb\request\request
+*/
+class type_cast_helper implements \phpbb\request\type_cast_helper_interface
+{
+
+	/**
+	* @var	string	Whether slashes need to be stripped from input
+	*/
+	protected $strip;
+
+	/**
+	* Initialises the type cast helper class.
+	* All it does is find out whether magic quotes are turned on.
+	*/
+	public function __construct()
+	{
+		if (version_compare(PHP_VERSION, '5.4.0-dev', '>='))
+		{
+			$this->strip = false;
+		}
+		else
+		{
+			$this->strip = (@get_magic_quotes_gpc()) ? true : false;
+		}
+	}
+
+	/**
+	* Recursively applies addslashes to a variable.
+	*
+	* @param	mixed	&$var	Variable passed by reference to which slashes will be added.
+	*/
+	public function addslashes_recursively(&$var)
+	{
+		if (is_string($var))
+		{
+			$var = addslashes($var);
+		}
+		else if (is_array($var))
+		{
+			$var_copy = $var;
+			$var = array();
+			foreach ($var_copy as $key => $value)
+			{
+				if (is_string($key))
+				{
+					$key = addslashes($key);
+				}
+				$var[$key] = $value;
+
+				$this->addslashes_recursively($var[$key]);
+			}
+		}
+	}
+
+	/**
+	* Recursively applies addslashes to a variable if magic quotes are turned on.
+	*
+	* @param	mixed	&$var	Variable passed by reference to which slashes will be added.
+	*/
+	public function add_magic_quotes(&$var)
+	{
+		if ($this->strip)
+		{
+			$this->addslashes_recursively($var);
+		}
+	}
+
+	/**
+	* Set variable $result to a particular type.
+	*
+	* @param mixed	&$result		The variable to fill
+	* @param mixed	$var			The contents to fill with
+	* @param mixed	$type			The variable type. Will be used with {@link settype()}
+	* @param bool	$multibyte		Indicates whether string values may contain UTF-8 characters.
+	* 								Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks.
+	* @param bool	$trim			Indicates whether trim() should be applied to string values.
+	* 								Default is true.
+	*/
+	public function set_var(&$result, $var, $type, $multibyte = false, $trim = true)
+	{
+		settype($var, $type);
+		$result = $var;
+
+		if ($type == 'string')
+		{
+			$result = str_replace(array("\r\n", "\r", "\0"), array("\n", "\n", ''), $result);
+
+			if ($trim)
+			{
+				$result = trim($result);
+			}
+
+			$result = htmlspecialchars($result, ENT_COMPAT, 'UTF-8');
+
+			if ($multibyte)
+			{
+				$result = utf8_normalize_nfc($result);
+			}
+
+			if (!empty($result))
+			{
+				// Make sure multibyte characters are wellformed
+				if ($multibyte)
+				{
+					if (!preg_match('/^./u', $result))
+					{
+						$result = '';
+					}
+				}
+				else
+				{
+					// no multibyte, allow only ASCII (0-127)
+					$result = preg_replace('/[\x80-\xFF]/', '?', $result);
+				}
+			}
+
+			$result = ($this->strip) ? stripslashes($result) : $result;
+		}
+	}
+
+	/**
+	* Recursively sets a variable to a given type using {@link set_var set_var}
+	*
+	* @param	string	$var		The value which shall be sanitised (passed by reference).
+	* @param	mixed	$default	Specifies the type $var shall have.
+	* 								If it is an array and $var is not one, then an empty array is returned.
+	* 								Otherwise var is cast to the same type, and if $default is an array all
+	* 								keys and values are cast recursively using this function too.
+	* @param	bool	$multibyte	Indicates whether string keys and values may contain UTF-8 characters.
+	* 								Default is false, causing all bytes outside the ASCII range (0-127) to
+	* 								be replaced with question marks.
+	* @param	bool	$trim		Indicates whether trim() should be applied to string values.
+	* 								Default is true.
+	*/
+	public function recursive_set_var(&$var, $default, $multibyte, $trim = true)
+	{
+		if (is_array($var) !== is_array($default))
+		{
+			$var = (is_array($default)) ? array() : $default;
+			return;
+		}
+
+		if (!is_array($default))
+		{
+			$type = gettype($default);
+			$this->set_var($var, $var, $type, $multibyte, $trim);
+		}
+		else
+		{
+			// make sure there is at least one key/value pair to use get the
+			// types from
+			if (empty($default))
+			{
+				$var = array();
+				return;
+			}
+
+			list($default_key, $default_value) = each($default);
+			$value_type = gettype($default_value);
+			$key_type = gettype($default_key);
+
+			$_var = $var;
+			$var = array();
+
+			foreach ($_var as $k => $v)
+			{
+				$this->set_var($k, $k, $key_type, $multibyte);
+
+				$this->recursive_set_var($v, $default_value, $multibyte, $trim);
+				$var[$k] = $v;
+			}
+		}
+	}
+}
diff --git a/phpBB/phpbb/request/type_cast_helper_interface.php b/phpBB/phpbb/request/type_cast_helper_interface.php
new file mode 100644
index 0000000000..e8195c352e
--- /dev/null
+++ b/phpBB/phpbb/request/type_cast_helper_interface.php
@@ -0,0 +1,65 @@
+<?php
+/**
+*
+* @package \phpbb\request\request
+* @copyright (c) 2010 phpBB Group
+* @license http://opensource.org/licenses/gpl-2.0.php GNU General Public License v2
+*
+*/
+
+namespace phpbb\request;
+
+/**
+* @ignore
+*/
+if (!defined('IN_PHPBB'))
+{
+	exit;
+}
+
+/**
+* An interface for type cast operations.
+*
+* @package \phpbb\request\request
+*/
+interface type_cast_helper_interface
+{
+	/**
+	* Recursively applies addslashes to a variable.
+	*
+	* @param	mixed	&$var	Variable passed by reference to which slashes will be added.
+	*/
+	public function addslashes_recursively(&$var);
+
+	/**
+	* Recursively applies addslashes to a variable if magic quotes are turned on.
+	*
+	* @param	mixed	&$var	Variable passed by reference to which slashes will be added.
+	*/
+	public function add_magic_quotes(&$var);
+
+	/**
+	* Set variable $result to a particular type.
+	*
+	* @param mixed	&$result	The variable to fill
+	* @param mixed	$var		The contents to fill with
+	* @param mixed	$type		The variable type. Will be used with {@link settype()}
+	* @param bool	$multibyte	Indicates whether string values may contain UTF-8 characters.
+	* 							Default is false, causing all bytes outside the ASCII range (0-127) to be replaced with question marks.
+	*/
+	public function set_var(&$result, $var, $type, $multibyte = false);
+
+	/**
+	* Recursively sets a variable to a given type using {@link set_var set_var}.
+	*
+	* @param	string	$var		The value which shall be sanitised (passed by reference).
+	* @param	mixed	$default	Specifies the type $var shall have.
+	* 								If it is an array and $var is not one, then an empty array is returned.
+	* 								Otherwise var is cast to the same type, and if $default is an array all
+	* 								keys and values are cast recursively using this function too.
+	* @param	bool	$multibyte	Indicates whether string keys and values may contain UTF-8 characters.
+	* 								Default is false, causing all bytes outside the ASCII range (0-127) to
+	* 								be replaced with question marks.
+	*/
+	public function recursive_set_var(&$var, $default, $multibyte);
+}