
The best way to prevent SQL injection in Joomla

Updated: 2023-02-05 23:16:27

In Joomla!, you never directly access any of the superglobals. Also, you should always distinguish incoming and outgoing data. Thus, to get the incoming value from the request, use

$jinput   = JFactory::getApplication()->input; // JInput wraps the request; never read $_POST/$_GET directly
$password = $jinput->get('pwd', '', 'STRING'); // 'STRING' filter: strips tags and illegal characters

(JInput is the right choice; JRequest is deprecated and will be removed in the future.) Now you have a clean value to work with. It is prepared to be handled with PHP.

The next thing is to use the value in an SQL query (outgoing); here you have to escape it properly.

$db    = JFactory::getDbo();
$query = $db->getQuery(true);
// quote() escapes the value AND wraps it in the engine's string delimiters
$query->where("username = " . $db->quote($loginUsername) . " AND password = " . $db->quote($loginPassword) . " AND state > -1");

In contrast to $db->escape(), $db->quote() adds the quotes required by the underlying database engine.

Well, you might at some point want another type of output, e.g. within a view (even if password is not the best choice for this example, I use it for consistency):

echo $this->escape($password); // applies htmlspecialchars() in HTML views

Therefore it is good practice to always keep escaping as close as possible to where it is needed. For incoming data this is immediately after the retrieval, for outgoing data immediately before sending/printing.
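The three steps above (filter on the way in, quote on the way into SQL, escape on the way out to HTML) combined in one Joomla 3 model method. This is an added example, not code from the original answer: the class name LoginExample, the method findUser() and the use of the `#__users` table are assumptions, and the password check is moved out of SQL into PHP with JUserHelper::verifyPassword() (Joomla 3.2+), which the answer's query does not do.

```php
<?php
// Added example: incoming filter -> quoted SQL -> output escaping, Joomla 3 style.
// Assumed names (not from the answer): class LoginExample, method findUser().
defined('_JEXEC') or die;

class LoginExample
{
    /**
     * Look up the submitted user and verify the password in PHP.
     * Returns the user row object, or null when no active user matches.
     */
    public function findUser()
    {
        // 1. Incoming: never read $_POST directly; let JInput filter the value.
        $input    = JFactory::getApplication()->input;
        $username = $input->get('username', '', 'USERNAME'); // strips chars illegal in a username
        $password = $input->get('pwd', '', 'RAW');           // raw is fine: it never enters SQL below

        // 2. Outgoing to SQL: quote() escapes AND wraps in the engine's quotes,
        //    quoteName() protects identifiers. No user data is concatenated unquoted.
        $db    = JFactory::getDbo();
        $query = $db->getQuery(true)
            ->select($db->quoteName(array('id', 'username', 'password')))
            ->from($db->quoteName('#__users'))
            ->where($db->quoteName('username') . ' = ' . $db->quote($username))
            ->where($db->quoteName('block') . ' = 0');

        $db->setQuery($query);
        $user = $db->loadObject();

        // Compare against the stored hash in PHP so the secret is never part of a query string.
        if ($user === null || !JUserHelper::verifyPassword($password, $user->password, $user->id)) {
            return null;
        }

        return $user;
    }
}

// 3. Outgoing to HTML (inside a view template): escape immediately before printing.
// echo $this->escape($user->username);
```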