Request

The $request object hands you everything about the incoming HTTP request — method, URL, headers, body, files, route placeholders — with a sanitizer for every common input shape.

Basics

$request->method;          // 'GET' | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | 'OPTIONS'
$request->ip;              // client IP
$request->https;           // bool
$request->userAgent;       // browser UA
$request->referrer;        // HTTP_REFERER

$request->url->path;       // /products/widgets
$request->url->host;       // www.example.com
$request->url->domain;     // example.com (sans www)
$request->url->full;       // https://www.example.com/products/widgets?q=1
$request->url->protocol;   // http | https

Reading input

Inputs are exposed as RequestData objects with sanitizers attached. Don't read $_GET or $_POST directly — go through the request:

$request->get;             // query string
$request->post;            // POST body (form or JSON)
$request->put;             // PUT body
$request->patch;           // PATCH body
$request->delete;          // DELETE body
$request->all;             // GET + the active method's body, merged

Sanitizers

Each input object has a sanitizer per common type. They return a clean value (or empty/zero/false on miss):

MethodReturnsNotes
int($k)intDigits only
float($k)floatDecimal numbers
bool($k)boolTruthy: 1, true, yes, on
alpha($k)stringLetters only
alphaInt($k)stringLetters and digits
name($k)stringNames with spaces, hyphens, apostrophes
email($k)stringRFC-validated
url($k)stringValidated URL
ip($k)stringv4 or v6
decimal($k)stringMoney-style numeric string
sanitize($k, $mode)string1=strip_tags, 2/3=htmlentities
escape($k)stringhtmlspecialchars
titleCase($k)string"john doe" → "John Doe"
forMetaTags($k)stringStrip newlines / quotes for meta description
 
$id    = $request->get->int('id');
$email = $request->post->email('email');
$name  = $request->post->name('full_name');
$body  = $request->post->sanitize('message', 1);   // strip tags

Quick checks

Two helpers cover most "did the user submit X?" branches:

// Pattern-match the path
if ($request->is('/admin/*')) { /* ... */ }

// Method + key presence (with optional value/callback predicate)
if ($request->has('post', 'action', 'save'))                { /* save */ }
if ($request->has('post', ['email','password']))            { /* both present */ }
if ($request->has('post', 'qty', fn($v) => (int)$v > 0))    { /* positive qty */ }

JSON bodies

POST/PUT/PATCH bodies sent as application/json are parsed automatically. Access fields the same way as form fields:

// curl -X POST -H 'Content-Type: application/json' -d '{"name":"Daniel"}' /api/users
$name = $request->post->name('name');     // 'Daniel'

Route placeholders

Captured segments live on $request->route:

$App->router->get('/users/:id', function($request) use ($App) {
    $id = (int) $request->route->id;
});

File uploads

Each upload field is exposed as an object with a move() helper:

if ($request->files->avatar->uploaded) {
    $f = $request->files->avatar;
    if (in_array($f->ext, ['jpg','png','webp'], true)) {
        $f->move(BP.'/public_html/uploads', $f->name);
    }
}

Available properties: uploaded, name, ext, mime, size, tmp_name.

Headers

$auth = $request->headers->authorization ?? '';
$ct   = $request->contentType;        // 'application/json' etc.
Previous← Groups & Middleware