Request

The Request class provides a clean, unified interface for reading incoming HTTP request data including input variables, headers, cookies, uploaded files, and URL information. CSRF protection is automatically applied when enabled in your configuration.

The Request instance is available inside your controllers via $this->request.

Input Retrieval 

These methods read values submitted with the request — from query strings, form bodies, or raw request bodies.

Retrieving a single value

Use input() to read a value from any source (GET, POST, or raw body) in one call:

<?php
// Returns the value of 'username' from any input source
$username = $this->request->input('username');

// With a default value if the key is missing
$page = $this->request->input('page', 1);

Retrieving typed values

Cast input directly to a specific type to avoid manual casting:

<?php
$id      = $this->request->integer('id');          // int
$price   = $this->request->float('price');         // float
$active  = $this->request->boolean('active');      // bool
$name    = $this->request->string('name');         // trimmed string

Retrieving by HTTP method

<?php
$name    = $this->request->post('name');        // $_POST
$search  = $this->request->get('q');            // $_GET
$title   = $this->request->put('title');        // raw body (PUT)
$bio     = $this->request->patch('bio');        // raw body (PATCH)
$confirm = $this->request->delete('confirm');   // raw body (DELETE)

Passing NULL (or no argument) returns the entire source array:

<?php
$all_post = $this->request->post();   // entire $_POST array
$all_get  = $this->request->get();    // entire $_GET array

Default values

All retrieval methods accept a $default parameter:

<?php
$sort = $this->request->get('sort', 'asc');
$qty  = $this->request->post('quantity', 1);

Fallback methods

<?php
// Checks POST first, then GET
$value = $this->request->post_get('search');

// Checks GET first, then POST
$value = $this->request->get_post('search');

All input at once

all() merges GET + POST + raw body into one array:

<?php
$data = $this->request->all();

Input method reference

Method	Signature	Description
`input()`	`input($key, $default = NULL)`	Read a value from any source (GET + POST + raw body)
`get()`	`get($index = NULL, $default = NULL)`	Read from `$_GET`
`post()`	`post($index = NULL, $default = NULL)`	Read from `$_POST`
`put()`	`put($index = NULL, $default = NULL)`	Read from raw body (PUT requests)
`patch()`	`patch($index = NULL, $default = NULL)`	Read from raw body (PATCH requests)
`delete()`	`delete($index = NULL, $default = NULL)`	Read from raw body (DELETE requests)
`post_get()`	`post_get($index = NULL)`	POST with GET fallback
`get_post()`	`get_post($index = NULL)`	GET with POST fallback
`all()`	`all()`	All input merged (GET + POST + raw body)
`integer()`	`integer($key, $default = 0)`	Input cast to `int`
`float()`	`float($key, $default = 0.0)`	Input cast to `float`
`boolean()`	`boolean($key, $default = FALSE)`	Input cast to `bool` (1/true/on/yes → TRUE)
`string()`	`string($key, $default = '')`	Input cast to trimmed `string`

Filtering Input 

Use these methods to select or exclude specific fields from the input.

<?php
// Only these keys
$data = $this->request->only(['name', 'email', 'password']);

// Everything except these keys
$data = $this->request->except(['csrf_token', '_method']);

Checking key presence

<?php
// TRUE only if ALL keys are present
if ($this->request->has(['name', 'email']))
{
    // both exist
}

// TRUE if ANY of the keys are present
if ($this->request->has_any(['token', 'api_key']))
{
    // at least one exists
}

// TRUE if present AND not empty
if ($this->request->filled('name'))
{
    // name is present and has a non-empty value
}

// TRUE if the key is missing
if ($this->request->missing('optional_field'))
{
    // not in the request
}

Method	Signature	Description
`has()`	`has($key)`	All keys present (string or array)
`has_any()`	`has_any($keys)`	At least one key present
`filled()`	`filled($key)`	Key present and value is not empty
`missing()`	`missing($key)`	Key is not in the request
`only()`	`only($keys)`	Returns array with only the listed keys
`except()`	`except($keys)`	Returns array without the listed keys

JSON & Raw Body 

For API endpoints that receive a JSON body, use these methods:

<?php
// Decode the JSON body as an associative array
$data = $this->request->json();

// As an object
$data = $this->request->json(FALSE);

// Read the raw body string
$raw = $this->request->raw_body();

Note

json() returns NULL if the body is not valid JSON. put(), patch(), and delete() also transparently decode JSON when the Content-Type is application/json.

Method	Signature	Description
`json()`	`json($assoc = TRUE)`	Decode the JSON request body
`raw_body()`	`raw_body()`	Return the raw body as a string

File Uploads 

Access uploaded files via the $_FILES superglobal through these methods:

<?php
// Check if a file was uploaded
if ($this->request->has_file('avatar'))
{
    $file = $this->request->file('avatar');
    // $file is the standard $_FILES['avatar'] array:
    // ['name', 'type', 'tmp_name', 'error', 'size']

    move_uploaded_file($file['tmp_name'], '/uploads/' . $file['name']);
}

// Get all uploaded files
$files = $this->request->files();

Method	Signature	Description
`file()`	`file($key)`	Single `$_FILES` entry, or `NULL`
`files()`	`files()`	Entire `$_FILES` array
`has_file()`	`has_file($key)`	`TRUE` if a file was actually uploaded (not just an empty field)

Cookies 

<?php
// Read a cookie
$token = $this->request->cookie('remember_token');

// Read with a default
$theme = $this->request->cookie('theme', 'light');

// Read all cookies
$all = $this->request->cookie();

// Set a cookie (expires in 7 days)
$this->request->set_cookie('remember_token', $value, 7 * 24 * 3600);

// Set with extra options
$this->request->set_cookie('prefs', $value, 3600, [
    'path'     => '/',
    'secure'   => TRUE,
    'httponly' => TRUE,
    'samesite' => 'Strict',
]);

// Delete a cookie
$this->request->delete_cookie('remember_token');

Method	Signature	Description
`cookie()`	`cookie($index = NULL, $default = NULL)`	Read a cookie value or all cookies
`set_cookie()`	`set_cookie($name, $value, $expiration, $options)`	Write a cookie with security defaults
`delete_cookie()`	`delete_cookie($name, $options = [])`	Expire a cookie immediately

Headers 

<?php
// Read a single header (case-insensitive)
$type  = $this->request->header('Content-Type');
$token = $this->request->header('Authorization');

// Check if a header is present
if ($this->request->has_header('X-Api-Key'))
{
    // header exists
}

// Read all headers as an associative array
$headers = $this->request->headers();

// Retrieve a Bearer token from the Authorization header
$token = $this->request->bearer_token();
// Returns the token string, or NULL if not a Bearer token

Method	Signature	Description
`header()`	`header($name)`	Read a single header by name
`headers()`	`headers()`	All request headers as an array
`has_header()`	`has_header($name)`	`TRUE` if the header is present
`bearer_token()`	`bearer_token()`	Bearer token from `Authorization` header, or `NULL`

HTTP Method 

<?php
$method = $this->request->method();        // 'get', 'post', etc.
$method = $this->request->method(TRUE);    // 'GET', 'POST', etc.

// Check against a specific method
if ($this->request->is_method('POST')) { ... }
if ($this->request->is_method(['PUT', 'PATCH'])) { ... }

// Convenience checkers
$this->request->is_get();
$this->request->is_post();
$this->request->is_put();
$this->request->is_patch();
$this->request->is_delete();

Note

If a POST request includes the X-HTTP-Method-Override header with a value of PUT, PATCH, or DELETE, method() will return that overridden value. This is useful for HTML forms that cannot send non-POST methods natively.

Method	Signature	Description
`method()`	`method($upper = FALSE)`	Current HTTP method as string
`is_method()`	`is_method($methods)`	Compare against one or more methods
`is_get()`	`is_get()`	`TRUE` if request is GET
`is_post()`	`is_post()`	`TRUE` if request is POST
`is_put()`	`is_put()`	`TRUE` if request is PUT
`is_patch()`	`is_patch()`	`TRUE` if request is PATCH
`is_delete()`	`is_delete()`	`TRUE` if request is DELETE

Request Type Detection 

<?php
$this->request->is_ajax();    // TRUE if X-Requested-With: XMLHttpRequest
$this->request->is_json();    // TRUE if Content-Type is application/json
$this->request->wants_json(); // TRUE if Accept header includes application/json
$this->request->is_secure();  // TRUE if request is over HTTPS
$this->request->is_mobile();  // TRUE if user agent matches a mobile device

Method	Signature	Description
`is_ajax()`	`is_ajax()`	AJAX request check via `X-Requested-With`
`is_json()`	`is_json()`	Sending JSON (`Content-Type: application/json`)
`wants_json()`	`wants_json()`	Expects JSON response (`Accept: application/json`)
`is_secure()`	`is_secure()`	Request is over HTTPS
`is_mobile()`	`is_mobile()`	User agent matches a mobile device

URL & URI 

<?php
$this->request->url();                   // https://example.com/users?page=2
$this->request->url(FALSE);              // https://example.com/users
$this->request->full_url_without_query(); // same as url(FALSE)
$this->request->uri();                   // /users?page=2
$this->request->path();                  // /users
$this->request->query_string();          // page=2
$this->request->query('page', 1);        // '2' (from query string)
$this->request->host();                  // example.com
$this->request->scheme();                // https
$this->request->port();                  // 443
$this->request->referrer();              // previous page URL or NULL

Method	Signature	Description
`url()`	`url($with_query = TRUE)`	Full URL of the current request
`full_url_without_query()`	`full_url_without_query()`	Full URL without the query string
`uri()`	`uri()`	Request URI (path + query string)
`path()`	`path()`	URI path without query string
`query_string()`	`query_string()`	Raw query string (no leading `?`)
`query()`	`query($key, $default = NULL)`	Single query string parameter
`host()`	`host()`	Hostname without port
`scheme()`	`scheme()`	`http` or `https`
`port()`	`port()`	Server port as integer
`referrer()`	`referrer()`	`Referer` header value or `NULL`

IP Address 

<?php
// Direct IP (default, safe)
$ip = $this->request->ip_address();

// Trust proxy headers (only on servers behind a known proxy)
$ip = $this->request->ip_address(TRUE);

// Validate an IP
$this->request->valid_ip('192.168.1.1');           // TRUE
$this->request->valid_ip('192.168.1.1', 'ipv4');   // TRUE
$this->request->valid_ip('::1', 'ipv6');           // TRUE
$this->request->valid_ip('not-an-ip');             // FALSE

Warning

Only pass TRUE to ip_address() if your application is running behind a trusted reverse proxy. Trusting client-supplied headers without verification can allow IP spoofing.

Method	Signature	Description
`ip_address()`	`ip_address($trust_proxy = FALSE)`	Client IP address
`valid_ip()`	`valid_ip($ip, $which = '')`	Validate an IP (`ipv4`, `ipv6`, or any)

Miscellaneous 

<?php
$ua   = $this->request->user_agent();  // User-Agent string or NULL
$srv  = $this->request->server('SERVER_NAME');  // $_SERVER value
$all  = $this->request->server();               // entire $_SERVER array

Method	Signature	Description
`user_agent()`	`user_agent()`	`HTTP_USER_AGENT` string or `NULL`
`server()`	`server($index = NULL)`	Single `$_SERVER` value or entire array

Tips and Best Practices 

Use input() for general-purpose reads; use post() / get() only when the source matters.
Always use typed helpers (integer(), boolean(), string()) before passing values to models or queries.
Use only() when passing request data directly to a model to avoid mass-assignment vulnerabilities.
Prefer filled() over has() when an empty string should also be treated as absent.
Use bearer_token() for API authentication — never read the Authorization header manually.
Never trust ip_address(TRUE) unless you control the proxy in front of your application.
Use is_json() to detect API clients and wants_json() to decide the response format.