Request

The Io library provides access to HTTP request data including POST, GET, cookies, server variables, IP addresses, and request method detection.

It is available in controllers via $this->io.

CSRF Protection

If csrf_protection is enabled in your config, csrf_validate() runs automatically on every request when the Io class is instantiated. No manual call is needed.

<?php
// app/config/config.php
$config['csrf_protection'] = TRUE;

Reading POST Data

Get a single POST value:

<?php
$name = $this->request->post('name');

Get all POST values:

<?php
$data = $this->request->post();
// Returns: ['name' => 'Alice', 'email' => 'alice@example.com', ...]

Reading GET Data

Get a single GET value:

<?php
$page = $this->request->get('page');

Get all GET values:

<?php
$params = $this->request->get();
// Returns: ['page' => '2', 'sort' => 'asc', ...]

POST + GET Combined

Use these when a value may come from either POST or GET.

post_get — checks POST first, falls back to GET:

<?php
$value = $this->request->post_get('search');

get_post — checks GET first, falls back to POST:

<?php
$value = $this->request->get_post('search');

Reading Cookies

Get a single cookie value:

<?php
$token = $this->request->cookie('remember_token');

Get all cookies:

<?php
$cookies = $this->request->cookie();

Setting Cookies

<?php
// Simple cookie (expires at end of session)
$this->request->set_cookie('username', 'alice');

// Cookie that expires in 1 hour
$this->request->set_cookie('username', 'alice', 3600);

// Cookie with custom options
$this->request->set_cookie('username', 'alice', 3600, [
    'path'     => '/',
    'domain'   => '.example.com',
    'secure'   => TRUE,
    'httponly' => TRUE,
    'samesite' => 'Strict',
]);

Note

Options not provided in the $options array are automatically filled from your config values (cookie_path, cookie_domain, cookie_secure, etc.).

set_cookie() Parameters

Parameter	Type	Default	Description
$name	string	—	Cookie name (config prefix is prepended automatically)
$value	string	''	Cookie value
$expiration	int	0	Lifetime in seconds from now. 0 = session cookie. Negative values expire immediately.
$options	array	[]	Override any of: prefix, path, domain, secure, httponly, samesite

Reading Server Variables

Get a single server variable:

<?php
$host = $this->request->server('HTTP_HOST');
$uri  = $this->request->server('REQUEST_URI');

Get all server variables:

<?php
$server = $this->request->server();

Request Method

Returns the current HTTP request method.

<?php
// Lowercase (default)
$method = $this->request->method();       // 'get', 'post', 'put', etc.

// Uppercase
$method = $this->request->method(TRUE);   // 'GET', 'POST', 'PUT', etc.

Practical example — method-based branching:

<?php
public function form()
{
    if ($this->request->method() === 'post') {
        $name = $this->request->post('name');
        // handle form submission
    } else {
        $this->call->view('form/create');
    }
}

IP Address

Get the client IP address:

<?php
$ip = $this->request->ip_address();

Note

ip_address() checks HTTP_X_FORWARDED_FOR, HTTP_CLIENT_IP, and HTTP_X_REAL_IP in order before falling back to REMOTE_ADDR. Only values that pass FILTER_VALIDATE_IP are accepted from proxy headers.

Validate an IP address:

<?php
// Validate any IP (v4 or v6)
$valid = $this->request->valid_ip('192.168.1.1');           // true

// Validate IPv4 only
$valid = $this->request->valid_ip('192.168.1.1', 'ipv4');   // true

// Validate IPv6 only
$valid = $this->request->valid_ip('::1', 'ipv6');            // true

valid_ip() Parameters

Parameter	Type	Default	Description
$ip	string	—	IP address to validate
$which	string	''	Protocol to enforce: 'ipv4', 'ipv6', or '' (any)

AJAX Detection

Returns TRUE if the current request was made via XMLHttpRequest.

<?php
if ($this->request->is_ajax()) {
    $this->request->send_json(['status' => 'ok']);
} else {
    $this->call->view('page/index');
}

Note

is_ajax() relies on the X-Requested-With: XMLHttpRequest header, which is sent automatically by most JavaScript libraries (jQuery, Axios, etc.) but not by native fetch() unless you set the header manually.

Method Reference

Method	Returns	Description
post($index)	string|array	Returns a single POST value or all POST data
get($index)	string|array	Returns a single GET value or all GET data
post_get($index)	string	Checks POST first, then GET
get_post($index)	string	Checks GET first, then POST
cookie($index)	string|array	Returns a single cookie value or all cookies
set_cookie($name, $value, $exp, $opts)	void	Sets a cookie with optional config-backed defaults
server($index)	string|array	Returns a single $_SERVER value or all server data
method($upper)	string	Returns the HTTP request method in lower or upper case
ip_address()	string	Returns the client IP address
valid_ip($ip, string $which)	bool	Validates an IP address (optionally enforces IPv4 or IPv6)
is_ajax()	bool	Returns TRUE if the request is an XMLHttpRequest