1. What is a PHP filter?
PHP filters are used to validate and filter data from non-secure sources, such as user input.
Testing, validating, and filtering user input or custom data are important parts of any web application.
PHP's filter extension is designed to make data filtering easier and faster.
2. Why use filters?
Nearly all web applications rely on external input. This data usually comes from users or other applications (such as web services). By using filters, you can ensure that your application gets the correct input type.
You should always filter external data!
Input filtering is one of the most important application security topics.
What is external data?
Input data from forms
Cookies
Web services data
Server variables
Database query results
3. Functions and filters
To filter a variable, use one of the following filter functions:
filter_var() - Filters a single variable with a specified filter
filter_var_array() - Filters multiple variables with the same or different filters
filter_input() - Gets one input variable and filters it
filter_input_array() - Gets multiple input variables and filters them with the same or different filters
In the example below, we use the filter_var() function to validate an integer. The code is as follows:

```php
<?php
$int = 12443633;
// check whether the number is a valid integer
if (!filter_var($int, FILTER_VALIDATE_INT)) {
    echo("不是一个合法的整数");
} else {
    echo("是个合法的整数");
}
?>
```

The output is shown in the picture on the right.
Note: You can try other variables to observe the output
4. Validating and Sanitizing
There are two types of filters:
Validating filter: checks whether the data is valid; on failure the filter function returns FALSE.
Sanitizing filter: removes or encodes disallowed characters and returns the cleaned value.
5. Options and flags
Options and flags are used to add additional filtering options.
Different filters have different options and flags.
In the example below, we validate an integer using filter_var() with the "min_range" and "max_range" options:
The code is as follows
```php
<?php
$var = 300;
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
if (!filter_var($var, FILTER_VALIDATE_INT, $int_options)) {
    echo("不是一个合法的整数");
} else {
    echo("是个合法的整数");
}
?>
```

As in the code above, options must be placed in an associative array under the key "options". Flags do not need to be in an array.
Since the integer is "300", which is not within the specified range, the output of the above code will be:
is not a legal integer
For a complete list of functions and filters, check out the PHP manual.
6. Validate input
Let's try validating input from a form.
The first thing we need to do is confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the following example, the input variable "email" is passed to the PHP page:
```php
<?php
if (!filter_has_var(INPUT_GET, "email")) {
    echo("没有 email 参数");
} else {
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL)) {
        echo "不是一个合法的 E-Mail";
    } else {
        echo "是一个合法的 E-Mail";
    }
}
?>
```
The above example has an input variable (email) passed through the "GET" method:
Check whether a "GET" input variable named "email" exists
If the input variable exists, check whether it is a valid e-mail address
7. Sanitize input
Let us try to sanitize a URL passed from a form.
First, we need to confirm that the input data we are looking for exists.
Then, we use the filter_input() function to sanitize the input data.
In the following example, the input variable "url" is passed to the PHP page:
```php
<?php
if (!filter_has_var(INPUT_GET, "url")) {
    echo("没有 url 参数");
} else {
    $url = filter_input(INPUT_GET, "url", FILTER_SANITIZE_URL);
    echo $url;
}
?>
```
Explanation of the example:
The above example has an input variable (url) passed through the "GET" method:
Check whether a "GET" input variable named "url" exists
If the input variable exists, sanitize it (remove illegal characters) and store it in the $url variable
8. Filter multiple inputs
A form usually consists of multiple input fields. To avoid repeated calls to filter_var() or filter_input(), we can use the filter_var_array() or filter_input_array() function.
In this example, we use the filter_input_array() function to filter three GET variables. The received GET variables are a name, an age and an e-mail address:
The example is as follows
```php
<?php
$filters = array(
    "name" => array(
        "filter" => FILTER_SANITIZE_STRING   // deprecated since PHP 8.1
    ),
    "age" => array(
        "filter" => FILTER_VALIDATE_INT,
        "options" => array(
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL
);
$result = filter_input_array(INPUT_GET, $filters);
if (!$result["age"]) {
    echo("年龄必须在 1 到 120 之间。<br>");
} elseif (!$result["email"]) {
    echo("E-Mail 不合法<br>");
} else {
    echo("输入正确");
}
?>
```
Example explanation
The above example has three input variables (name, age and email) passed through the "GET" method:
Set up an array whose keys are the names of the input variables and whose values are the filters to apply to each
Call the filter_input_array() function with the GET input type and the array just set up
Check whether the "age" and "email" entries in the $result variable contain illegal input. (If an input is illegal, the corresponding entry is FALSE after filter_input_array() has run.)
The second parameter of the filter_input_array() function can be an array or the ID of a single filter.
If this parameter is the ID of a single filter, then the specified filter will filter all values in the input array.
If the parameter is an array, then the array must follow the following rules:
It must be an associative array whose keys are the names of the input variables (such as the "age" input variable)
The values of this array must be the ID of a filter, or an array specifying the filter, flags and options
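As an added example (not part of the original tutorial) tying sections 5 to 8 together, the code below runs filter_var_array() over a constructed array standing in for $_GET, so it works without a web request, and tells a missing field (NULL) apart from an invalid one (FALSE). The field names and rules are assumptions, and PHP 8 is assumed.

```php
<?php
// Added example, not from the original tutorial. Assumes PHP 8.
declare(strict_types=1);

// Constructed sample input standing in for $_GET: "age" is out of range,
// "count" is legitimately zero, and "url" is absent on purpose.
$input = [
    "name"  => "Bob_Smith",
    "age"   => "150",
    "email" => "bob@example.com",
    "count" => "0",
];

// Hypothetical rule set in the shape filter_input_array()/filter_var_array() expect.
// FILTER_SANITIZE_STRING (used in the tutorial) is deprecated since PHP 8.1.
$definition = [
    "name"  => ["filter" => FILTER_SANITIZE_SPECIAL_CHARS],
    "age"   => ["filter"  => FILTER_VALIDATE_INT,
                "options" => ["min_range" => 1, "max_range" => 120]],
    "email" => FILTER_VALIDATE_EMAIL,
    "count" => ["filter" => FILTER_VALIDATE_INT, "flags" => FILTER_FLAG_ALLOW_HEX],
    "url"   => FILTER_VALIDATE_URL,
];

// Missing keys come back as NULL, failed validations as FALSE.
$result = filter_var_array($input, $definition);

// Report every problem field rather than stopping at the first one.
function checkFields(array $result): array
{
    $errors = [];
    foreach ($result as $field => $value) {
        if ($value === null) {
            $errors[$field] = "missing";
        } elseif ($value === false) {
            $errors[$field] = "invalid";
        }
    }
    return $errors;
}

// "count" validates to int(0); a loose `if (!$result["count"])` as in the
// tutorial would treat that as a failure, so the checks use === null / === false.
print_r(checkFields($result));
?>
```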
9. Use Filter Callback
By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This way, we have full control over data filtering.
You can create your own custom function or use an existing PHP function.
Specify the function you want to use as the filter the same way you specify an option: in an associative array, under the key "options".
In the following example, we use a custom function to convert all "_" to ".":

```php
<?php
// replace every "_" with "."
function convertSpace($string) {
    return str_replace("_", ".", $string);
}
$string = "www_php_cn!";
echo filter_var($string, FILTER_CALLBACK, array("options" => "convertSpace"));
?>
```
The output is shown in the picture on the right.
Example explanation
The above example converts all "_" to ".":
Create a function that replaces "_" with "."
Call the filter_var() function with the FILTER_CALLBACK filter and the array containing our function as parameters
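The tutorial's callback only rewrites the value. As an added example (not from the original tutorial), the callback below also validates: it returns FALSE for anything outside a hypothetical display-name rule, and filter_var() then returns FALSE too. The function name, rule and sample inputs are assumptions, and PHP 8 is assumed.

```php
<?php
// Added example, not from the original tutorial. Assumes PHP 8.
declare(strict_types=1);

// Hypothetical rule: a display name is 3 to 32 letters, digits or spaces.
// The callback normalises first and then validates; returning FALSE makes
// filter_var() return FALSE, so a callback can reject input, not only rewrite it.
function normalizeDisplayName(string $value): string|false
{
    $value = trim(str_replace("_", " ", $value));   // underscores become spaces
    if (preg_match('/\A[A-Za-z0-9 ]{3,32}\z/', $value) !== 1) {
        return false;                                // anything else is rejected
    }
    return $value;
}

// The callback is named under the "options" key, exactly as in the tutorial;
// a closure or a [$object, "method"] pair is accepted there as well.
$options = ["options" => "normalizeDisplayName"];

// Constructed sample inputs: the first is accepted (and rewritten with spaces),
// the second contains markup and is rejected.
var_dump(filter_var("www_php_cn", FILTER_CALLBACK, $options));
var_dump(filter_var("<b>bob</b>", FILTER_CALLBACK, $options));
?>
```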