
PHP filter (Filter)

WBOY (Original), 2016-08-10 08:49:33

PHP filters are used to validate and filter data from non-secure sources, such as user input.

What are PHP filters?

PHP filters are used to validate and filter data from non-secure sources.

Validating and filtering user input or custom data is an important part of any web application.

Filter extensions for PHP are designed to make data filtering easier and faster.

Why use filters?

Almost all web applications rely on external input. This data usually comes from users or other applications (such as web services). By using filters, you can ensure that your application gets the correct input type.

You should always filter external data!

Input filtering is one of the most important application security topics.

What is external data?

  • Input data from form
  • Cookies
  • Server variables
  • Database query results

Functions and Filters

To filter variables, use one of the filter functions below:

  • filter_var() - Filter a single variable by a specified filter
  • filter_var_array() - Filter multiple variables by the same or different filters
  • filter_input() - Get a single input variable and filter it
  • filter_input_array() - Get multiple input variables and filter them by the same or different filters

In the example below, we validate an integer using the filter_var() function:

<?php
$int = 123;

// FILTER_VALIDATE_INT returns the integer itself on success and FALSE on failure.
// Compare with === so that a valid value of 0 is not mistaken for a failure.
if (filter_var($int, FILTER_VALIDATE_INT) === false)
 {
 echo("Integer is not valid");
 }
else
 {
 echo("Integer is valid");
 }
?>

The above code uses the "FILTER_VALIDATE_INT" filter to validate the variable. Since this integer is valid, the output of the code is: "Integer is valid".

If we try to use a non-integer variable, the output is: "Integer is not valid".

For a complete list of functions and filters, visit our PHP Filter Reference Manual.

Validating and Sanitizing

There are two types of filters:

Validating filter:

  • Used to validate user input
  • Strict formatting rules (such as URL or Email validation)
  • Returns the expected type if successful, or FALSE if failed

Sanitizing filter:

  • Used to allow or prohibit specified characters in a string
  • No data format rules
  • Always returns a string
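The two filter types side by side, as an added example that is not part of the original tutorial. It shows the return types described above (the validating filter returns the integer or FALSE, the sanitizing filter always returns a string), the strict check the first example on this page needs because a valid 0 is also falsy, and the FILTER_NULL_ON_FAILURE flag that makes failures distinguishable from a valid FALSE.

```php
<?php
// Added example (not from the original tutorial): validating vs sanitizing.
// FILTER_VALIDATE_INT returns the integer itself on success, so the value 0
// is a valid result that is also falsy: "if (!filter_var(...))" would
// wrongly reject it. Compare against false with === instead.
function validateInt($value)
{
    $result = filter_var($value, FILTER_VALIDATE_INT);
    if ($result === false) {
        return "rejected";
    }
    return "accepted as int(" . $result . ")";
}

// A sanitizing filter never fails: it strips everything except digits,
// plus and minus signs, and always returns a string, even for input that is
// not a number at all.
function sanitizeInt($value)
{
    return filter_var($value, FILTER_SANITIZE_NUMBER_INT);
}

// Constructed sample inputs: valid, valid-but-falsy, partly numeric, not numeric.
foreach (array("123", "0", "12abc", "abc") as $input) {
    echo str_pad(var_export($input, true), 10)
        . " validate: " . str_pad(validateInt($input), 22)
        . " sanitize: " . var_export(sanitizeInt($input), true) . "\n";
}

// FILTER_NULL_ON_FAILURE makes a failed validation return NULL instead of
// FALSE. For FILTER_VALIDATE_BOOLEAN that is the only way to tell a rejected
// input ("maybe") apart from an input that legitimately means false ("no").
var_dump(filter_var("maybe", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
var_dump(filter_var("no", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
```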

Options and Flags

Options and flags are used to add additional filtering options to the specified filter.

Different filters have different options and flags.

In the example below, we validate an integer using filter_var() with the "min_range" and "max_range" options:

<?php
$var = 300;

// Options go under the "options" key of an associative array.
$int_options = array(
"options"=>array
 (
 "min_range"=>0,
 "max_range"=>256
 )
);

// Compare with === so that a valid value of 0 is not mistaken for a failure.
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false)
 {
 echo("Integer is not valid");
 }
else
 {
 echo("Integer is valid");
 }
?>

As in the code above, the options must be placed in an associative array under the key "options". Flags, on the other hand, do not need to be wrapped in an array.

Since the integer is "300", which is not within the specified range, the output of the above code will be "Integer is not valid".
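Flags beside options, as an added example that is not part of the original tutorial. A flag on its own is passed directly as the third argument; when a filter needs both, they share one array with an "options" key and a "flags" key. FILTER_FLAG_ALLOW_HEX is a real flag of FILTER_VALIDATE_INT; the 0..255 range is this example's own choice.

```php
<?php
// Added example (not from the original tutorial): flags versus options.
// A flag alone is passed directly as the third argument, no array needed.
// FILTER_FLAG_ALLOW_HEX lets FILTER_VALIDATE_INT accept "0xFF" style input.
function validateHexInt($value)
{
    return filter_var($value, FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX);
}

// Options and flags together go in one associative array: the range
// limits under "options" and the flag(s) under "flags".
function validateByteValue($value)
{
    $definition = array(
        "options" => array(
            "min_range" => 0,
            "max_range" => 255
        ),
        "flags" => FILTER_FLAG_ALLOW_HEX
    );
    return filter_var($value, FILTER_VALIDATE_INT, $definition);
}

// Constructed sample inputs: decimal in range, hex in range, hex out of
// range, decimal out of range, not a number.
foreach (array("255", "0xFF", "0x100", "300", "abc") as $input) {
    $hex  = validateHexInt($input);
    $byte = validateByteValue($input);
    echo str_pad($input, 6)
        . " hex allowed: " . str_pad(var_export($hex, true), 6)
        . " hex allowed and in 0..255: " . var_export($byte, true) . "\n";
}
```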

For a complete list of functions and filters, please visit the PHP Filter Reference Manual provided by W3School, which lists the available options and flags for each filter.

Validate input

Let's try to validate the input from the form.

The first thing we need to do is confirm that the input data we are looking for exists.

Then we use the filter_input() function to filter the input data.

In the example below, the input variable "email" is passed to the PHP page:

<?php
// filter_has_var() checks the actual request data, so first make sure the
// "email" GET variable was sent at all.
if(!filter_has_var(INPUT_GET, "email"))
 {
 echo("Input type does not exist");
 }
else
 {
 // FILTER_VALIDATE_EMAIL returns the address on success and FALSE on failure.
 if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
  {
  echo "E-Mail is not valid";
  }
 else
  {
  echo "E-Mail is valid";
  }
 }
?>

Example explanation:

The example above has an input variable (email) passed via the "GET" method:

  1. Detect whether there is an "email" input variable of type "GET"
  2. If input variable exists, check if it is a valid email address

Sanitize input

Let's try to sanitize the URL passed from the form.

First, we want to confirm that the input data we are looking for exists.

Then, we use the filter_input() function to sanitize the input data.

In the example below, the input variable "url" is passed to the PHP page:

<?php
// First make sure the "url" POST variable was sent at all.
if(!filter_has_var(INPUT_POST, "url"))
 {
 echo("Input type does not exist");
 }
else
 {
 // FILTER_SANITIZE_URL removes all characters that are not allowed in a URL.
 $url = filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL);
 }
?>

Example explanation:

The example above has an input variable (url) passed via the "POST" method:

  1. Detect whether there is a "url" input variable of type "POST"
  2. If this input variable exists, sanitize it (remove illegal characters) and store it in the $url variable

If the input variable looks like this: "http://www.W3 illegal ol.com.c character n/", then the sanitized $url variable should look like this:

http://www.W3School.com.cn/
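Sanitizing followed by validating, as an added example that is not part of the original tutorial. FILTER_SANITIZE_URL only removes characters that are not allowed in a URL; it silently changes the value (an accented letter in the host name simply disappears) and what remains is not necessarily a usable URL, so the sanitized value is passed through FILTER_VALIDATE_URL before it is used. filter_var() on constructed strings stands in for filter_input() so the example runs without a live request.

```php
<?php
// Added example (not from the original tutorial): sanitize, then validate.
function cleanUrl($raw)
{
    // Step 1: strip characters that may not appear in a URL (spaces,
    // letters with diacritics, ...). This never fails and always returns a string.
    $sanitized = filter_var($raw, FILTER_SANITIZE_URL);

    // Step 2: check that what is left still has the shape of a URL
    // (scheme and host present). Returns the URL or FALSE.
    $valid = filter_var($sanitized, FILTER_VALIDATE_URL);

    return array("sanitized" => $sanitized, "valid" => $valid);
}

// Constructed sample inputs.
$samples = array(
    "http://www.example.com/pa ge",   // embedded space is removed
    "http://www.exämple.com/",        // the non-ASCII letter is removed, changing the host
    "www.example.com",                // nothing to strip, but no scheme: fails validation
);

foreach ($samples as $raw) {
    $r = cleanUrl($raw);
    echo var_export($raw, true) . "\n";
    echo "  sanitized: " . var_export($r["sanitized"], true) . "\n";
    echo "  validated: " . var_export($r["valid"], true) . "\n";
}
```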

Filter multiple inputs

A form usually consists of multiple input fields. To avoid repeated calls to filter_var or filter_input, we can use the filter_var_array or filter_input_array functions.

In this example, we use the filter_input_array() function to filter three GET variables. The GET variables received are a name, an age and an e-mail address:

<?php
// One entry per input variable: either a filter ID, or an array with the
// filter and its options. (FILTER_SANITIZE_STRING is deprecated since PHP 8.1.)
$filters = array
 (
 "name" => array
  (
  "filter"=>FILTER_SANITIZE_STRING
  ),
 "age" => array
  (
  "filter"=>FILTER_VALIDATE_INT,
  "options"=>array
   (
   "min_range"=>1,
   "max_range"=>120
   )
  ),
 "email"=> FILTER_VALIDATE_EMAIL,
 );

// Filters all GET variables named in $filters in one call.
$result = filter_input_array(INPUT_GET, $filters);

if (!$result["age"])
 {
 echo("Age must be a number between 1 and 120.<br />");
 }
elseif(!$result["email"])
 {
 echo("E-Mail is not valid.<br />");
 }
else
 {
 echo("User input is valid");
 }
?>

Example explanation:

The example above has three input variables (name, age and email) passed via the "GET" method:

  1. Set up an array containing the names of the input variables and the filter to apply to each of them
  2. Call the filter_input_array function with the GET input variables and the array just set up as parameters
  3. Check whether the "age" and "email" variables in the $result variable contain invalid input. (If invalid input exists,)

The second parameter of the filter_input_array() function can be an array or the ID of a single filter.

If the parameter is a single filter ID, that filter is applied to every value in the input array.

If the parameter is an array, the array must follow these rules:

  • It must be an associative array whose keys are the input variables (such as the "age" input variable)
  • The values of the array must be filter IDs, or arrays specifying the filter, flags and options
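The same definition array run with filter_var_array() over a constructed array, as an added example that is not part of the original tutorial. filter_input_array() needs a live GET request, while filter_var_array() takes any array with the same second argument, so it runs offline and also shows the two results a checker must tell apart: FALSE (failed validation) and NULL (variable listed in the definition but not supplied). FILTER_SANITIZE_FULL_SPECIAL_CHARS replaces FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example (not from the original tutorial): filter_var_array() with the
// tutorial's definition array over a constructed "request" array.
function filterUserInput(array $input)
{
    $filters = array(
        "name"  => array(
            "filter" => FILTER_SANITIZE_FULL_SPECIAL_CHARS  // HTML-encodes < > & " '
        ),
        "age"   => array(
            "filter"  => FILTER_VALIDATE_INT,
            "options" => array("min_range" => 1, "max_range" => 120)
        ),
        "email" => FILTER_VALIDATE_EMAIL,
    );
    // Keys listed in $filters but absent from $input come back as NULL;
    // keys present in $input but not listed in $filters are dropped.
    return filter_var_array($input, $filters);
}

// Constructed sample request: "email" is missing, "extra" is not in the definition.
$sample = array(
    "name"  => "Peter <b>Parker</b>",
    "age"   => "200",
    "extra" => "ignored",
);

$result = filterUserInput($sample);
var_dump($result);

// Distinguish "failed validation" (FALSE) from "not supplied" (NULL).
if ($result["email"] === null) {
    echo "E-Mail was not supplied.\n";
} elseif ($result["email"] === false) {
    echo "E-Mail is not valid.\n";
}
if ($result["age"] === false) {
    echo "Age must be a number between 1 and 120.\n";
}
```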

Using Filter Callback

With the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This gives us full control over the data filtering.

You can create your own custom function or use an existing PHP function.

The filter function you are going to use is specified the same way options are specified.

In the example below, we use a custom function to convert all "_" to spaces:

<?php
// Custom filter function: receives the value and returns the filtered value.
function convertSpace($string)
{
return str_replace("_", " ", $string);
}

$string = "Peter_is_a_great_guy!";

// The callback is passed under the "options" key, just like filter options.
echo filter_var($string, FILTER_CALLBACK, array("options"=>"convertSpace"));
?>

The result of the above code is:

Peter is a great guy!

Example explanation:

The example above converts all "_" to spaces:

  1. Create a function that replaces "_" with spaces
  2. Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function as parameters
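A callback that validates instead of transforms, as an added example that is not part of the original tutorial. The tutorial's callback only rewrites the string; this one returns FALSE for input that breaks a rule of our own (a username of 3 to 16 letters, digits or underscores, an assumption of this example), and filter_var() then returns FALSE exactly like a built-in validating filter.

```php
<?php
// Added example (not from the original tutorial): FILTER_CALLBACK used as a
// validating filter. Returning false from the callback makes filter_var()
// return false, so the caller can check it the same way as FILTER_VALIDATE_*.
function validateUsername($string)
{
    // Rule assumed for this example: 3 to 16 letters, digits or underscores.
    if (preg_match('/^[A-Za-z0-9_]{3,16}$/', $string) !== 1) {
        return false;
    }
    return $string;
}

// Constructed sample values: one acceptable name and three that break the rule
// (too short, contains spaces, contains markup).
$names = array("peter_77", "ab", "peter is great", "peter<b>");

foreach ($names as $name) {
    $result = filter_var($name, FILTER_CALLBACK, array("options" => "validateUsername"));
    echo str_pad(var_export($name, true), 18) . " => " . var_export($result, true) . "\n";
}
```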