PHP filters are used to validate and filter data from non-secure sources, such as user input.
What is a PHP Filter?
PHP filters are used to validate and filter data from non-secure sources.
Testing, validating and filtering user input or custom data is an important part of any web application.
The PHP filter extension is designed to make data filtering easier and faster.
Why use a filter?
Almost all web applications depend on external input. This data usually comes from users or from other applications (such as a web service). By using filters, you can ensure that the application receives input of the correct type.
You should always filter external data!
Input filtering is one of the most important application security issues.
What is external data?
Input data from a form
Cookies
Web service data
Server variables
Database query results
Functions and filters
To filter variables, use one of the following filter functions:
filter_var() - filters a single variable with a specified filter
filter_var_array() - filters multiple variables with the same or different filters
filter_input() - gets one input variable and filters it
filter_input_array() - gets multiple input variables and filters them with the same or different filters
In the following example, we use the filter_var() function to validate an integer:
<?php
$int = 123;
// FILTER_VALIDATE_INT returns the integer on success and FALSE on failure;
// compare with === false so that a valid 0 is not mistaken for a failure.
if (filter_var($int, FILTER_VALIDATE_INT) === false)
{
    echo "not a valid integer";
}
else
{
    echo "a valid integer";
}
?>
The code above filters the variable with the FILTER_VALIDATE_INT filter.
If we try a value that is not an integer (such as "123abc"), the output will be: "not a valid integer".
For a complete list of functions and filters, please visit our PHP Filter Reference Manual.
Validating and Sanitizing
There are two kinds of filters:
Validating filters:
Used to validate user input
Strict format rules (such as URL or E-Mail validation)
Return the expected type on success, or FALSE on failure
Sanitizing filters:
Allow or disallow specified characters in a string
No data format rules
Always return a string
Options and flags
Options and flags add extra filtering options to a given filter.
Different filters have different options and flags.
In the following example, we use filter_var() with the "min_range" and "max_range" options to validate an integer:
<?php
$var = 300;
$int_options = array(
    "options" => array
    (
        "min_range" => 0,
        "max_range" => 256
    )
);
// compare with === false so that a valid 0 (inside the range) is accepted
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false)
{
    echo "not a valid integer";
}
else
{
    echo "a valid integer";
}
?>
As in the code above, options must be placed inside an array under the key "options". A flag does not need to be inside that array.
Since the integer "300" is not within the specified range, the output of the code will be:
"not a valid integer"
For a complete list of functions and filters, please visit our PHP Filter Reference Manual. There you can see the options and flags available for each filter.
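As an added example (not code from the original tutorial), the block below combines range options with a flag, shows a flag passed directly as the third argument, and checks the result strictly so that a valid 0 is not reported as a failure. The helper names validatePort() and parseFlag() are assumptions for illustration.

```php
<?php
// Added example (not from the original tutorial): range options plus a flag,
// and a strict check of the result. A validating filter returns the typed
// value on success and FALSE on failure. A valid 0 is falsy, so
// "!filter_var(...)" would wrongly report it as invalid; compare with === false.
function validatePort(string $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 65535],
        'flags'   => FILTER_FLAG_ALLOW_HEX,   // also accept "0x1f90" (= 8080)
    ]);
    return $port === false ? null : $port;
}

// A flag alone can be passed directly as the third argument, without the
// "options" array. FILTER_NULL_ON_FAILURE makes the boolean filter return
// NULL for unrecognised input instead of FALSE, so "off" and "garbage" differ.
function parseFlag(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Constructed sample inputs, as they would arrive as strings from a request.
foreach (['0', '8080', '0x1f90', '70000', '12abc'] as $raw) {
    $port = validatePort($raw);
    printf("%-8s => %s\n", $raw, $port === null ? 'invalid' : "valid ($port)");
}
foreach (['yes', 'off', 'garbage'] as $raw) {
    printf("%-8s => %s\n", $raw, var_export(parseFlag($raw), true));
}
```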
Validating input
Let's try validating input from a form.
The first thing we need to do is confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the example below, the input variable "email" is passed to the PHP page:
<?php
// filter_has_var() checks the request itself, not the $_GET array
if (!filter_has_var(INPUT_GET, "email"))
{
    echo "no email parameter";
}
else
{
    // FILTER_VALIDATE_EMAIL returns the address on success and FALSE on failure
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
    {
        echo "is not a valid E-Mail";
    }
    else
    {
        echo "is a valid E-Mail";
    }
}
?>
Example explained
The example above has an input variable (email) sent with the "GET" method:
Check whether an "email" input variable exists in the "GET" input
If it exists, check whether it is a valid e-mail address
Sanitizing input
Let's try sanitizing a URL coming from a form.
First, we need to confirm that the input data we are looking for exists.
Then we sanitize the input data using the filter_input() function.
In the example below, the input variable "url" is passed to the PHP page:
<?php
if (!filter_has_var(INPUT_GET, "url"))
{
    echo "No url parameter";
}
else
{
    // FILTER_SANITIZE_URL removes every character that is not allowed in a URL
    $url = filter_input(INPUT_GET, "url", FILTER_SANITIZE_URL);
    echo $url;
}
?>
Example explained
The example above has an input variable (url) sent with the "GET" method:
Check whether a "url" input variable exists in the "GET" input
If it exists, sanitize it (remove illegal characters) and store it in the $url variable
If the input variable is a string like "http://www.ruåånoøøob.com/", the sanitized $url variable will look like this:
Filtering multiple inputs
Forms often consist of multiple input fields. To avoid calling filter_var() or filter_input() repeatedly, we can use the filter_var_array() or filter_input_array() function.
In this example, we use the filter_input_array() function to filter three GET variables. The GET variables received are a name, an age and an e-mail address:
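As an added example (not code from the original tutorial), the block below runs FILTER_SANITIZE_URL over constructed inputs, including the string above, and shows why sanitizing alone is not enough: it only strips characters, so the result is then validated and its scheme checked against an allow-list. The helper name cleanHttpUrl() is an assumption for illustration.

```php
<?php
// Added example (not from the original tutorial): FILTER_SANITIZE_URL only
// removes characters that can never appear in a URL; it does not check that
// the result is a well-formed URL or that the scheme is one we want to link
// to. So: sanitize, then validate, then allow-list the scheme.
function cleanHttpUrl(string $raw): ?string
{
    $url = filter_var($raw, FILTER_SANITIZE_URL);   // strips stray bytes
    $url = filter_var($url, FILTER_VALIDATE_URL);   // FALSE if malformed
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    // a valid URL is still not safe output: escape it before embedding in HTML
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

$inputs = [                          // constructed sample inputs
    "http://www.ruåånoøøob.com/",    // non-ASCII bytes are stripped
    "https://example.com/path?q=1",  // passes every step
    "ftp://files.example.com/pub",   // valid URL, rejected by the scheme allow-list
    "javascript:void(0)",            // no host, so FILTER_VALIDATE_URL rejects it
    "not a url",                     // spaces stripped, then no scheme: rejected
];
foreach ($inputs as $raw) {
    $clean = cleanHttpUrl($raw);
    printf("%-30s => %s\n", $raw, $clean ?? 'rejected');
}
```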
<?php
$filters = array
(
    // FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
    "name" => array
    (
        "filter" => FILTER_SANITIZE_STRING
    ),
    "age" => array
    (
        "filter" => FILTER_VALIDATE_INT,
        "options" => array
        (
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL
);
// an invalid input variable becomes FALSE, a missing one becomes NULL
$result = filter_input_array(INPUT_GET, $filters);
if (!$result["age"])
{
    echo "Age must be between 1 and 120.";
}
elseif (!$result["email"])
{
    echo "E-Mail illegal";
}
else
{
    echo "Input is correct";
}
?>
Example explained
The example above has three input variables (name, age and email) sent with the "GET" method:
Set up an array that contains the name of each input variable and the filter to apply to it
Call the filter_input_array() function with the GET input variables and the array we just set up
Check the "age" and "email" input variables in the $result variable for illegal values. (If an input variable is illegal, filter_input_array() sets it to FALSE.)
The second parameter of filter_input_array() can be a single filter ID or an array.
If the parameter is a single filter ID, the specified filter filters all the input values in the array.
If the parameter is an array, the array must follow these rules:
It must be an associative array whose keys are input variable names (such as the "age" input variable)
The value of each entry must be a filter ID or an array specifying the filter, flags and options
Using a filter callback
With the FILTER_CALLBACK filter, we can call a custom function and use it as a filter. This gives us full control over the data filtering.
You can create your own custom function, or use an existing PHP function.
The function you want to use as a filter is specified in the same way as options: in an associative array under the key "options".
In the following example, we use a custom function to convert all "_" to ".":
<?php
// replaces every "_" in the input with "."
function convertSpace($string)
{
    return str_replace("_", ".", $string);
}
$string = "www_codercto_com!";
// the callback is passed under the "options" key
echo filter_var($string, FILTER_CALLBACK,
    array("options" => "convertSpace"));
?>
Example explained
The example above converts all "_" to ".":
Create a function that replaces "_" with "."
Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function
(Editor: Leilin Peng. Source: internet; removed on request.)
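Worked example for the filter-definition array rules above and for the callback filter, as added code that is not part of the original tutorial: the same kind of definition array that filter_input_array() accepts is applied with filter_var_array() to a constructed request array, so it runs without a real GET request; one field uses FILTER_CALLBACK with a closure. The closure, the sample data and the checkRequest() helper are assumptions for illustration.

```php
<?php
// Added example (not from the original tutorial). The definition array follows
// the rules above: keys are input variable names, values are a filter ID or an
// array with "filter", "options" and/or "flags". The "name" entry is a
// FILTER_CALLBACK whose callable sits under "options"; it returns FALSE to
// reject a value, which the result array then carries like any failed filter.
$filters = [
    'name'  => [
        'filter'  => FILTER_CALLBACK,
        'options' => fn($v) => preg_match('/^[A-Za-z][A-Za-z .\'-]{0,49}$/', $v) ? $v : false,
    ],
    'age'   => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 1, 'max_range' => 120],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
];

// filter_var_array() applies the same definition to any array, so the request
// can be constructed here. A missing field becomes NULL, an invalid one FALSE;
// telling the two apart needs strict comparison, not a plain "!" test.
function checkRequest(array $request, array $filters): array
{
    $result = filter_var_array($request, $filters);
    $errors = [];
    foreach (array_keys($filters) as $field) {
        if ($result[$field] === null) {
            $errors[$field] = 'missing';
        } elseif ($result[$field] === false) {
            $errors[$field] = 'invalid';
        }
    }
    return ['values' => $result, 'errors' => $errors];
}

// Constructed sample "GET" arrays: one well-formed, one with problems.
$good = ['name' => 'Ada Lovelace', 'age' => '36', 'email' => 'ada@example.com'];
$bad  = ['name' => 'Ada<3', 'age' => '130'];   // bad name, age out of range, email missing
foreach ([$good, $bad] as $request) {
    echo json_encode(checkRequest($request, $filters)), PHP_EOL;
}
```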