<h2>What is a PHP Filter? </h2>
<p>A PHP filter is used to validate and filter data coming from insecure sources.</p>
<p>Testing, validating and filtering user input or custom data is an important part
of any web application.</p>
<p>The PHP filter extension is designed to make data
filtering easier and quicker.</p>
<hr />
<h2>Why use a Filter?</h2>
<p>Almost all web applications depend on external input. Usually this comes from
a user or another application (like a web service). By using filters you can be
sure your application gets the correct input type.</p>
<p><b>You should always filter all external data!</b></p>
<p>Input filtering is one of the most important application security issues.</p>
<p>What is external data?</p>
<ul>
<li>Input data from a form</li>
<li>Cookies</li>
<li>Web services data</li>
<li>Server variables</li>
<li>Database query results</li>
</ul>
<hr />
<h2>Functions and Filters</h2>
<p>To filter a variable, use one of the following filter functions:</p>
<ul>
<li>filter_var() - Filters a single variable with a specified filter</li>
<li>filter_var_array() - Filters several variables with the same or different
filters</li>
<li>filter_input() - Gets one input variable and filters it</li>
<li>filter_input_array() - Gets several input variables and filters them with
the same or different filters</li>
</ul>
<p>In the example below, we validate an integer using the filter_var() function:</p>
<table width="100%" border="1" class="ex" cellspacing="0" id="table13"><tr><td>
<pre><?php
$int = 123;

// FILTER_VALIDATE_INT returns the integer on success and FALSE on failure.
// Compare with === false: a valid value of 0 is also falsy and would
// otherwise be reported as invalid.
if (filter_var($int, FILTER_VALIDATE_INT) === false)
{
echo("Integer is not valid");
}
else
{
echo("Integer is valid");
}
?></pre>
</td></tr></table>
<p>The code above uses the "FILTER_VALIDATE_INT" filter to filter the
variable. Since the integer is valid, the output of the code above will be:
"Integer is valid".</p>
<p>If we try with a variable that is not an integer (like "123abc"), the output
will be: "Integer is not valid".</p>
<p>For a complete list of functions and filters, visit our
<a href="php_ref_filter.asp">PHP Filter Reference.</a><br />
</p>
<hr />
<h2>Validating and Sanitizing</h2>
<p>There are two kinds of filters:</p>
<p>Validating filters:</p>
<ul>
<li>Are used to validate user input</li>
<li>Apply strict format rules (like URL or e-mail validation)</li>
<li>Return the expected type on success or FALSE on failure</li>
</ul>
<p>Sanitizing filters:</p>
<ul>
<li>Are used to allow or disallow specified characters in a string</li>
<li>Apply no data format rules</li>
<li>Always return a string</li>
</ul>
<hr />
<h2>Options and Flags</h2>
<p>Options and flags are used to add additional filtering options to the
specified filters.</p>
<p>Different filters have different options and flags. </p>
<p>In the example below, we validate an integer using filter_var() with the "min_range"
and "max_range" options:</p>
<table width="100%" border="1" class="ex" cellspacing="0" id="table14"><tr><td>
<pre><?php
$var = 300;

// Options are passed as an associative array under the key "options".
$int_options = array(
"options" => array
(
"min_range" => 0,
"max_range" => 256
)
);

// Compare with === false so that a valid 0 is not mistaken for a failure.
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false)
{
echo("Integer is not valid");
}
else
{
echo("Integer is valid");
}
?></pre>
</td></tr></table>
<p>As in the code above, options must be put in an associative array under the
name "options". If a flag is used on its own, it does not need to be in an array.</p>
<p>Since the integer is 300, which is outside the specified range, the output of the code above will be:
"Integer is not valid".</p>
<p>For a complete list of functions and filters, visit our
<a href="php_ref_filter.asp">PHP Filter Reference.</a> Check each filter to see
what options and flags are available.</p>
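<p>As an added example that is not part of the original page, the script below runs filter_var() through the three ways its third argument can be given (an "options" array, a bare flag, and "options" combined with "flags"), shows why a validating result must be compared with === false rather than negated, and contrasts a validating filter with a sanitizing one as described in the previous section. Every input value is a constructed sample.</p>

```php
<?php
// Added example, not code from the original page. All inputs are constructed.

// Validating filters return FALSE on failure, but 0 and "0" are valid integers
// that are also falsy, so if(!filter_var(...)) misreports them as failures.
$zero = filter_var("0", FILTER_VALIDATE_INT);
echo "naive check says 0 is ", (!$zero ? "invalid" : "valid"), "\n";
echo "strict check says 0 is ", ($zero === false ? "invalid" : "valid"), "\n";

// Options live in an associative array under the key "options".
$range = ["options" => ["min_range" => 0, "max_range" => 256]];
echo "300 in range: ", var_export(filter_var(300, FILTER_VALIDATE_INT, $range) !== false, true), "\n";
echo "42 in range: ", var_export(filter_var(42, FILTER_VALIDATE_INT, $range) !== false, true), "\n";

// A flag on its own can be passed directly as the third argument ...
$hex = filter_var("0x1A", FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX);
echo "0x1A with FILTER_FLAG_ALLOW_HEX: ", var_export($hex, true), "\n";
// ... but to combine a flag with options it goes under the key "flags".
$hexRange = [
    "options" => ["min_range" => 0, "max_range" => 16],
    "flags"   => FILTER_FLAG_ALLOW_HEX,
];
echo "0x1A limited to 0..16: ", var_export(filter_var("0x1A", FILTER_VALIDATE_INT, $hexRange), true), "\n";

// FILTER_NULL_ON_FAILURE makes failure NULL instead of FALSE. That matters for
// FILTER_VALIDATE_BOOLEAN, where FALSE is the legitimate result for "off"/"no"/"0".
echo "\"off\" as boolean: ", var_export(filter_var("off", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE), true), "\n";
echo "\"xyz\" as boolean: ", var_export(filter_var("xyz", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE), true), "\n";

// Validating vs sanitizing on one malformed address: the validator rejects it,
// the sanitizer only strips disallowed characters (here the space) and returns
// whatever is left, which is still not a valid address because of the double @.
// A sanitized value therefore still needs to be validated.
$raw = "john doe@@example.com";
$clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
echo "validate raw: ", var_export(filter_var($raw, FILTER_VALIDATE_EMAIL), true), "\n";
echo "sanitized: $clean, validate sanitized: ",
     var_export(filter_var($clean, FILTER_VALIDATE_EMAIL), true), "\n";
```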
<hr />
<h2>Validate Input</h2>
<p>Let's try validating input from a form.</p>
<p>The first thing we need to do is to confirm that the input data we are
looking for exists.</p>
<p>Then we filter the input data using the filter_input() function.</p>
<p>In the example below, the input variable "email" is sent to the PHP page:</p>
<table width="100%" border="1" class="ex" cellspacing="0" id="table3"><tr><td>
<pre><?php
// filter_has_var() checks the request data PHP received, not the $_GET array.
if (!filter_has_var(INPUT_GET, "email"))
{
echo("Input type does not exist");
}
else
{
// FILTER_VALIDATE_EMAIL returns the address on success and FALSE on failure.
if (filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL) === false)
{
echo "E-Mail is not valid";
}
else
{
echo "E-Mail is valid";
}
}
?></pre>
</td></tr></table>
<h2>Example Explained</h2>
<p>The example above has an input (email) sent to it using the "GET" method:</p>
<ol>
<li>Check if an "email" input variable of the "GET" type exists</li>
<li>If the input variable exists, check if it is a valid e-mail address</li>
</ol>
<hr />
<h2>Sanitize Input</h2>
<p>Let's try cleaning up a URL sent from a form.</p>
<p>First we confirm that the input data we are
looking for exists.</p>
<p>Then we sanitize the input data using the filter_input() function.</p>
<p>In the example below, the input variable "url" is sent to the PHP page:</p>
<table width="100%" border="1" class="ex" cellspacing="0" id="table5"><tr><td>
<pre><?php
if (!filter_has_var(INPUT_POST, "url"))
{
echo("Input type does not exist");
}
else
{
// FILTER_SANITIZE_URL strips characters that cannot appear in a URL and
// always returns a string; it does not check that the result is a valid URL.
$url = filter_input(INPUT_POST,
"url", FILTER_SANITIZE_URL);
}
?></pre>
</td></tr></table>
<h2>Example Explained</h2>
<p>The example above has an input (url) sent to it using the "POST" method:</p>
<ol>
<li>Check if the "url" input of the "POST" type exists</li>
<li>If the input variable exists, sanitize (take away invalid characters)
and store it in the $url variable</li>
</ol>
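<p>The two form examples above, combined into one call and followed by the check a sanitized URL still needs, as an added example that is not code from the original page. The $form array is a constructed stand-in for $_POST so the script runs outside a web request; in a real handler replace filter_var_array($form, $definition) with filter_input_array(INPUT_POST, $definition). The acceptedUrl() helper and the allowed-scheme list are this example's own.</p>

```php
<?php
// Added example, not code from the original page. $form is a constructed
// stand-in for $_POST ("url" deliberately contains a space).
$form = [
    "email" => "john.doe@example.com",
    "url"   => "http://www.exa mple.com/path?q=1",
];

$definition = [
    // Validating filter: FALSE on failure, NULL if the field is missing.
    "email" => FILTER_VALIDATE_EMAIL,
    // Sanitizing filter: strips characters that cannot appear in a URL but
    // returns a string for any input, so it says nothing about validity.
    "url"   => FILTER_SANITIZE_URL,
];

// In a real request: $filtered = filter_input_array(INPUT_POST, $definition);
$filtered = filter_var_array($form, $definition);

if ($filtered["email"] === null) {
    echo "email: input does not exist\n";
} elseif ($filtered["email"] === false) {
    echo "email: not valid\n";
} else {
    echo "email: valid\n";
}

// Sanitizing only removed the space. Validate the result, then restrict the
// scheme: FILTER_VALIDATE_URL checks syntax only and accepts any scheme.
function acceptedUrl(?string $url): ?string
{
    if ($url === null || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ["http", "https"], true) ? $url : null;
}

$url = acceptedUrl($filtered["url"]);
echo $url === null ? "url: rejected\n" : "url: accepted as $url\n";
```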
<p>If the input variable is a string like this
"http://www.W3邋Sch