Best Practice Series (iv)--PHP security kick: Validation of filtering, validation, and escaping & laravel of the underlying field validation implementation

2. Verifying data

PHP Native Implementation

Validating input data is also important, unlike filtering, where validation does not remove information from the input data, but simply confirms that user input is meeting expectations. If you enter an e-mail address, make sure that the user enters an e-mail address, and if you need a phone number, make sure that the user enters the phone number, which is the verification thing.

Verification is to ensure that the application's storage layer holds the correct data in a specific format, if it encounters invalid data, to abort the data store operation, and display the appropriate error message to alert the user to enter the correct data. Validation also avoids potential errors in the database, for example, if MySQL expects to use a DATETIME-type value and provides a DATE string, then MySQL will error or use the default value, regardless of the processing method, the integrity of the application is corrupted by invalid data.

To implement input data validation, we can pass a filter_validate_* identity to the Filter_var function, which provides validation of Boolean values, e-mail addresses, floating-point numbers, integers, IPs, regular expressions, and URL identifiers (see Http://php.net /manual/en/filter.filters.validate.php). The following example shows how to verify an e-mail address:

     
We would like to pay particular attention to the return value of the Filter_var, if the validation succeeds, the value to be validated is returned, false if the validation fails.
    
with PHP components
    
Although the Filter_var function provides a lot of identification for authentication, but a move is fresh, can not eat all over the day, we can not rely on it to verify all the data, in addition to the Filter_var function, there are the following components can help us to complete the more complex validation function:
    
 
 

  
  
 
   
Aura/filter
 
   
Respect/validation
 
   
Symphony/validator
 
  
 
 
    
         
Note: The input data must be validated and filtered to ensure that it meets expectations and is safe.
    
    
implementation of data validation in Laraval
    
Most of the data validation scenarios are on the form submission, and the validation of user submitted data in Laravel provides a rich way to meet almost any requirement, and for data validation on Laravel please refer to its official documentation: http://laravelacademy.org/ Post/3279.html. Here we briefly discuss the underlying implementation logic, with user registration as an example, defines a validator method in Authcontroller:
    
  
    
This rule will be used when registering a new user, laravel through | To separate multiple validation rules, email as an example, this rule indicates that the email field is required, must be an e-mail address, a maximum length of 255, is unique in the users table. Let's take a look at the implementation of the entire validation process, the validator method is called in Registersusers Trait (illuminate\foundation\auth\registersusers):
    
  
    
The method first calls Authcontroller's validator method to complete the initialization of the validator (Illuminate\validation\validator), and then calls validator on the fails instance Method verifies whether the Failes method has failed, and then calls the passes method:
    
  
    
The passes method eventually iterates over each rule (which is converted to an array at initialization) and invokes the Validate method:
    
  
    
You can see that the final assembly of each rule corresponding to the validation method, and call, to email as an example, the final composition of the method is Validateemail, the verification method in Validator is already defined (in fact, Verify that each rule in the document can find a corresponding validation method here:
    
  
    
Through the code, we see that the PHP-provided Filter_var is called and passed in the Filter_validate_email identity to verify that the incoming field is a valid e-mail address. With regard to the implementation of other validation rules, interested students can take a good look at the Validator class.
