Best Practices Series (4) -- PHP Security three-pronged: filtering, verification and escape verification & Laravel underlying field verification implementation

Source: Internet
Author: User
Tags valid email address
Best Practice series (4)-PHP Security three axes: filtering, verification and escape verification & Laravel underlying field verification implementation 2. verification data

PHP native implementation

Verification of input data is also important. Unlike filtering, verification does not delete information from the input data, but only confirms whether user input meets expectations. If you enter an email address, make sure that you enter an email address. if you need a phone number, make sure that you enter a phone number, this is what verification is to do.

The purpose of verification is to ensure that the correct data in the specified format is saved on the storage layer of the application. if invalid data is encountered, you must stop the data storage operation, an error message is displayed to remind the user to enter the correct data. Verification can also avoid potential database errors. for example, if MySQL expects to use a DATETIME value while providing a DATE string, MySQL reports an error or uses the default value, regardless of the processing method, the integrity of applications is damaged by invalid data.

To verify input data, we can pass a FILTER_VALIDATE _ * identifier to the filter_var function, PHP provides an identifier for verifying boolean values, email addresses, floating point numbers, integers, IP addresses, regular expressions, and URLs (see the for details ). The following example demonstrates how to verify the email address:


We need to pay special attention to the return value of filter_var. if the verification succeeds, the value to be verified is returned. if the verification fails, false is returned.

Using PHP components

Although the filter_var function provides a lot of identifiers for verification, it is a rare feature and cannot be eaten all over the day. we cannot rely on it to verify all data except the filter_var function, the following components help us complete more complex verification functions:

  • Aura/filter
  • Respect/validation
  • Symphony/validator

Note: the input data must be verified and filtered to ensure it conforms to expectations and is safe.

Data verification implementation in Laraval

Most scenarios of data verification are in form submission. Laravel also provides a wide range of methods for user data submission, which can meet almost any requirement, for details about Laravel data verification, see its official documentation: Here we will briefly discuss its underlying implementation logic. taking user registration as an example, a validator method is defined in AuthController:

This rule is used when registering new users. in Laravel, multiple verification rules are separated by |. for example, email, this rule indicates that the email field is required, must be an email address, the maximum length is 255, and is unique in the users table. Let's take a look at the implementation of the entire verification process. The validator method is called in RegistersUsers Trait (Illuminate \ Foundation \ Auth \ RegistersUsers:

This method first calls the validator method of AuthController to complete the initialization of Validator (Illuminate \ Validation \ Validator), and then calls the fails method on the validator instance to verify whether it fails, the failes method will call the passes method again:

The passes method will eventually traverse each rule (converted to an array during initialization) and call the validate method:

We can see that the verification method corresponding to each rule is finally assembled and called here. Taking email as an example, the final composition method is validateEmail, this verification method has been defined in Validator (in fact, each rule in the verification document can find the corresponding verification method here ):

The code shows that the filter_var provided by PHP is called and the FILTER_VALIDATE_EMAIL ID is passed in to verify whether the input field is a valid email address. If you are interested in the implementation of other verification rules, you can study the Validator class.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.