Input validation using the filter function in php

Input validation using the filter function in php

If (isset ($ _ GET ["value"]) { $ Value = $ _ GET ["value"]; } Else { $ Value = false; } If (is_numeric ($ value) & ($ value >=15 & $ value <= 20 )){ // Run my code } Else { // Handle the issue } This is a very basic example. we have already written more rows. what can I see ?? . First, because we are not sure about the set $ _ GET, the code will perform an appropriate check, so that the script will not be overturned. Second, the dollar value is now a "dirty" variable because it has been directly derived from the specified $ _ GET value. We need to take care that we break anything without using the dollar value elsewhere in the code. In addition, the 16.0 is_numeric () function is effective because of various language problems. Finally, we have to deal with Fact Issues. if the declaration is a single bit taking a bit, it is an additional logical bit passed when you are working through code tracking. Now compare the above example: $ Value = filter_input (INPUT_GET, "value", FILTER_VALIDATE_INT, Array ("options" => array ("min_range" => 15, "max_range" => 20 ))); If ($ value ){ // Run my code } Else { // Handle the issue } Will not make you feel warm and fuzzy? The $ _ GET value processed by filter_input () is not set, so you do not need to emphasize whether the script receives the correct information or does not. You also don't have to worry about the dollar value being dirty because it has been assigned before it is confirmed. Note that 16.0 is no longer valid. Finally, our logic is no longer complex. This is just a quick check for the truthy value (filter_input () if verification fails, false and null are returned if $ _ GET ["value" is not set "). Obviously, in a real world setting, you can extract the variables stored in the configuration file in an array to a certain place, so that you can get things without entering the business logic change. Gorgeous! Now, you may think that this may be a $ _ GET or $ _ POST variable that is useful for getting a couple of simple scripts, but internally used functions or class conventions? Fortunately, we have the filter_var (). The filter_var () function is introduced to do the same thing as filter_input. // This is an example function. if you do not use this email, // That would be stupid. Function emailUser ($ email ){ Mail ($ email, "Here is my email", "Some Content "); } The danger here is that there is no attempt to send an email, literally any value can be stored in the stop mail () function $ email. This may cause failure to send emails, or malicious features that are increasingly likely to be used in the worst case. What do I see ?? The mail () of the result check is very nice. if the function is successfully completed, but the damage is that the time value is returned. Something like this is more rational: // This is a sample function, do not use this to actually email, // That wocould be silly. Function emailUser ($ email ){ $ Email = filter_var ($ email, FILTER_VALIDATE_EMAIL ); If ($ email! = False ){ Mail ($ email, "Here is my email", "Some Content "); } Else { // Handle the issue invalid email address } } Many examples are used, including the above problems, which are basic. You may think that it cannot be used for any filter_var () or filter_input () other than basic checks (). And allows you to pass in a filter to these functions called FILTER_CALLBACK. FILTER_CALLBACK allows you to use the input function that will accept the filtered variables you create-where is it, you can start, because there is a lot of fun, you can apply your business logic to your filter. Some potential defects these features are very great, they let you do some really powerful filtering, we have discussed, can help improve the security and reliability of your code. But there are also some potential disadvantages. I will feel that I am dereliction of duty, if I do not point it out. The main drawback is that as long as your filter applies to its functionality. In the last example, use email verification-how to handle email address change between FILTER_VALIDATE_EMAIL 5.2.14 and 5.3.3, even if all applications running the same version of PHP have an email address, it is technically effective and you may not want it. Make sure that you know the filter you are using. The second trap is that people think that if they are in some filters, then put their code into safety. Filtered variables are helpful, but they do not protect your code 100% from abuse. I would like to talk about this, but it is beyond the scope of this article and my words are already quite high! Summary: I think you have only one function in your code to see what will happen when you pass in different data types and values. Then, I want you to apply for some filtering methods discussed here to see if there are any differences in how your code is executed. I 'd like to know how you commented.