Learn about PHP filters (filter)

Source: Internet
Author: User
Tags: types of filters
PHP filters are used to validate and filter data from untrusted sources, such as user input. This article introduces the filter extension and how to use it.

What is a PHP filter?

PHP filters are used to validate and filter data from non-secure sources.

Validating and filtering user input or other external data is an important part of any web application.

PHP's filter extensions are designed to make data filtering easier and faster.

Why use filters?

Almost all web applications rely on external input. This data usually comes from users or from other applications (such as web services). By using filters, you can make sure the input has the type and form the program expects before the program uses it.

You should always filter external data!

Input validation is one of the most important application security concerns.

What is external data?

Input data from the form

Cookies

Server variables

Database Query Results

Functions and filters

To filter variables, use one of the following filter functions:

filter_var() - Filters a single variable with a specified filter

filter_var_array() - Filters multiple variables with the same or different filters

filter_input() - Gets one input variable (from GET, POST, COOKIE, SERVER or ENV) and filters it

filter_input_array() - Gets multiple input variables and filters them with the same or different filters

In the following example, we use the filter_var() function to validate an integer:

<?php
$int = 123;
// FILTER_VALIDATE_INT returns the integer on success and false on failure,
// so compare strictly: the valid value 0 would otherwise be treated as failure.
if (filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>

The above code uses the FILTER_VALIDATE_INT filter to validate the variable. Since 123 is a valid integer, the output is: "Integer is valid".

If the variable holds something that is not an integer (for example "12abc"), the output is: "Integer is not valid".

Note that the result must be compared with === false. A validating filter returns the validated value on success, and for the input 0 that value is the integer 0, which a plain "if (!filter_var(...))" would wrongly report as invalid.

For a complete list of functions and filters, please visit our PHP Filter reference manual.

Validating and sanitizing

There are two types of filters:

Validating filters:

Used to validate user input

Strict formatting rules (e.g. URL or e-mail validation)

Return the expected type on success, or FALSE on failure

Sanitizing filters:

Used to allow or disallow specified characters in a string

No data format rules: they remove or encode characters rather than checking whether the input is well-formed

Always return a string

Options and flags

Options and flags add extra behaviour to a filter.

Different filters support different options and flags.

In the following example, we validate an integer with filter_var() and the "min_range" and "max_range" options:

<?php
$var = 300;
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>

As in the code above, options must be placed in an associative array under the key "options". Flags can be passed directly as the third argument instead of an array or, when combined with options, under the key "flags" in the same array.

Since 300 lies outside the specified range 0 to 256, the output of the above code is "Integer is not valid".

For a complete list of functions and filters, please visit the PHP Filter reference manual provided by W3school. You can see the options and flags available for each filter.
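The following block is an added example, not code from the original article. It collects the return-value behaviour described in the two sections above into one runnable script: the strict comparison a validating filter needs, the two ways of passing flags, and the boolean case where FILTER_NULL_ON_FAILURE is required to tell a valid "false" from a rejected input. The helper name isValidInt() and the sample inputs are constructed for the example.

```php
<?php
// Added example, not from the original article: how validating filters report
// their result and the comparisons a reviewer should insist on.

// True only when $value is a well-formed integer within [$min, $max].
// FILTER_VALIDATE_INT returns the integer on success and false on failure,
// so the comparison must be strict: the valid input "0" comes back as int 0,
// which a plain "if (!filter_var(...))" would wrongly treat as a failure.
function isValidInt($value, int $min, int $max): bool
{
    $options = array("options" => array("min_range" => $min, "max_range" => $max));
    return filter_var($value, FILTER_VALIDATE_INT, $options) !== false;
}

// Constructed inputs; each comment states why the filter accepts or rejects it.
$samples = array(
    array("0",     "zero is inside [0, 256]"),
    array("300",   "above max_range"),
    array("12abc", "trailing characters are not ignored"),
    array(" 12 ",  "surrounding whitespace is trimmed before validation"),
    array("0x1A",  "hexadecimal needs FILTER_FLAG_ALLOW_HEX"),
);
foreach ($samples as list($input, $why)) {
    printf("%-8s => %s (%s)\n", var_export($input, true),
           isValidInt($input, 0, 256) ? "accepted" : "rejected", $why);
}

// Flags can be passed directly as the third argument...
$hex = filter_var("0x1A", FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX);
// ...or under the "flags" key in the same array as "options".
$hexInRange = filter_var("0x1A", FILTER_VALIDATE_INT, array(
    "options" => array("min_range" => 0, "max_range" => 256),
    "flags"   => FILTER_FLAG_ALLOW_HEX,
));
var_dump($hex, $hexInRange);

// Booleans have the mirror-image pitfall: "no" is a VALID boolean whose value
// is false. FILTER_NULL_ON_FAILURE makes rejected input return null instead of
// false, so valid-true, valid-false and invalid can be told apart.
foreach (array("yes", "no", "maybe") as $word) {
    var_dump(filter_var($word, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
}
?>
```

Run it with the PHP CLI. The integer samples show that "0" and " 12 " are accepted while "300", "12abc" and "0x1A" are rejected; both flag forms turn "0x1A" into the integer 26; and of the three words only "maybe" yields NULL, because "no" is a correctly parsed false rather than a failure.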

Validate input

Let's validate input that comes from a form.

The first thing we need to do is confirm that the input we are looking for actually exists.

We then use the filter_input() function to filter the input data.

In the following example, the input variable "email" is sent to the PHP page:

<?php
if (!filter_has_var(INPUT_GET, "email")) {
    echo("Input type does not exist");
} else {
    // FILTER_VALIDATE_EMAIL returns the address on success and false on failure.
    if (filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL) === false) {
        echo "E-mail is not valid";
    } else {
        echo "E-mail is valid";
    }
}
?>

Example Explanation:

The above example has an input variable (email) that is transmitted via the GET method:

Checks whether a GET input variable named "email" exists

If it exists, checks whether it is a valid e-mail address

Sanitizing input

Let's sanitize a URL that came from a form.

First, we make sure that the input we are looking for exists.

We then use the filter_input() function to sanitize the input data.

In the following example, the input variable "url" is sent to the PHP page:

<?php
if (!filter_has_var(INPUT_POST, "url")) {
    echo("Input type does not exist");
} else {
    $url = filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL);
}
?>

Example Explanation:

The above example has an input variable (url) that is transmitted via the POST method:

Checks whether a POST input variable named "url" exists

If it exists, it is sanitized (characters that are not allowed in a URL are removed) and stored in the $url variable

If the input contains characters that are not permitted in a URL (for example accented or other non-ASCII letters mixed into the host name), those characters are stripped and the sanitized $url is:

http://www.W3School.com.cn/

Sanitizing only removes characters. It does not guarantee that the result is a valid URL, nor that it is safe to redirect to or fetch, so a sanitized URL should still be validated before it is used.
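The next block is an added example, not code from the original article, showing what a practitioner needs around FILTER_SANITIZE_URL before a user-supplied URL is trusted: sanitize, then validate with FILTER_VALIDATE_URL, then check the scheme against an allow-list. The helper name acceptUrl() and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not from the original article. FILTER_SANITIZE_URL only strips
// characters that are not allowed in a URL; the result is not necessarily a
// valid URL, let alone a safe one. acceptUrl() (an assumed helper name) chains
// sanitizing, validation and a scheme allow-list, which is the minimum before
// a user-supplied URL is used in a redirect or a server-side fetch.

function acceptUrl(string $raw, array $allowedSchemes = array("http", "https"))
{
    // 1. Sanitize: remove every character that cannot appear in a URL.
    $clean = filter_var($raw, FILTER_SANITIZE_URL);

    // 2. Validate: FILTER_VALIDATE_URL returns the URL or false, so compare strictly.
    //    It requires a scheme and (for most schemes) a host, but accepts any scheme.
    $valid = filter_var($clean, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return false;
    }

    // 3. Scheme allow-list. Validation alone is not a security control: a
    //    well-formed ftp:// URL, or a javascript://host/... URL, can pass it.
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    if (!in_array($scheme, $allowedSchemes, true)) {
        return false;
    }
    return $valid;
}

// Constructed inputs for the demonstration.
$inputs = array(
    "http://www.W3School.com.cn/",           // already clean
    "http://www.W3 School.com.cn/",          // the space is stripped by sanitizing
    "ftp://example.com/pub/",                // valid URL, scheme not on the allow-list
    "javascript://example.com/%0Aalert(1)",  // stopped by validation or by the allow-list
    "not a url at all",                      // no scheme or host after sanitizing
);
foreach ($inputs as $raw) {
    $accepted = acceptUrl($raw);
    printf("%-40s => %s\n", $raw, $accepted === false ? "REJECTED" : $accepted);
}
?>
```

Only the first two inputs are accepted. The second one is instructive: sanitizing silently repaired it into a different URL than the user typed, which is why security-sensitive code usually prefers validate-and-reject over sanitize-and-continue. The scheme check is what keeps ftp:// and javascript:// out; FILTER_VALIDATE_URL by itself does not.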

Filter multiple Inputs

A form typically consists of multiple input fields. To avoid repeated calls to filter_var() or filter_input(), we can use the filter_var_array() or filter_input_array() function.

In this example, we use the filter_input_array() function to filter three GET variables: a name, an age and an e-mail address:

<?php
$filters = array(
    "name" => array(
        "filter" => FILTER_SANITIZE_STRING   // deprecated since PHP 8.1
    ),
    "age" => array(
        "filter"  => FILTER_VALIDATE_INT,
        "options" => array(
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL,
);
$result = filter_input_array(INPUT_GET, $filters);
if (!$result["age"]) {
    echo("Age must be a number between 1 and 120.<br />");
} elseif (!$result["email"]) {
    echo("E-mail is not valid.<br />");
} else {
    echo("User input is valid");
}
?>

Example Explanation:

The above example has three input variables (name, age and email) passed via the GET method:

Defines an array whose keys are the input variable names and whose values specify the filter for each variable

Calls the filter_input_array() function with INPUT_GET and the array just defined

Checks whether the "age" and "email" entries in $result hold invalid input and prints an error message if so

Note that FILTER_SANITIZE_STRING is deprecated since PHP 8.1. Escape the value with htmlspecialchars() at output time instead, or validate the name against an allow-list pattern with FILTER_VALIDATE_REGEXP.

The second parameter of the filter_input_array() function can be an array or the ID of a single filter.

If the parameter is a single filter ID, that filter is applied to every value in the input array.

If the parameter is an array, it must follow these rules:

It must be an associative array whose keys are the input variable names (e.g. the "age" input variable)

Each value must be either a filter ID or an array specifying the filter, flags and options
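The following block is an added example, not code from the original article. It applies the definition-array rules just listed to a complete form check that runs offline: because filter_input_array() reads the live request, the same definition is handed to filter_var_array() over a constructed array standing in for $_GET, and the two functions interpret the definition identically. It also shows the three distinct results a field can have (value, false, null) and replaces the deprecated FILTER_SANITIZE_STRING with an allow-list regexp. The field names and the regexp are assumptions for the example.

```php
<?php
// Added example, not part of the original article. filter_input_array() reads
// the live request, so to run offline the same definition array is given to
// filter_var_array() over a constructed $form that stands in for $_GET; the
// two functions interpret the definition identically. The field names and the
// name regexp are assumptions for the example.

function validateForm(array $form): array
{
    $definition = array(
        // Allow-list for the name instead of FILTER_SANITIZE_STRING (deprecated
        // since PHP 8.1): letters, spaces, apostrophes and hyphens, 1 to 64 chars.
        "name" => array(
            "filter"  => FILTER_VALIDATE_REGEXP,
            "options" => array("regexp" => '/^[\p{L} \'\-]{1,64}$/u'),
        ),
        "age" => array(
            "filter"  => FILTER_VALIDATE_INT,
            "options" => array("min_range" => 1, "max_range" => 120),
        ),
        // A bare filter ID is also allowed as the value.
        "email" => FILTER_VALIDATE_EMAIL,
    );

    // One entry per key of $definition: the filtered value on success,
    // false when the filter rejected it, null when the field was absent.
    $result = filter_var_array($form, $definition);

    $errors = array();
    foreach ($result as $field => $value) {
        if ($value === null) {
            $errors[$field] = "missing";
        } elseif ($value === false) {
            $errors[$field] = "invalid";
        }
    }
    return array("values" => $result, "errors" => $errors);
}

// Constructed submissions.
$submissions = array(
    "complete and valid" => array("name" => "Peter O'Neil", "age" => "42", "email" => "peter@example.com"),
    "all three invalid"  => array("name" => "<script>alert(1)</script>", "age" => "300", "email" => "not-an-address"),
    "age missing"        => array("name" => "Ann", "email" => "ann@example.com"),
);
foreach ($submissions as $label => $form) {
    $outcome = validateForm($form);
    echo $label, ": ", $outcome["errors"] ? json_encode($outcome["errors"]) : "ok", "\n";
}
?>
```

The first submission reports "ok"; the second reports all three fields as invalid (the name fails the allow-list, 300 is above max_range, and the address has no domain part); the third reports age as missing, because filter_var_array() fills absent keys with null rather than false. Distinguishing null from false matters: the original example's "if (!$result["age"])" cannot tell a missing field from a rejected one.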

Using the Filter Callback

By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This gives full control over the data filtering.

You can write your own function, or you can use an existing PHP function.

The function to use as the filter is specified the same way as an option: under the "options" key of the array passed as the third argument.

In the following example, we use a custom function to convert every "_" to a space:

<?php
// Replace every underscore with a space.
function convertSpace($string)
{
    return str_replace("_", " ", $string);
}

$string = "peter_is_a_great_guy!";
echo filter_var($string, FILTER_CALLBACK, array("options" => "convertSpace"));
?>

The result of the above code is this:

peter is a great guy!

Example Explanation:

The above example converts all "_" into spaces:

Creates a function that replaces "_" with a space

Calls the filter_var() function with the FILTER_CALLBACK filter and an array whose "options" entry names our function
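The block below is an added example, not code from the original article. It goes one step beyond the underscore example: the callback is a closure that both normalizes and validates, rejects bad input by returning false (which is how a callback signals failure), and is applied to a whole array in one filter_var() call. The hostname use case and the sample values are assumptions for the example.

```php
<?php
// Added example, not from the original article. A callback filter can reject
// input by returning false, and filter_var() applies FILTER_CALLBACK to every
// element when given an array, so one closure can clean a whole form. The
// hostname canonicalization below is an assumed use case.

// Normalize a hostname and reject anything that is not a valid DNS name.
$hostnameFilter = function ($value) {
    if (!is_string($value)) {
        return false;
    }
    // Canonical form: trimmed, lower-case, no trailing dot.
    $host = rtrim(strtolower(trim($value)), ".");
    // FILTER_VALIDATE_DOMAIN with FILTER_FLAG_HOSTNAME enforces hostname label
    // rules (letters, digits, hyphens; no empty labels). Returns the string or false.
    return filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME);
};

// Single values: the first is normalized, the second (embedded space) is rejected.
var_dump(filter_var("  Mail.Example.COM. ", FILTER_CALLBACK, array("options" => $hostnameFilter)));
var_dump(filter_var("exa mple.com", FILTER_CALLBACK, array("options" => $hostnameFilter)));

// An array: each element is filtered independently. A failing element becomes
// false while the others keep their cleaned values, so callers must still
// check every entry with === false rather than assuming the whole array passed.
$servers = array(
    "primary"  => "NS1.example.net",
    "backup"   => "bad_host!",
    "tertiary" => "ns3.example.net.",
);
print_r(filter_var($servers, FILTER_CALLBACK, array("options" => $hostnameFilter)));
?>
```

Two points worth remembering: FILTER_CALLBACK ignores the flags argument entirely, so options such as FILTER_NULL_ON_FAILURE have no effect on it, and the callback receives each value as passed (strings from a request), so type checks belong inside the callback as shown.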

This concludes the explanation of filters; further learning material is available on the PHP Chinese network.
