PHP filters are used to validate and filter data from non-secure sources, such as the user's input.
What is a PHP filter?
PHP filters are used to validate and filter data from non-secure sources.
Validating and filtering user input or custom data is an important part of any web application.
PHP's filter extension is designed to make data filtering easier and faster.
Why use filters?
Almost all web applications rely on external input. This data usually comes from users or from other applications (such as web services). By using filters, you can ensure that the program receives input of the correct type.
You should always filter external data!
Input filtering is one of the most important application security issues.
What is external data?
• Input data from a form
• Cookies
• Server variables
• Database query results
Functions and filters
To filter variables, use one of the following filter functions:
filter_var() - Filters a single variable with a specified filter
filter_var_array() - Filters multiple variables with the same or different filters
filter_input() - Gets one input variable and filters it
filter_input_array() - Gets multiple input variables and filters them with the same or different filters
In the following example, we use the filter_var() function to validate an integer:
The above code uses the FILTER_VALIDATE_INT filter to filter the variable. Since the integer is legal, the output of the code is: "Integer is valid".
If we try it with a variable that is not an integer, the output is: "Integer is not valid".
For a complete list of functions and filters, please visit our PHP Filter reference manual.
Validating and sanitizing
There are two types of filters:
Validating Filter:
• Used to validate user input
• Strict formatting rules (e.g. URL or e-mail validation)
• Returns the expected type on success, or FALSE on failure
Sanitizing Filter:
• Used to allow or disallow specified characters in a string
• No data formatting rules
• Always returns a string
Options and flags
Options and flags add further filtering behaviour to the specified filter.
Different filters have different options and flags.
In the following example, we validate an integer with filter_var() and the "min_range" and "max_range" options:
As in the code above, options must be placed in an associative array under the key "options". Flags do not need to be inside the array.
Since the integer is "300", which lies outside the specified range, the output of the above code is "Integer is not valid".
For a complete list of functions and filters, please visit the PHP Filter reference manual provided by W3School. There you can see the options and flags available for each filter.
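The integer examples above, as an added example that is not from the original tutorial (the sample values are constructed). It also shows one caveat the tutorial's "if (!filter_var(...))" pattern hides: a legitimate value of 0 is falsy in PHP and would be reported as invalid, so the result is compared with === false instead.

```php
<?php
// Added example (not from the original tutorial): validating integers with
// filter_var(), FILTER_VALIDATE_INT and the min_range/max_range options.

function validateAge($value): ?int
{
    // filter_var() returns the integer on success and false on failure.
    // Compare with === false: "if (!filter_var(...))" misreports a valid
    // value of 0 (or "0") as invalid, because 0 is falsy in PHP.
    $result = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 120],
    ]);
    return $result === false ? null : $result;
}

// Constructed sample inputs, as they would arrive from a form (strings).
$samples = ['42', '0', '300', '12abc', '0x1A', '1e3', '', null];
foreach ($samples as $value) {
    $age = validateAge($value);
    printf("%-8s => %s\n", var_export($value, true),
        $age === null ? 'Integer is not valid' : "Integer is valid ($age)");
}
// '42' and '0' pass; '300' is out of range; '12abc', '0x1A' (no
// FILTER_FLAG_ALLOW_HEX), '1e3', '' and null fail.
```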
Validate input
Let's try to validate input from a form.
The first thing we need to do is confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the following example, the input variable "email" is sent to the PHP page:
<?php
// Step 1: make sure the GET variable "email" exists at all.
if (!filter_has_var(INPUT_GET, "email")) {
    echo("Input type does not exist");
} else {
    // Step 2: validate it as an e-mail address; FALSE means it failed.
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL)) {
        echo "E-Mail is not valid";
    } else {
        echo "E-Mail is valid";
    }
}
?>
Example Explanation:
The above example has an input variable (email) that is transmitted via the "GET" method:
1. Check whether an input variable "email" of type GET exists
2. If the input variable exists, check whether it is a valid e-mail address
Sanitizing input
Let's try to sanitize a URL that came from a form.
First, we want to make sure we have the input data we are looking for.
Then we use the filter_input() function to sanitize the input data.
In the following example, the input variable "url" is sent to the PHP page:
Example Explanation:
The above example has an input variable (url) that is transmitted via the "POST" method:
1. Check whether an input variable "url" of type POST exists
2. If the input variable exists, sanitize it (remove illegal characters) and store it in the $url variable
If the input variable is similar to this: "Http://www.W3 non-O-ol.com.c character n/", then the sanitized $url variable should be this:
http://www.W3School.com.cn/
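The sanitize step above, as an added example that is not from the original tutorial. It uses filter_var() on constructed strings instead of filter_input() so it runs from the command line, and shows why sanitizing alone is not enough: FILTER_SANITIZE_URL only removes characters, so the result is validated afterwards and restricted to the schemes the application expects.

```php
<?php
// Added example (not from the original tutorial): sanitize a URL, then
// validate it. Sample strings are constructed for illustration.

function cleanUrl(string $raw): ?string
{
    // Step 1: strip every character that is not allowed in a URL.
    $sanitized = filter_var($raw, FILTER_SANITIZE_URL);

    // Step 2: sanitizing only removes characters; it does not prove the
    // result is a well-formed URL, so validate it as well.
    if (filter_var($sanitized, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 3: FILTER_VALIDATE_URL accepts any scheme, so allow only the
    // ones this application actually handles.
    $scheme = strtolower((string) parse_url($sanitized, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $sanitized : null;
}

$samples = [
    "http://www.W3School.com.cn/",      // already clean, passes unchanged
    "http://www.W3School.com.cn/\t\n",  // control characters are removed
    "not a url at all",                 // spaces removed, still not a URL
    "ftp://example.com/file",           // well-formed but unexpected scheme
];
foreach ($samples as $raw) {
    $url = cleanUrl($raw);
    printf("%-36s => %s\n", json_encode($raw), $url ?? 'URL is not valid');
}
```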
Filter multiple Inputs
A form typically consists of multiple input fields. To avoid repeated calls to filter_var() or filter_input(), we can use the filter_var_array() or filter_input_array() function.
In this example, we use the filter_input_array() function to filter three GET variables. The GET variables received are a name, an age, and an e-mail address:
<?php
// One entry per input variable: either a bare filter ID, or an array
// with the filter plus its options/flags.
$filters = array(
    "name" => array(
        "filter" => FILTER_SANITIZE_STRING  // deprecated since PHP 8.1
    ),
    "age" => array(
        "filter" => FILTER_VALIDATE_INT,
        "options" => array("min_range" => 1, "max_range" => 120)
    ),
    "email" => FILTER_VALIDATE_EMAIL,
);

$result = filter_input_array(INPUT_GET, $filters);

// Validating filters return FALSE for values that failed.
if (!$result["age"]) {
    echo("Age must be a number between 1 and 120.");
} elseif (!$result["email"]) {
    echo("E-Mail is not valid.");
}
?>
Example Explanation:
The above example has three input variables (name, age, and email) passed via the "GET" method.
1. Set up an array whose keys are the names of the input variables and whose values are the filters for those variables
2. Call the filter_input_array() function with the GET input type and the array you just set up
3. Check whether the "age" and "email" entries in the $result array contain invalid input (if so, an error message is printed)
The second parameter of the filter_input_array() function can be an array or the ID of a single filter.
If the parameter is the ID of a single filter, that filter is applied to all values in the input array.
If the parameter is an array, the array must follow these rules:
• It must be an associative array whose keys are the input variables (e.g. the "age" input variable)
• Each value must be the ID of a filter, or an array that specifies the filter, flags, and options
Using the Filter Callback
By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This gives us full control over the data filtering.
You can create your own custom functions, or use existing PHP functions.
The function to use is specified the same way an option is: under the "options" key.
In the following example, we use a custom function to convert every "_" to a space:
The result of the above code is this:
Peter is a great guy!
Example Explanation:
The above example converts every "_" into a space:
1. Create a function that replaces "_" with a space
2. Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function
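The callback filter and the multi-input section above, combined in one added example that is not from the original tutorial. It passes a constructed input array to filter_var_array() so it runs from the command line; the same definition array works with filter_input_array(INPUT_GET, ...) on a real request. It also tells apart the two failure results the tutorial does not distinguish: null for a field missing from the input and FALSE for a field that failed validation.

```php
<?php
// Added example (not from the original tutorial): filter_var_array() with a
// definition array that mixes a bare filter ID, a filter with options, and
// a FILTER_CALLBACK entry whose "options" value is the callback.

function convertSpace(string $value): string
{
    return str_replace('_', ' ', $value);
}

$definition = [
    'name'  => ['filter' => FILTER_CALLBACK, 'options' => 'convertSpace'],
    'age'   => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1, 'max_range' => 120]],
    'email' => FILTER_VALIDATE_EMAIL,
    'phone' => FILTER_DEFAULT,   // defined but absent from the input below
];

// Constructed input, as filter_input_array() would read it from $_GET.
$input = [
    'name'  => 'Peter_is_a_great_guy!',
    'age'   => '300',
    'email' => 'peter@example.com',
];

$result = filter_var_array($input, $definition);

foreach ($result as $field => $value) {
    if ($value === null) {
        echo "$field is missing from the input\n";     // phone
    } elseif ($value === false) {
        echo "$field is not valid\n";                  // age (out of range)
    } else {
        echo "$field => " . var_export($value, true) . "\n";
    }
}
// name => 'Peter is a great guy!', age is not valid,
// email => 'peter@example.com', phone is missing from the input
```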
This has been our overview of PHP filters; we hope it has been helpful. If you have any questions, please leave a message and we will reply promptly. Thank you for supporting the Scripting House website!