PHP Filter Implementation Code (php tips)

Source: Internet
Author: User
Tags: php script
In the past, users went to the network mainly to obtain information. Today's web focuses far more on interaction with users: users are no longer only readers of a site, they are also producers of its content. The web has developed from simple "reading" to "writing" and "co-creation", from passively receiving information to actively publishing it. The security problems that come with this are ones that web developers cannot ignore, and validating data from third-party sources is an essential feature of every web application.

In the past, validating data in PHP was usually something programmers did themselves with regular expressions. Starting with PHP 5.2, the original PECL filter extension was moved into the built-in library and considerably hardened, and these functions can be used to filter and validate data.

Data sources and validation types
Data in PHP comes from two places: external variables (such as POST, GET, cookies and so on) and data generated inside the page itself. PHP defines the filter_input_* and filter_var_* families of functions for these two kinds of data respectively. By the way they work, filters are further divided into two kinds, validating and sanitizing. Validating filters check the data and yield a Boolean result (the call returns false when the data does not pass). Sanitizing filters strip certain characters according to a rule and return the processed string.

Simple usage
For example, to check that a string is an integer, in the past we would use a regular expression or the is_numeric function:

The code is as follows:

$str = '51ab';
preg_match('/^[0-9]+$/', $str);   // 0: the string is not made up of digits only
is_numeric($str);                 // false

The new validation function can be used as follows:

$str = '51ab';
echo filter_var($str, FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';

FILTER_VALIDATE_INT is a filter defined in PHP for checking that $str is an integer. It is in fact a numeric constant: echo FILTER_VALIDATE_INT; prints 257. So we can also write:

$str = '51ab';
echo filter_var($str, 257) ? 'is valid' : 'is not valid';

PHP defines a number of commonly used filters. We can get all supported filter names (as strings) with filter_list(), and then get their numeric values with filter_id(string):

print_r(filter_list());   // all supported filter names
echo '=========';
echo filter_id('int');    // 'int' is one of the names returned by filter_list()

The above outputs something similar to the following:

Array ( [0] => int [1] => boolean [2] => float [3] => validate_regexp )
=========
257

Sanitizing filters
The above checks that the data format is correct; sometimes filtering out irrelevant content is just as important. Sanitizing filters provide this, for example stripping extra characters from an e-mail address:

$email = '<script>alert("test");</script>xxx@caixw.com';
echo $email;                                      // output directly: the script would run in the browser
echo filter_var($email, FILTER_SANITIZE_EMAIL);   // < and > are stripped; outputs scriptalerttestscriptxxx@caixw.com

Options and flags
filter_var can do more than this: a third parameter can carry special options, for example a maximum value for an integer:
The code is as follows:

$options = array(
    'options' => array('max_range' => 50),
    'flags'   => FILTER_FLAG_ALLOW_OCTAL,
);
$str = '51';
echo filter_var($str, FILTER_VALIDATE_INT, $options) ? 'is valid' : 'is not valid';

The above prints "is not valid", because max_range limits the maximum value to 50. FILTER_FLAG_ALLOW_OCTAL, on the other hand, allows the validated data to be octal, that is, to begin with 0.

The $options parameter is an array containing two elements, options and flags. If only the flags element is needed, it can also be passed directly without the array.
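The following added example (not code from the original article) puts the options array and the flags-only form side by side: a range check with a 'default' fallback, which PHP's validate filters also accept, plus FILTER_FLAG_ALLOW_HEX and FILTER_FLAG_ALLOW_OCTAL. The function name and the input strings are the example's own.

```php
<?php
// Added example, not from the original article. validate_page_number() is a
// name chosen here; the input strings are constructed for the demonstration.
function validate_page_number($raw, $max)
{
    $options = array(
        'options' => array(
            'min_range' => 1,
            'max_range' => $max,
            'default'   => 1,   // returned instead of false when validation fails
        ),
        'flags' => FILTER_FLAG_ALLOW_HEX,   // also accept 0x-prefixed input
    );
    return filter_var($raw, FILTER_VALIDATE_INT, $options);
}

foreach (array('7', '0x10', '51', '-3', '12abc') as $input) {
    // '51' exceeds max_range, '-3' is below min_range and '12abc' is not an
    // integer at all; the 'default' option covers all three failure cases, so
    // the caller always gets an integer back and never has to test for false.
    echo str_pad($input, 8), ' => ';
    var_dump(validate_page_number($input, 50));
}

// When only flags are needed the array wrapper can be dropped: the same
// leading-zero string is checked once without and once with FILTER_FLAG_ALLOW_OCTAL.
var_dump(filter_var('010', FILTER_VALIDATE_INT));
var_dump(filter_var('010', FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_OCTAL));
```

A 'default' that is itself a valid value hides failures from the caller, so use it only where silently falling back (here, to page 1) is the intended behaviour.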

Validating external data
Apart from data generated by the PHP script itself, most data is submitted by the user. Of course we can filter it directly with filter_var as well:
The code is as follows:

if (isset($_GET['age']))
{
    echo filter_var($_GET['age'], FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';
}

However, PHP also provides several functions specifically for validating data from external sources:
The code is as follows:

if (filter_has_var(INPUT_GET, 'age'))
{
    echo filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';
}

Compared with filter_var, filter_input takes an additional first parameter that specifies the source of the data. filter_has_var() is used to determine whether the specified data exists.
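As an added example (not code from the original article), the check above can be made to tell "absent", "invalid" and "valid" apart, which the plain truth test cannot: filter_input() returns null when the variable was never sent and false when it was sent but failed the filter, and a truth test would also throw away a legitimate value of 0. The function name read_age() is chosen here.

```php
<?php
// Added example, not from the original article. read_age() is a name chosen
// here. filter_input() reads the raw request data, so it returns null when
// the variable was never sent and false when it was sent but fails the filter;
// testing with === keeps the three cases apart (a plain truth test would not
// distinguish "missing" from "invalid", and would also reject a valid 0).
function read_age()
{
    $age = filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 0, 'max_range' => 150),
    ));

    if ($age === null) {
        return 'missing';            // ?age=... was not part of the request
    }
    if ($age === false) {
        return 'invalid';            // present, but not an integer in 0..150
    }
    return 'valid: ' . $age;         // $age is an int now, not the raw string
}

echo read_age(), PHP_EOL;
```

Because filter_input() looks at the original request rather than at $_GET, values assigned to $_GET inside the script are not seen by it.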

Filtering multiple values at once
PHP also provides the filter_var_array and filter_input_array functions for validating several values in one call.

This example from php.net illustrates how filter_var_array() is used:
The code is as follows:

$data = array(
    'product_id' => 'libgd<script>',
    'component'  => '10',
    'versions'   => '2.0.33',
    'testscalar' => array('2', '23', '10', '12'),
    'testarray'  => '2',
);

$args = array(
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => array(
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_FORCE_ARRAY,
        'options' => array('min_range' => 1, 'max_range' => 10),
    ),
    'versions'     => FILTER_SANITIZE_ENCODED,
    'doesnotexist' => FILTER_VALIDATE_INT,
    'testscalar'   => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_SCALAR,
    ),
    'testarray'    => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_FORCE_ARRAY,
    ),
);
$myinputs = filter_var_array($data, $args);

Custom filters
You can specify a custom filter by passing the special filter FILTER_CALLBACK. The following converts the @ in an e-mail address to #:
The code is as follows:

function fun($value)
{
    return strtr($value, '@', '#');
}
$var = filter_var('abc@caixw.com', FILTER_CALLBACK, array('options' => 'fun'));
echo $var;   // abc#caixw.com
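The following added example (not code from the original article or from php.net) combines the two previous sections: a filter_var_array() definition in which one entry is a FILTER_CALLBACK. A callback may return false to reject a value, so it composes with the built-in validators and the result array can be checked uniformly. The field names, the function username_filter() and the input values are constructed for the demonstration.

```php
<?php
// Added example, not from the original article or php.net. username_filter()
// is a name chosen here; the field names and input values are constructed.
function username_filter($value)
{
    // Accept 3 to 16 characters of [A-Za-z0-9_]; return false to reject anything else.
    return preg_match('/^[A-Za-z0-9_]{3,16}$/', $value) ? $value : false;
}

$data = array(
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'age'      => '17',
    'role'     => 'admin<script>',
);

$args = array(
    'username' => array('filter' => FILTER_CALLBACK, 'options' => 'username_filter'),
    'email'    => FILTER_VALIDATE_EMAIL,
    'age'      => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 18, 'max_range' => 120),
    ),
    'role'     => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^(user|admin)$/'),
    ),
    'referrer' => FILTER_VALIDATE_URL,   // deliberately absent from $data
);

$clean = filter_var_array($data, $args);

// Each result is false when the value was present but failed its filter, and
// null when the key was missing from $data (add_empty defaults to true);
// anything else passed and is already converted (age would be an int).
foreach ($clean as $field => $value) {
    if ($value === false) {
        echo $field, ': rejected', PHP_EOL;
    } elseif ($value === null) {
        echo $field, ': not supplied', PHP_EOL;
    } else {
        echo $field, ': ok (', $value, ')', PHP_EOL;
    }
}
```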

Other

Filters

ID (filter constant) | Name (as returned by filter_list()) | Available options | Flags | Description

Validating
FILTER_VALIDATE_BOOLEAN | "boolean" | | FILTER_NULL_ON_FAILURE | Returns true when the data is "1", "true", "on" or "yes", otherwise false. When the FILTER_NULL_ON_FAILURE flag is set, false is returned only for "0", "false", "off", "no" and "", and other non-true values return NULL.
FILTER_VALIDATE_EMAIL | "validate_email" | | | Validates an e-mail address
FILTER_VALIDATE_FLOAT | "float" | decimal | FILTER_FLAG_ALLOW_THOUSAND | Validates a floating-point number
FILTER_VALIDATE_INT | "int" | min_range, max_range | FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX | Validates an integer, optionally within a specified range
FILTER_VALIDATE_IP | "validate_ip" | | FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE | Validates an IP address
FILTER_VALIDATE_REGEXP | "validate_regexp" | regexp | | Validates against a regular expression
FILTER_VALIDATE_URL | "validate_url" | | FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED | Validates a URL

Sanitizing
FILTER_SANITIZE_EMAIL | "email" | | | Removes all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[]
FILTER_SANITIZE_ENCODED | "encoded" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encodes the string, optionally stripping or encoding the specified characters
FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | | Applies the addslashes() function
FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Removes all characters except digits, + and -, and optionally ., e and E
FILTER_SANITIZE_NUMBER_INT | "number_int" | | | Removes all characters except digits, + and -
FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-escapes ' " < > &, characters with ASCII value less than 32, and optionally other specified characters
FILTER_SANITIZE_STRING | "string" | | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strips tags, and optionally strips or encodes the specified characters
FILTER_SANITIZE_STRIPPED | "stripped" | | | Alias of the "string" filter
FILTER_SANITIZE_URL | "url" | | | Removes all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=
FILTER_UNSAFE_RAW | "unsafe_raw" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Makes no changes, or optionally strips or encodes the characters selected by the flags
FILTER_CALLBACK | "callback" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Custom filter: calls a user-defined function

Flags

ID | Applicable filters | Description
FILTER_FLAG_STRIP_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with ASCII value less than 32
FILTER_FLAG_STRIP_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with ASCII value greater than 127
FILTER_FLAG_ALLOW_FRACTION | FILTER_SANITIZE_NUMBER_FLOAT | Allows the decimal separator (.)
FILTER_FLAG_ALLOW_THOUSAND | FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT | Allows the thousands separator (,)
FILTER_FLAG_ALLOW_SCIENTIFIC | FILTER_SANITIZE_NUMBER_FLOAT | Allows scientific notation (e or E)
FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_SANITIZE_STRING | Does not encode quotes (single and double)
FILTER_FLAG_ENCODE_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with ASCII value less than 32
FILTER_FLAG_ENCODE_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with ASCII value greater than 127
FILTER_FLAG_ENCODE_AMP | FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes the & character
FILTER_NULL_ON_FAILURE | FILTER_VALIDATE_BOOLEAN | Returns NULL when the data is none of the strings yes, no, 1, 0, true, false, on, off
FILTER_FLAG_ALLOW_OCTAL | FILTER_VALIDATE_INT | Allows octal values (beginning with 0)
FILTER_FLAG_ALLOW_HEX | FILTER_VALIDATE_INT | Allows hexadecimal values (beginning with 0x or 0X)
FILTER_FLAG_IPV4 | FILTER_VALIDATE_IP | Requires an IPv4-format string
FILTER_FLAG_IPV6 | FILTER_VALIDATE_IP | Requires an IPv6-format string
FILTER_FLAG_NO_PRIV_RANGE | FILTER_VALIDATE_IP | Rejects the private IP ranges specified by the RFCs: for IPv4 the ranges 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and for IPv6 addresses beginning with FD or FC
FILTER_FLAG_NO_RES_RANGE | FILTER_VALIDATE_IP | Requires the value not to be in a reserved IP range. IPv4 ranges: 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 and 224.0.0.0/4. Does not apply to IPv6.
FILTER_FLAG_PATH_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a path component
FILTER_FLAG_QUERY_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a query string
