In the past, a user's relationship with a web site was mostly one of reading: the site published and the user consumed. Today's web is built around interaction. Users are no longer just visitors but also producers of a site's content, and applications have moved from simple "read" to "write" and collaborative creation, from passively receiving information to actively publishing it. The security problems that come with this can no longer be ignored by web developers, and validating data from third-party sources is an essential part of every web application.
In the past, validation in PHP was usually something programmers wrote themselves with regular expressions. Starting with PHP 5.2 the former PECL filter extension was moved into the core distribution and hardened considerably; the functions described below can be used to validate and sanitize data.
Data sources and filter types
Data in PHP comes from two places: external variables (POST, GET, cookies and so on) and values produced inside the script itself. PHP provides the filter_input_* family of functions for the former and the filter_var_* family for the latter. By what they do, filters fall into two kinds: validating filters check the data against a rule and return it as the expected type (or false on failure), and sanitizing filters strip or encode characters according to a rule and return the processed string.
Simple usage
For example, to check that a string is an integer, in the past we could use a regular expression or is_numeric():

$str = '51ab';
preg_match('/^[0-9]*$/', $str);   // 0: no match
is_numeric($str);                  // false

Both have traps: this regular expression also matches the empty string, and is_numeric() accepts floats, exponent notation, leading whitespace and (in PHP 5) hexadecimal strings, so neither is a reliable integer check on its own.
The new validating filter does the same job:

$str = '51ab';
echo filter_var($str, FILTER_VALIDATE_INT) !== false ? 'is valid' : 'is not valid';   // is not valid

FILTER_VALIDATE_INT is the filter PHP defines for checking that $str is an integer. The filter is actually a numeric constant; echo FILTER_VALIDATE_INT; prints 257, so the call could also be written as:

$str = '51ab';
echo filter_var($str, 257) !== false ? 'is valid' : 'is not valid';

Use the named constant in real code; the number is an implementation detail. Note the explicit comparison with false: on success FILTER_VALIDATE_INT returns the integer itself, not true, so with a plain truth test the perfectly valid input '0' would be reported as invalid. PHP defines a number of commonly used filters; filter_list() returns the names of all supported filters as strings, and filter_id() maps a name to its constant value:
print_r(filter_list());   // all supported filter names
echo '==========';
echo filter_id('int');    // 'int' is one of the names returned by filter_list()

The above prints something similar to:

Array ( [0] => int [1] => boolean [2] => float [3] => validate_regexp ... )
==========
257

Sanitizing filters
The filters above check that data has the correct format; sometimes it is just as important to strip out content that does not belong. Sanitizing filters provide this, for example removing characters that cannot appear in an e-mail address:

$email = '<script>alert("test");</script>xxx@caixw.com';
echo $email;   // written as-is into an HTML page, the script would run
echo filter_var($email, FILTER_SANITIZE_EMAIL);   // < > ( ) " ; / and the space are removed: scriptalerttestscriptxxx@caixw.com

Note what the filter did and did not do. It removed characters that are illegal in an address, and the result is a syntactically well-formed address that nobody actually submitted. Sanitizing silently rewrites the value; where a wrong value matters, validate with FILTER_VALIDATE_EMAIL and reject instead. Sanitizing is also not a substitute for escaping at output time (htmlspecialchars()): treat it as normalisation of input, not as an XSS defence.

Options and flags
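The following added example (not code from the original article) puts the three operations side by side on constructed inputs: sanitizing with FILTER_SANITIZE_EMAIL, validating with FILTER_VALIDATE_EMAIL, and escaping for HTML output with htmlspecialchars(). The helper names accept_email() and html() are this example's own. PHP 7.1 or later is assumed for the nullable return type.

```php
<?php
// Added example: sanitizing is neither validation nor output escaping.
// All input strings below are constructed for the demonstration.

/**
 * Accept an e-mail address only if it is already well-formed; never "repair" it.
 * Returns the address, or null when it is rejected. The identity check against
 * false is deliberate: validating filters return the value, not a boolean.
 */
function accept_email(string $raw): ?string
{
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

/** Escape any string for insertion into an HTML body or quoted attribute. */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$inputs = array(
    '<script>alert("test");</script>xxx@caixw.com',   // the article's example
    'xxx@caixw.com',                                   // clean
    'user@example.com<img src=x onerror=alert(1)>',    // markup appended
    'not an address',
);

foreach ($inputs as $raw) {
    // Sanitizing drops every character outside the allowed e-mail set and
    // returns whatever is left, even when that is a different address.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    // Validating either returns the address unchanged or rejects it.
    $validated = accept_email($raw);

    // Everything written into an HTML page goes through html(), whether it
    // came from the sanitizer, the validator, or the raw request.
    echo 'raw       : ', html($raw), "\n";
    echo 'sanitized : ', html($sanitized), "\n";
    echo 'validated : ', $validated === null ? '(rejected)' : html($validated), "\n\n";
}
```

For the first input the sanitizer yields scriptalerttestscriptxxx@caixw.com while the validator rejects the raw string outright; for a field that will be used to send mail, the second behaviour is the one you want.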
filter_var() can do more than this: a third parameter supplies options for the filter, for example the maximum value an integer may have:

$options = array(
    'options' => array('max_range' => 50),
    'flags'   => FILTER_FLAG_ALLOW_OCTAL,
);
$str = '51';
echo filter_var($str, FILTER_VALIDATE_INT, $options) !== false ? 'is valid' : 'is not valid';

This prints is not valid, because max_range caps the value at 50. FILTER_FLAG_ALLOW_OCTAL additionally lets the validated value be written in octal, that is with a leading 0 (so '017' validates and returns 15).

The $options parameter is an array with two elements, options and flags. If only flags are needed, they can be passed directly as an integer without wrapping them in an array.
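The following added example (not code from the original article) combines the points of the last two sections: a range-checked integer validator that returns the typed value, the flags for octal and hexadecimal spellings, and the difference between a naive truth test and an identity check against false. The helper int_in_range() is this example's own, the sample strings are constructed, and PHP 7.1 or later is assumed for the nullable return type.

```php
<?php
// Added example: validating integers with filter_var() options and flags,
// and checking the result correctly. Sample inputs are constructed.

/**
 * Validate $value as an integer within [$min, $max].
 * Returns the integer on success or null on failure, so a caller can never
 * confuse a valid 0 with a failed validation.
 */
function int_in_range(string $value, int $min, int $max, int $flags = 0): ?int
{
    $result = filter_var($value, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => $min, 'max_range' => $max),
        'flags'   => $flags,
    ));
    // FILTER_VALIDATE_INT returns the integer, not true, so '0' yields int(0):
    // only an identity check against false tells success from failure.
    return $result === false ? null : $result;
}

$samples = array(
    '0',                      // valid, but falsy
    '51ab',                   // not an integer
    '42',
    ' 42 ',                   // surrounding whitespace is trimmed by the filter
    '017',                    // octal, accepted only with FILTER_FLAG_ALLOW_OCTAL
    '0x2A',                   // hex, accepted only with FILTER_FLAG_ALLOW_HEX
    '4.0',                    // a float is not an integer
    '99999999999999999999',   // overflows PHP's integer range
);

foreach ($samples as $s) {
    // Plain truth test: reports the valid input '0' as invalid.
    $naive = filter_var($s, FILTER_VALIDATE_INT) ? 'valid' : 'INVALID';
    // Identity check, range 0..50, octal and hex spellings allowed.
    $strict = int_in_range($s, 0, 50, FILTER_FLAG_ALLOW_OCTAL | FILTER_FLAG_ALLOW_HEX);
    printf("%-24s naive=%-8s strict=%s\n", var_export($s, true), $naive,
           $strict === null ? 'rejected' : "ok ($strict)");
}
```

The octal and hex flags return the decoded value ('017' becomes 15, '0x2A' becomes 42), so the range check applies to the number, not to the digits typed. Without the flags, leading zeros and the 0x prefix are rejected.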
Validating external data
Apart from values the PHP script creates itself, most data comes from the user. We could of course filter it directly with filter_var():

if (isset($_GET['age'])) {
    echo filter_var($_GET['age'], FILTER_VALIDATE_INT) !== false ? 'is valid' : 'is not valid';
}
But PHP also provides dedicated functions for data from external sources:

if (filter_has_var(INPUT_GET, 'age')) {
    echo filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT) !== false ? 'is valid' : 'is not valid';
}
Compared with filter_var(), filter_input() takes an extra first parameter that names the data source (INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER or INPUT_ENV), and filter_has_var() tests whether the named variable exists in that source. Two details matter in practice: both functions read the raw request data, so values assigned to $_GET or $_POST at runtime are invisible to them, and filter_input() distinguishes a variable that is absent (null) from one that fails validation (false).
Filtering multiple values at once
PHP also provides filter_var_array() and filter_input_array() for validating several values in one call.
This example from php.net shows how filter_var_array() is used:
$data = array(
    'product_id' => 'libgd<script>',
    'component'  => '10',
    'versions'   => '2.0.33',
    'testscalar' => array('2', '23', '10', '12'),
    'testarray'  => '2',
);

$args = array(
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => array(
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_FORCE_ARRAY,
        'options' => array('min_range' => 1, 'max_range' => 10),
    ),
    'versions'     => FILTER_SANITIZE_ENCODED,
    'doesnotexist' => FILTER_VALIDATE_INT,
    'testscalar'   => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_SCALAR,
    ),
    'testarray'    => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_FORCE_ARRAY,
    ),
);

$myinputs = filter_var_array($data, $args);

The definition array maps each key either to a filter constant or to an array with filter, flags and options elements. Dumping $myinputs shows the different outcomes: product_id becomes libgd%3Cscript%3E, component becomes an array containing int(10) because FILTER_FORCE_ARRAY wraps the scalar, versions is unchanged, doesnotexist is null because the key is absent from $data, testscalar is false because an array was given where FILTER_REQUIRE_SCALAR demands a scalar, and testarray becomes an array containing int(2). Only keys present in the definition appear in the result.
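The following added example (not code from the original article or from php.net) applies the same mechanism to a realistic form submission and covers both preceding sections: it distinguishes fields that are missing from fields that fail validation, handles an array field element by element, and drops unexpected keys. The helper validate_request() and the field names are this example's own; $request is a constructed stand-in for $_POST, and with real input the same definition works with filter_input_array(INPUT_POST, $definition).

```php
<?php
// Added example: validating a whole submission with filter_var_array() and
// reporting missing and invalid fields by name. $request is constructed.

$definition = array(
    'username' => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^[a-z][a-z0-9_]{2,31}$/'),
    ),
    'age' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 13, 'max_range' => 120),
    ),
    'email'      => FILTER_VALIDATE_EMAIL,
    'newsletter' => FILTER_VALIDATE_BOOLEAN,   // "yes"/"on"/"1"/"true" -> true
    'phone'      => array(
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => array('regexp' => '/^\+?[0-9]{6,15}$/'),
    ),
    'tags' => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_ARRAY,      // must be an array; each element validated
    ),
);

$request = array(                 // constructed input
    'username'   => 'alice_01',
    'age'        => '0',          // an integer, but out of range: invalid
    'email'      => 'alice@example.com',
    'newsletter' => 'yes',
    'tags'       => array('3', 'x', '7'),   // one element is not an integer
    'role'       => 'admin',      // not in the definition: dropped from the result
);                                // 'phone' is absent: missing

/**
 * Returns array(values, errors). filter_var_array() reports an absent key as
 * null and a failed validation as false; array fields carry false per element.
 */
function validate_request(array $request, array $definition): array
{
    $values = filter_var_array($request, $definition);
    $errors = array();
    foreach ($definition as $key => $spec) {
        if (!array_key_exists($key, $request)) {
            $errors[$key] = 'missing';
        } elseif ($values[$key] === false) {
            $errors[$key] = 'invalid';
        } elseif (is_array($values[$key]) && in_array(false, $values[$key], true)) {
            $errors[$key] = 'invalid element';
        }
    }
    return array($values, $errors);
}

list($values, $errors) = validate_request($request, $definition);
print_r($errors);   // age => invalid, phone => missing, tags => invalid element
print_r($values);   // typed values; 'role' is gone, newsletter is bool(true)
```

The missing-versus-invalid distinction relies on the default add_empty behaviour of filter_var_array(), which puts a null entry in the result for every definition key absent from the input; the check against the original $request keys makes the intent explicit rather than depending on that null.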
Custom filters
A custom filter can be specified by passing the special filter FILTER_CALLBACK with the callable in the options element. This one converts the @ in a mail address to #:
function fun($value)
{
    return strtr($value, '@', '#');
}
$var = filter_var('abc@caixw.com', FILTER_CALLBACK, array('options' => 'fun'));
echo $var;   // abc#caixw.com
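The following added example (not code from the original article) shows a FILTER_CALLBACK filter doing real validation work: it canonicalises a host name and accepts it only if it is on an allow-list, returning false for anything else so that it behaves like the built-in validators. It also shows that with array input the callback is applied to each element. The allow-list, the helper allowed_host() and the sample inputs are constructed for the example; PHP 5.6 or later is assumed for the array constant.

```php
<?php
// Added example: a FILTER_CALLBACK filter that canonicalises and allow-lists
// host names. Allow-list and inputs are constructed.

const ALLOWED_HOSTS = array('api.example.com', 'cdn.example.com');

/**
 * Callback for FILTER_CALLBACK. Whatever it returns becomes the result of
 * filter_var(), so return false for a rejected value, exactly as the built-in
 * validating filters do, and the caller can use the same "!== false" check.
 */
function allowed_host($value)
{
    // Lower-case, strip surrounding whitespace and a trailing dot (FQDN form),
    // so that 'API.Example.com.' and 'api.example.com' compare equal.
    $host = rtrim(strtolower(trim((string) $value)), '.');
    return in_array($host, ALLOWED_HOSTS, true) ? $host : false;
}

$spec = array('options' => 'allowed_host');

$samples = array(
    'API.Example.com',
    'api.example.com.',
    ' cdn.example.com ',
    'evil.example.com',
    'api.example.com.attacker.net',   // suffix match would be wrong; exact match rejects it
);
foreach ($samples as $h) {
    $r = filter_var($h, FILTER_CALLBACK, $spec);
    printf("%-32s => %s\n", var_export($h, true), $r === false ? 'rejected' : $r);
}

// With array input the callback runs once per element; FILTER_CALLBACK ignores
// the 'flags' element, so no FILTER_REQUIRE_ARRAY is needed for this.
$hosts = filter_var(array('api.example.com', 'evil.example.com'), FILTER_CALLBACK, $spec);
print_r($hosts);   // [0] => api.example.com, [1] => false
```

Exact comparison against a fixed list, after canonicalisation, is what makes this a useful guard; a substring or suffix match on the raw string would accept api.example.com.attacker.net.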
Filter reference
ID (filter constant) | Name (as returned by filter_list()) | Options | Flags | Description
--- | --- | --- | --- | ---
Validating filters | | | |
FILTER_VALIDATE_BOOLEAN | "boolean" | | FILTER_NULL_ON_FAILURE | Returns true for "1", "true", "on" and "yes", and false for everything else. With FILTER_NULL_ON_FAILURE, false is returned only for "0", "false", "off", "no" and ""; every other non-boolean value returns null.
FILTER_VALIDATE_EMAIL | "validate_email" | | | Validates an e-mail address
FILTER_VALIDATE_FLOAT | "float" | decimal | FILTER_FLAG_ALLOW_THOUSAND | Validates a floating-point number
FILTER_VALIDATE_INT | "int" | min_range, max_range | FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX | Validates an integer, optionally within the given range
FILTER_VALIDATE_IP | "validate_ip" | | FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE | Validates an IP address
FILTER_VALIDATE_REGEXP | "validate_regexp" | regexp | | Validates the value against the Perl-compatible regular expression given in the regexp option
FILTER_VALIDATE_URL | "validate_url" | | FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED | Validates a URL
Sanitizing filters | | | |
FILTER_SANITIZE_EMAIL | "email" | | | Removes all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[]
FILTER_SANITIZE_ENCODED | "encoded" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encodes the string, optionally stripping or encoding the characters selected by the flags
FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | | Applies addslashes() (deprecated in PHP 7.3 and removed in PHP 8.0, where FILTER_SANITIZE_ADD_SLASHES replaces it)
FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Removes all characters except digits, + and -, and optionally . , e and E
FILTER_SANITIZE_NUMBER_INT | "number_int" | | | Removes all characters except digits, + and -
FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-encodes ' " < > & and characters with an ASCII value below 32, plus the characters selected by the flags
FILTER_SANITIZE_STRING | "string" | | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strips tags and optionally strips or encodes the characters selected by the flags (deprecated since PHP 8.1; it is not an output-escaping mechanism, use htmlspecialchars() at output time)
FILTER_SANITIZE_STRIPPED | "stripped" | | | Alias of the "string" filter
FILTER_SANITIZE_URL | "url" | | | Removes all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=
FILTER_UNSAFE_RAW | "unsafe_raw" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Does nothing, or strips or encodes the characters selected by the flags
FILTER_CALLBACK | "callback" | the callable to invoke | | Custom filter: the callable receives each value and its return value becomes the result; the flags element is ignored
Flags

ID | Applies to | Description
--- | --- | ---
FILTER_FLAG_STRIP_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with an ASCII value below 32
FILTER_FLAG_STRIP_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with an ASCII value above 127
FILTER_FLAG_ALLOW_FRACTION | FILTER_SANITIZE_NUMBER_FLOAT | Allows the decimal separator (.)
FILTER_FLAG_ALLOW_THOUSAND | FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT | Allows the thousands separator (,)
FILTER_FLAG_ALLOW_SCIENTIFIC | FILTER_SANITIZE_NUMBER_FLOAT | Allows scientific notation (e or E)
FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_SANITIZE_STRING | Does not encode single or double quotes
FILTER_FLAG_ENCODE_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with an ASCII value below 32
FILTER_FLAG_ENCODE_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with an ASCII value above 127
FILTER_FLAG_ENCODE_AMP | FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes the & character
FILTER_NULL_ON_FAILURE | FILTER_VALIDATE_BOOLEAN (in current PHP versions it can be combined with any validating filter to return null instead of false on failure) | Returns null for values that are none of "yes", "no", "1", "0", "true", "false", "on", "off" or ""
FILTER_FLAG_ALLOW_OCTAL | FILTER_VALIDATE_INT | Allows octal values (leading 0)
FILTER_FLAG_ALLOW_HEX | FILTER_VALIDATE_INT | Allows hexadecimal values (leading 0x or 0X)
FILTER_FLAG_IPV4 | FILTER_VALIDATE_IP | Requires an IPv4 address
FILTER_FLAG_IPV6 | FILTER_VALIDATE_IP | Requires an IPv6 address
FILTER_FLAG_NO_PRIV_RANGE | FILTER_VALIDATE_IP | Rejects addresses in the RFC private ranges: IPv4 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and IPv6 addresses beginning with FD or FC
FILTER_FLAG_NO_RES_RANGE | FILTER_VALIDATE_IP | Rejects addresses in reserved ranges. In the PHP 5.2 release this article describes these were 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 and 224.0.0.0/4, for IPv4 only. Current PHP versions reject 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4, plus the IPv6 ranges ::/128, ::1/128, ::ffff:0:0/96 and fe80::/10. Note that loopback (127.0.0.0/8) is absent from the older list, so on old releases this flag alone does not keep a user-supplied address away from localhost.
FILTER_FLAG_PATH_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a path component
FILTER_FLAG_QUERY_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a query string
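The following added example (not code from the original article) uses FILTER_VALIDATE_IP with FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE as one layer of a server-side request forgery guard, the most common reason these flags appear in application code. The behaviour shown is that of current PHP releases; the helpers is_public_ip() and host_is_public() and the sample addresses are constructed for the example, and host_is_public() performs a DNS lookup, so only the address loop runs fully offline.

```php
<?php
// Added example: FILTER_VALIDATE_IP range flags as part of an SSRF guard.
// Sample addresses are constructed; behaviour described is current PHP.

/**
 * True only for a literal, globally routable IP address string.
 * Rejects private (RFC 1918, fc00::/7), loopback, link-local (which includes the
 * cloud metadata address 169.254.169.254) and other reserved ranges.
 */
function is_public_ip(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
                      FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

/**
 * Resolve a host name and require every returned address to be public, so a
 * name that alternates between a public and an internal address is refused.
 * The check is on the resolved addresses, not on the user-supplied string.
 * It does not by itself prevent DNS rebinding between this check and the real
 * connection; connect to the checked address rather than re-resolving the name.
 */
function host_is_public(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return is_public_ip($host);          // already a literal address
    }
    $records = @dns_get_record($host, DNS_A | DNS_AAAA);
    if ($records === false || $records === array()) {
        return false;                        // unresolvable: refuse, do not guess
    }
    foreach ($records as $rec) {
        $addr = $rec['type'] === 'A' ? $rec['ip'] : $rec['ipv6'];
        if (!is_public_ip($addr)) {
            return false;
        }
    }
    return true;
}

$samples = array(
    '93.184.216.34',     // public
    '10.1.2.3',          // private
    '192.168.0.1',       // private
    '127.0.0.1',         // loopback: reserved in current PHP, absent from the 5.2 list
    '169.254.169.254',   // link-local, cloud metadata endpoint
    'fd12::1',           // IPv6 unique local
    '::1',               // IPv6 loopback
    '2130706433',        // 127.0.0.1 as a decimal integer: not dotted-quad, rejected
    '0177.0.0.1',        // octal octet: leading zeros are rejected
);
foreach ($samples as $ip) {
    printf("%-18s %s\n", $ip, is_public_ip($ip) ? 'public' : 'rejected');
}
```

The last two samples show a useful property: the filter only accepts the canonical dotted-quad form, so the alternative spellings that some HTTP clients happily connect to are rejected rather than misclassified. The flip side is that the filter cannot reason about names, which is why host_is_public() checks the addresses a name resolves to.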