PHP Filter Implementation Code

PHP Filter Implementation Code _php tips

Last Update:2017-01-19 Source: Internet

Author: User

Tags php script

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

In the past, a user through the network is mainly to obtain information. And today's network just more focus on interaction with users, users are no longer just the site of the browser, but also the site content manufacturers. From the previous simple "read" to "write" and "Common creation" development, from the passive receiving information to the active branch of information development. The ensuing security issue has also become a problem that Web developers cannot ignore, and validating third-party sources of data is an essential feature of every Web application.

In the past, PHP needs to validate data, usually programmers themselves through regular expression implementation, and from PHP from 5.2 to the original Pcel filter function moved to the built-in library, and do a lot of hardening, you can use these functions to filter and verify the data.

Data source and authentication type
The data source in PHP contains two parts, one is external variables (such as post, get, cookie, and so on), and there is the data generated inside the page. PHP defines the ilter_input_** and filter_var_** series functions for each of these two data types. And according to the different verification methods can be divided into validating and sanitizing two kinds. Validating is used to validate data and returns a Boolean value. Sanitizing filters certain characters by rule and returns the processed string.

Simple usage
For example, to verify that a string is an integer, in the past we can implement it through regular expressions or is_numeric functions:

Copy Code code as follows:

$str = ' 51ab ';
Preg_match ('/^[0-9]*$/', $str);
Is_numeric ($STR);

New validation functions can be used in the following ways:

$str = ' 51ab ';
Echo Filter_var ($str, filter_validate_int)? ' is valid ': ' are not valid '; Filter_validate_int is a filter defined in PHP to verify that $str is an integer. In fact, this is a numeric constant, through the echo filter_validate_int; The discovery value is 257. So we can also use:

$str = ' 51ab ';
Echo Filter_var ($STR, 257)? ' is valid ': ' are not valid '; A number of commonly used filters are defined in PHP, and we can get all the supported filter names (represented by strings) by Filter_list () and then get their values using filter_id (String):

Print_r (Filter_list ()); All supported filter names.
Echo ' ========= ';
echo filter_id (' int '); ' int ' is a filter name returned by Filter_list. The above will enter something similar to the following:

Array (0=>int ',1=> ' boolean ',2=> ' float ',3=> ' validate_regexp ')
==========
257Sanitizing Filter
The above is to verify that the data format is correct, and sometimes to filter out irrelevant content is also very important. Sanitize filtering provides this functionality, such as filtering out extra characters in an email:

$email = ' <script>alert ("test"); </sript>xxx@caixw.com ';
Echo $email; Direct output, script scripts will be executed.
Echo Filter_var ($email, Filter_sanitize_email); Will filter out < and > output scriptalerttestscriptxxx@caixw.com options and logos
The Filter_var feature is more than that, and you can specify a third parameter with special options, such as an integer that specifies the maximum value:

Copy Code code as follows:

$options = Array (
' Options ' =>array (' Max_range ' =>50),
' Flags ' =>filter_flag_allow_octal,
);
$str = ' 51 ';
Echo Filter_var ($str, Filter_validate_int, $options)? ' is valid ': ' are not valid ';

The are not valid will be returned above. Because Max_range stipulates that its maximum value is only 50. Filter_flag_allow_octal, however, allows the validated data to be a octal, which is the beginning of the 0.

The $options parameter is an array containing two elements: options and flags. If only the flags element, it can also be passed directly without the array.

Validating external Data
In addition to the data generated by the PHP script itself, the data submitted by the user accounts for most of it. Of course we can also use Filter_var to filter directly:

Copy Code code as follows:

if (Isset ($_get[' age '))
{
echo Filter_var ($_get[' age '), Filter_validate_int)? ' is valid ': ' are not valid ';
}

However, PHP also provides several functions for validating data from external sources:

Copy Code code as follows:

if (Filter_has_var (Input_get, ' age '))
{
Echo filter_input (Input_get, ' age ', filter_validate_int)? ' is valid ': ' are not valid ';
}

A parameter (the first parameter) is used to specify the source of the data compared to the filter_var,filter_input. The Filter_has_var () is used to determine whether the specified data exists.

Filter multiple data at once
PHP also provides the Filter_var_array and Filter_input_array functions for one-time validation of multiple data.

This is an example from the php.net to illustrate how Filter_var_array () is used.

Copy Code code as follows:

$data = Array (
' product_id ' => ' libgd<script> ',
' Component ' => ' 10 ',
' Versions ' => ' 2.0.33 ',
' Testscalar ' => Array (' 2 ', ' 23 ', ' 10 ', ' 12 '),
' Testarray ' => ' 2 ',
);

$args = Array (
' product_id ' => filter_sanitize_encoded,
' Component ' => Array (' filter ' => filter_validate_int,
' Flags ' => Filter_force_array,
' Options ' => array (' Min_range ' => 1, ' Max_range ' => 10)
),
' Versions ' => filter_sanitize_encoded,
' Doesnotexist ' => filter_validate_int,
' Testscalar ' => Array (
' Filter ' => filter_validate_int,
' Flags ' => filter_require_scalar,
),
' Testarray ' => Array (
' Filter ' => filter_validate_int,
' Flags ' => Filter_force_array,
)
);
$myinputs = Filter_var_array ($data, $args);

Custom Filters
You can specify a custom filter by passing a special filter filter_callback, which converts the @ of all mailbox addresses to #.

Copy Code code as follows:

function Fun ($value)
{
Return Strtr ($value, ' @ ', ' # ');
}
$var = Filter_var (' abc@caixw.com ', Filter_callback, Array (' Options ' => ' fun '));
Echo $var;

Other

Id (filter constant)	Name (The name returned by the Filter_list () function)	Available Options	sign Bit	Description
Validating
Filter_validate_boolean	"Boolean"		Filter_null_on_failure	Returns True when the hard data is "1", "true", "on", "Yes", or false. When the FILTER_NULL_ON_FAILURE flag bit is set, only the value is "0", "false", "off", "No", and "" is returned false, and other non-true values return NULL.
Filter_validate_email	"Validate_email"			Verifying mailboxes
Filter_validate_float	"Float"	Decimal	Filter_flag_allow_thousand	Verifying floating point numbers
Filter_validate_int	"Int"	Min_range, Max_range	Filter_flag_allow_octal, Filter_flag_allow_hex	Validates an integer value within a specified range
Filter_validate_ip	"Validate_ip"		Filter_flag_ipv4, Filter_flag_ipv6, Filter_flag_no_priv_range, Filter_flag_no_res_range	Verifying IP addresses
Filter_validate_regexp	"Validate_regexp"	Regexp		Validating a regular expression
Filter_validate_url	"Validate_url"		Filter_flag_path_required, filter_flag_query_required	Verifying a URL
Sanitizing
Filter_sanitize_email	"Email"			Remove English characters, numbers, and!#$%& ' *+-/=?^_ ' {\|} ~@. [] a character other than.
filter_sanitize_encoded	"Encoded"		Filter_flag_strip_low, Filter_flag_strip_high, Filter_flag_encode_low, Filter_flag_encode_high	URL-coded string that removes or encodes the specified string.
Filter_sanitize_magic_quotes	"Magic_quotes"			Apply the Addslashes () function
Filter_sanitize_number_float	"Number_float"		Filter_flag_allow_fraction, Filter_flag_allow_thousand, filter_flag_allow_scientific	Remove characters except numbers, +-and., EE
Filter_sanitize_number_int	"Number_int"			Remove characters except numbers and +-
Filter_sanitize_special_chars	"Special_chars"		Filter_flag_strip_low, Filter_flag_strip_high, Filter_flag_encode_high	HTML escape characters, ' &>< and ASCII values less than 32 characters. and other specified characters.
Filter_sanitize_string	"String"		Filter_flag_no_encode_quotes, Filter_flag_strip_low, Filter_flag_strip_high, Filter_flag_encode_low, FILTER_FLAG_ Encode_high, Filter_flag_encode_amp	Removes the label, or removes or encodes the specified character.
filter_sanitize_stripped	"Stripped"			Alias ' string ' filter.
Filter_sanitize_url	"url"			Delete all characters except letters, numbers, and $-_.+!* ' (), {}\|\\^~[] ' <>#% ';/?:@&=
Filter_unsafe_raw	"Unsafe_raw"		Filter_flag_strip_low, Filter_flag_strip_high, Filter_flag_encode_low, Filter_flag_encode_high, FILTER_FLAG_ENCODE _amp	Do not make any changes, or remove or encode the specified letters by sign bits.
Filter_callback	"Callback"		Filter_flag_strip_low, Filter_flag_strip_high, Filter_flag_encode_low, Filter_flag_encode_high, FILTER_FLAG_ENCODE _amp	Custom Filters

Sign bit

ID	Available Filters	Description
Filter_flag_strip_low	filter_sanitize_encoded, Filter_sanitize_special_chars, filter_sanitize_string, Filter_unsafe_raw	Remove characters that are less than 32 ASCII.
Filter_flag_strip_high	filter_sanitize_encoded, Filter_sanitize_special_chars, filter_sanitize_string, Filter_unsafe_raw	Remove ASCII in 127 characters.
Filter_flag_allow_fraction	Filter_sanitize_number_float	Allow decimal separator (.)
Filter_flag_allow_thousand	Filter_sanitize_number_float, Filter_validate_float	Allow thousand separator (,)
Filter_flag_allow_scientific	Filter_sanitize_number_float	Allow scientific notation (e or E).
Filter_flag_no_encode_quotes	Filter_sanitize_string	Do not encode quotes (single and double quotes).
Filter_flag_encode_low	filter_sanitize_encoded, Filter_sanitize_string, Filter_sanitize_raw	A character encoding ASCII less than 32.
Filter_flag_encode_high	filter_sanitize_encoded, Filter_sanitize_special_chars, filter_sanitize_string, Filter_sanitize_raw	Encodes a letter with ASCII greater than 127.
Filter_flag_encode_amp	Filter_sanitize_string, Filter_sanitize_raw	Coding & Symbols.
Filter_null_on_failure	Filter_validate_boolean	Returns NULL when validating that the data is not the following string (Yes,no,1,0,true,false,on,off).
Filter_flag_allow_octal	Filter_validate_int	Allow octal value (beginning of 0).
Filter_flag_allow_hex	Filter_validate_int	Allow 16 binary values. (0X or 0x beginning).
Filter_flag_ipv4	Filter_validate_ip	IP4 format string.
Filter_flag_ipv6	Filter_validate_ip	IP6 format string.
Filter_flag_no_priv_range	Filter_validate_ip	The private domain IP specified by the RFC. IP4 the following range 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. Or a field that starts with the following IP6: FD or FC
Filter_flag_no_res_range	Filter_validate_ip	The requirement value is not in the reserved IP range. IPv4 RANGES:0.0.0.0/8, 169.254.0.0/16,192.0.2.0/24 and 224.0.0.0/4. cannot be applied to IP6.
Filter_flag_path_required	Filter_validate_url	Requires that the URL contain a path portion.
Filter_flag_query_required	Filter_validate_url	A URL query string is required.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More