Php filter implementation code

In the past, PHP had to verify the data, which was generally implemented by programmers themselves through regular expressions. from PHP 5.2, the filter function in the original PCEL was moved to the built-in library, we have made a lot of enhancements to use these functions to filter and verify data. In the past, a user obtained information through the network. Today's network is focusing more on interaction with users. users are no longer just Site viewers, but also content makers. It evolved from a simple "read" to "write" and "co-creation", and from a passive reception of information to an active branch. The security issues that follow have become a problem that web developers cannot ignore. verifying data from third-party sources has become an essential feature for every web program.

In the past, PHP had to verify the data, which was generally implemented by programmers themselves through regular expressions. from PHP 5.2, the filter function in the original PCEL was moved to the built-in library, we have made a lot of enhancements to use these functions to filter and verify data.

Data source and verification type
The data source in PHP contains two parts: external variables (such as POST, GET, and COOKIE), and data generated inside the page. PHP defines the ilter_input _ ** and filter_var _ ** series functions for these two data types. Different verification methods can be divided into Validating and Sanitizing. Validating is used to verify data and returns a boolean value. Sanitizing filters specific characters according to rules and returns the processed string.

Simple usage
For example, to verify whether a string is an integer, we can use a regular expression or the is_numeric function in the past:

The code is as follows:

$ Str = '51ab ';
Preg_match ('/^ [0-9] * $/', $ str );
Is_numeric ($ str );

The new verification function can be used in the following ways:

$ Str = '51ab ';
Echo filter_var ($ str, FILTER_VALIDATE_INT )? 'Is valid': 'is not valid'; FILTER_VALIDATE_INT is a filter defined by PHP to verify whether $ str is an integer. In fact, this is a numerical constant. it is found that the value is 257 through echo FILTER_VALIDATE_INT. So we can also use:

$ Str = '51ab ';
Echo filter_var ($ str, 257 )? 'Is valid': 'is not valid'; PHP defines a large number of commonly used filters. we can use filter_list () to obtain all supported filter names (represented by strings ), then use filter_id (string) to obtain its value:

Print_r (filter_list (); // all supported filter names.
Echo '= ';
Echo filter_id ('int'); // 'int' is a filter name returned by filter_list. The following content is input:

Array (0 => int ', 1 => 'boolean', 2 => 'float', 3 => 'validate _ regexp ')
============
257Sanitizing filter
The above is to verify whether the data format is correct, and sometimes it is important to filter out irrelevant content. SANITIZE filtering provides this function, such as filtering out unnecessary characters in an email:

$ Email = 'script alert ("test ");Xxx@caixw.com ';
Echo $ email; // output directly. the script is executed.
Echo filter_var ($ email, FILTER_SANITIZE_EMAIL); // filter out <和> Output scriptalerttestscriptxxx@caixw.com options and flags
Filter_var is more than just that. you can also specify the third parameter and add some special options, such as an integer that specifies the maximum value:

The code is as follows:

$ Options = array (
'Options' => array ('max _ range' => 50 ),
'Flags' => FILTER_FLAG_ALLOW_OCTAL,
);
$ Str = '51 ';
Echo filter_var ($ str, FILTER_VALIDATE_INT, $ options )? 'Is valid': 'is not valid ';

The above is not valid. Max_range specifies that the maximum value is 50. FILTER_FLAG_ALLOW_OCTAL indicates that the data that can be verified is Octal, that is, data starting with 0.

The $ options parameter is an array containing two elements: options and flags. If only the flags element exists, it can also be passed directly without an array.

Verify external data
In addition to the data generated by the PHP script, the data submitted by the user accounts for the majority. Of course, we can also directly use filter_var for filtering:

The code is as follows:

If (isset ($ _ GET ['age'])
{
Echo filter_var ($ _ GET ['age'], FILTER_VALIDATE_INT )? 'Is valid': 'is not valid ';
}

However, PHP also provides several functions to verify data from external sources:

The code is as follows:

If (filter_has_var (INPUT_GET, 'age '))
{
Echo filter_input (INPUT_GET, 'age', FILTER_VALIDATE_INT )? 'Is valid': 'is not valid ';
}

Compared with filter_var, filter_input has one more parameter (the first parameter) used to specify the data source. Filter_has_var () is used to determine whether specified data exists.

Filter multiple data at a time
PHP also provides the filter_var_array and filter_input_array functions to verify multiple data at a time.

This is an instance from php.net that describes how to use filter_var_array.

The code is as follows:

$ Data = array (
'Product _ id' => 'libgd script ',
'Component' => '10 ',
'Version' => '2. 0.33 ',
'Testscalar '=> array ('2', '23', '10', '12 '),
'Testarray' => '2 ',
);

$ Args = array (
'Product _ id' => FILTER_SANITIZE_ENCODED,
'Component' => array ('filter' => FILTER_VALIDATE_INT,
'Flags' => FILTER_FORCE_ARRAY,
'Options' => array ('min _ range' => 1, 'max _ range' => 10)
),
'Version' => FILTER_SANITIZE_ENCODED,
'Doesnotexist' => FILTER_VALIDATE_INT,
'Testscalar '=> array (
'Filter' => FILTER_VALIDATE_INT,
'Flags' => FILTER_REQUIRE_SCALAR,
),
'Testarray' => array (
'Filter' => FILTER_VALIDATE_INT,
'Flags' => FILTER_FORCE_ARRAY,
)
);
$ Myinputs = filter_var_array ($ data, $ args );

Custom filter
You can specify a custom filter by passing a special filter FILTER_CALLBACK. the following filter converts the @ of all email addresses #.

The code is as follows:

Function fun ($ value)
{
Return strtr ($ value ,'@','#');
}
$ Var = filter_var ('ABC @ caix?com ', FILTER_CALLBACK, array ('options' => 'fun '));
Echo $ var;

Others

ID (Filter constant)	Name (Name returned by the filter_list () function)	Available options	Flag space	Description
Validating
FILTER_VALIDATE_BOOLEAN	"Boolean"		FILTER_NULL_ON_FAILURE	True is returned when the hard data is "1", "true", "on", "yes". otherwise, false is returned. If the FILTER_NULL_ON_FAILURE flag is set, false is returned only when the values are "0", "false", "off", "no", and, other non-true values return null.
FILTER_VALIDATE_EMAIL	"Validate_email"			Verify email
FILTER_VALIDATE_FLOAT	"Float"	Decimal	FILTER_FLAG_ALLOW_THOUSAND	Verify floating point number
FILTER_VALIDATE_INT	"Int"	Min_range, max_range	FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX	Verifies an integer in a specified range.
FILTER_VALIDATE_IP	"Validate_ip"		FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE	Verify IP address
FILTER_VALIDATE_REGEXP	"Validate_regexp"	Regexp		Verify a regular expression
FILTER_VALIDATE_URL	"Validate_url"		FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED	Verify a URL
Sanitizing
FILTER_SANITIZE_EMAIL	"Email"			Remove letters, numbers, and! # $ % & '* +-/=? ^ _ '{| }~ Characters other.
FILTER_SANITIZE_ENCODED	"Encoded"		FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH	To remove or encode a specified string.
FILTER_SANITIZE_MAGIC_QUOTES	"Magic_quotes"			Apply the addslashes () function
FILTER_SANITIZE_NUMBER_FLOAT	"Number_float"		FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC	Remove characters except numbers, +-, and., eE
FILTER_SANITIZE_NUMBER_INT	"Number_int"			Remove characters except numbers and +-
FILTER_SANITIZE_SPECIAL_CHARS	"Special_chars"		FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH	HTML escape character, '"&> <以及 ascii 值小于 32 的字符。以及其它指定的字符。 < td>
FILTER_SANITIZE_STRING	"String"		FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP	Remove tags or encode specified characters.
FILTER_SANITIZE_STRIPPED	"Stripped"			Alias of "string" filter.
FILTER_SANITIZE_URL	"Url"			Delete all characters except letters, numbers, and $-_. +! * '(), {}|\\^ ~ [] '<> # % ";/? : @ & =
FILTER_UNSAFE_RAW	"Unsafe_raw"		FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP	Do not change, remove by flag or encode specified letters.
FILTER_CALLBACK	"Callback"		FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP	Custom filter

Flag space

ID	Available filters	Description
FILTER_FLAG_STRIP_LOW	FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW	Remove characters with ASCII less than 32.
FILTER_FLAG_STRIP_HIGH	FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW	Remove ASCII 127 characters.
FILTER_FLAG_ALLOW_FRACTION	FILTER_SANITIZE_NUMBER_FLOAT	Allowed decimal separator (.)
FILTER_FLAG_ALLOW_THOUSAND	FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT	Allows thousands of separators (,)
FILTER_FLAG_ALLOW_SCIENTIFIC	FILTER_SANITIZE_NUMBER_FLOAT	Scientific notation (e or E) is allowed ).
FILTER_FLAG_NO_ENCODE_QUOTES	FILTER_SANITIZE_STRING	Do not encode the quotation marks (single quotation marks and double quotation marks ).
FILTER_FLAG_ENCODE_LOW	FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_SANITIZE_RAW	Encode ASCII less than 32 characters.
FILTER_FLAG_ENCODE_HIGH	FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_SANITIZE_RAW	Encode ASCII letters greater than 127.
FILTER_FLAG_ENCODE_AMP	FILTER_SANITIZE_STRING, FILTER_SANITIZE_RAW	Encoding & symbol.
FILTER_NULL_ON_FAILURE	FILTER_VALIDATE_BOOLEAN	Returns null when the verification data is not the following string (yes, no, true, false, on, off ).
FILTER_FLAG_ALLOW_OCTAL	FILTER_VALIDATE_INT	The octal value (starting with 0) is allowed ).
FILTER_FLAG_ALLOW_HEX	FILTER_VALIDATE_INT	A hexadecimal value is allowed. (Starting with 0X or 0x ).
FILTER_FLAG_IPV4	FILTER_VALIDATE_IP	String in IP4 format.
FILTER_FLAG_IPV6	FILTER_VALIDATE_IP	String in IP6 format.
FILTER_FLAG_NO_PRIV_RANGE	FILTER_VALIDATE_IP	The private IP address specified by RFC. The following range of IP4 is 10.0.0.0/8, 172.16.0.0/24/24, 12,192.168 .0.0/16. Or a domain starting with IP6: FD or FC
FILTER_FLAG_NO_RES_RANGE	FILTER_VALIDATE_IP	The value is not within the reserved IP address range. IPv4 ranges: 0.0.0.0/8, 169.254.0.0/16,192.0 .2.0/24 and 224.0.0.0/4. It cannot be applied to ip6.
FILTER_FLAG_PATH_REQUIRED	FILTER_VALIDATE_URL	Required URLContains the path section.
FILTER_FLAG_QUERY_REQUIRED	FILTER_VALIDATE_URL	Required URLQuery string.