In the past, users obtained information from the network; today's web focuses more on interaction with users. Users are no longer merely viewers of a site but also producers of its content: the web has evolved from simple "reading" to "writing" and "co-creation", and from passive reception of information to active participation. The security issues that come with this have become a problem web developers cannot ignore, and validating data from third-party sources has become an essential feature of every web application.
In the past, data validation in PHP was generally implemented by the programmer with regular expressions. Since PHP 5.2, the filter functions that originally lived in PECL have been moved into the built-in library, which makes filtering and validating data with these functions much more convenient.
Data source and verification type
The data handled by PHP comes from two places: external variables (such as POST, GET and COOKIE) and data generated inside the page itself. PHP defines the filter_input and filter_var series of functions for these two kinds of data. The filtering methods themselves fall into two categories, Validating and Sanitizing. Validating checks data against a rule and returns the value on success or false on failure. Sanitizing removes or encodes specific characters according to a rule and returns the processed string.
Simple usage
For example, to check whether a string is an integer, we could in the past use a regular expression or the is_numeric function:
The code is as follows:
$str = '51ab';
preg_match('/^[0-9]+$/', $str); // 0: the string is not made up only of digits
is_numeric($str);               // false
With the new validation function this can be written as:
$str = '51ab';
echo filter_var($str, FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';
FILTER_VALIDATE_INT is a filter defined by PHP that checks whether $str is an integer. It is in fact a numeric constant: echo FILTER_VALIDATE_INT prints 257, so the following is equivalent:
$str = '51ab';
echo filter_var($str, 257) ? 'is valid' : 'is not valid';
PHP defines a large number of commonly used filters. filter_list() returns the names (as strings) of all supported filters, and filter_id(string) returns the numeric ID for a given name:
print_r(filter_list()); // all supported filter names
echo '============';
echo filter_id('int');  // 'int' is one of the names returned by filter_list()
The output is:
Array ( [0] => int [1] => boolean [2] => float [3] => validate_regexp ... )
============
257
Sanitizing filter
The above only checks whether the data has the right format; sometimes it is just as important to strip out irrelevant content. The SANITIZE filters provide this, for example removing characters that do not belong in an email address:
$email = '<script>alert("test");</script>xxx@caixw.com';
echo $email; // output directly: the script is executed in the browser
echo filter_var($email, FILTER_SANITIZE_EMAIL); // strips < and > among others; output: scriptalerttestscriptxxx@caixw.com
Options and flags
filter_var can do more than this: a third parameter passes additional options, for example the maximum value an integer may have:
The code is as follows:
$options = array(
    'options' => array('max_range' => 50),
    'flags'   => FILTER_FLAG_ALLOW_OCTAL,
);
$str = '51';
echo filter_var($str, FILTER_VALIDATE_INT, $options) ? 'is valid' : 'is not valid';
The above prints "is not valid": max_range sets the maximum allowed value to 50. FILTER_FLAG_ALLOW_OCTAL means that octal values, that is, values starting with 0, are also accepted.
The $options parameter is an array with two elements, options and flags. If only flags are needed, they can also be passed directly as the third argument without wrapping them in an array.
Verify external data
Besides data generated by the PHP script itself, data submitted by users makes up the majority. This can of course also be filtered with filter_var directly:
The code is as follows:
if (isset($_GET['age']))
{
    echo filter_var($_GET['age'], FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';
}
However, PHP also provides functions specifically for validating data from external sources:
The code is as follows:
if (filter_has_var(INPUT_GET, 'age'))
{
    echo filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT) ? 'is valid' : 'is not valid';
}
Compared with filter_var, filter_input takes one extra parameter (the first one) that specifies the data source; filter_has_var() checks whether the specified input variable exists.
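The following is an added example, not code from the original post: it validates the same kind of request fields as the snippets above, but with the strict comparisons a practitioner needs, and shows why validating beats sanitizing for the email payload used earlier. The validate_age and accept_email helpers and the sample array are assumptions made for this example.

```php
<?php
// Added example, not part of the original post: validate request fields the way
// the post describes, with the checks a defender actually needs. filter_var()
// returns the filtered value on success and false on failure, so a plain
// truthiness test misreads a legitimate "0" as invalid; compare with === false.

function validate_age(array $source)
{
    if (!isset($source['age'])) {
        return null;                     // field absent: the caller decides
    }
    $opts = array('options' => array('min_range' => 0, 'max_range' => 150));
    $age = filter_var($source['age'], FILTER_VALIDATE_INT, $opts);
    return $age === false ? null : $age; // null = rejected; 0 is a valid age
}

// Validate the raw value and reject on failure. Sanitizing first is tempting,
// but FILTER_SANITIZE_EMAIL only deletes characters: the post's payload is
// rewritten into an address that then passes FILTER_VALIDATE_EMAIL even
// though the user never typed it.
function accept_email($raw)
{
    $valid = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample input standing in for $_GET.
$sample = array(
    'age'   => '0',                                   // valid, but falsy
    'email' => '<script>alert("test");</script>xxx@caixw.com',
);

var_dump(validate_age($sample));                      // accepted as an int
var_dump(validate_age(array('age' => '51ab')));       // rejected
var_dump(validate_age(array('age' => '0x1A')));       // rejected: hex needs FILTER_FLAG_ALLOW_HEX

var_dump(accept_email($sample['email']));             // rejected as typed
$stripped = filter_var($sample['email'], FILTER_SANITIZE_EMAIL);
var_dump(accept_email($stripped));                    // accepted: the sanitizer "repaired" garbage

// Whatever is accepted is still escaped on output; validation is not output encoding.
echo htmlspecialchars((string) $stripped, ENT_QUOTES, 'UTF-8'), "\n";
```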
Filtering multiple values at once
PHP also provides the filter_var_array and filter_input_array functions to validate several values in a single call.
The following example from php.net shows how to use filter_var_array.
The code is as follows:
$data = array(
    'product_id' => 'libgd<script>',
    'component'  => '10',
    'version'    => '2.0.33',
    'testscalar' => array('2', '23', '10', '12'),
    'testarray'  => '2',
);
$args = array(
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => array(
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_FORCE_ARRAY,
        'options' => array('min_range' => 1, 'max_range' => 10),
    ),
    'version'      => FILTER_SANITIZE_ENCODED,
    'doesnotexist' => FILTER_VALIDATE_INT,
    'testscalar'   => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_SCALAR,
    ),
    'testarray'    => array(
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_FORCE_ARRAY,
    ),
);
$myinputs = filter_var_array($data, $args);
Custom filter
A custom filter can be specified by passing the special filter FILTER_CALLBACK. The following filter replaces the @ in an email address with #.
The code is as follows:
function fun($value)
{
    return strtr($value, '@', '#');
}
$var = filter_var('abc@caixw.com', FILTER_CALLBACK, array('options' => 'fun'));
echo $var;
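As an added example that is not from the original post or from php.net, the following combines the two sections above: one filter_var_array() definition validates a whole constructed request array, and a FILTER_CALLBACK entry carries a rule the built-in filters do not cover. The check_handle function, the field names and the input values are hypothetical.

```php
<?php
// Added example, not from the original post or php.net: one filter_var_array()
// call checks a whole constructed request, and FILTER_CALLBACK carries a rule
// the built-in filters do not cover. filter_var_array() reports each field in
// one of three ways: null when the key is absent from the input, false when the
// value fails its filter, and the (possibly converted) value when it is accepted.

// Hypothetical custom rule: a short lowercase handle, nothing else.
function check_handle($value)
{
    return preg_match('/^[a-z][a-z0-9_]{2,15}$/', $value) ? $value : false;
}

$definition = array(
    'age'    => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 0, 'max_range' => 150),
    ),
    'ip'     => array(
        'filter' => FILTER_VALIDATE_IP,
        'flags'  => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
    ),
    'handle' => array(
        'filter'  => FILTER_CALLBACK,
        'options' => 'check_handle',
    ),
    'email'  => FILTER_VALIDATE_EMAIL,
);

// Constructed input standing in for $_POST; 'email' is deliberately absent.
$input = array(
    'age'    => '0',            // valid but falsy, so the === checks below matter
    'ip'     => '192.168.1.10', // private range, excluded by FILTER_FLAG_NO_PRIV_RANGE
    'handle' => 'Root;drop',    // does not satisfy the callback rule
);

$result = filter_var_array($input, $definition);

foreach ($result as $field => $value) {
    if ($value === null) {
        echo "$field: missing\n";
    } elseif ($value === false) {
        echo "$field: rejected\n";
    } else {
        echo "$field: accepted (", var_export($value, true), ")\n";
    }
}
```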
Others
| ID (filter constant) | Name (returned by filter_list()) | Available options | Flags | Description |
|---|---|---|---|---|
| Validating | | | | |
| FILTER_VALIDATE_BOOLEAN | "boolean" | | FILTER_NULL_ON_FAILURE | Returns true for "1", "true", "on" and "yes", otherwise false. If FILTER_NULL_ON_FAILURE is set, false is returned only for "0", "false", "off", "no" and "", and every other non-true value returns null. |
| FILTER_VALIDATE_EMAIL | "validate_email" | | | Validates an email address. |
| FILTER_VALIDATE_FLOAT | "float" | decimal | FILTER_FLAG_ALLOW_THOUSAND | Validates a floating-point number. |
| FILTER_VALIDATE_INT | "int" | min_range, max_range | FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX | Validates an integer, optionally within a specified range. |
| FILTER_VALIDATE_IP | "validate_ip" | | FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE | Validates an IP address. |
| FILTER_VALIDATE_REGEXP | "validate_regexp" | regexp | | Validates the value against a regular expression. |
| FILTER_VALIDATE_URL | "validate_url" | | FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED | Validates a URL. |
| Sanitizing | | | | |
| FILTER_SANITIZE_EMAIL | "email" | | | Removes all characters except letters, digits and !#$%&'*+-=?^_`{\|}~@.[] |
| FILTER_SANITIZE_ENCODED | "encoded" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encodes the string; optionally strips or encodes special characters. |
| FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | | Applies the addslashes() function. |
| FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Removes all characters except digits, +- and, depending on the flags, . , eE |
| FILTER_SANITIZE_NUMBER_INT | "number_int" | | | Removes all characters except digits and +- |
| FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-escapes '"<>&, characters with an ASCII value below 32, and other specified characters. |
| FILTER_SANITIZE_STRING | "string" | | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strips tags; optionally strips or encodes specified characters. |
| FILTER_SANITIZE_STRIPPED | "stripped" | | | Alias of the "string" filter. |
| FILTER_SANITIZE_URL | "url" | | | Removes all characters except letters, digits and $-_.+!*'(),{}\|\\^~[]`<>#%";/?:@&= |
| FILTER_UNSAFE_RAW | "unsafe_raw" | | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Does nothing by itself; optionally strips or encodes specified characters according to the flags. |
| FILTER_CALLBACK | "callback" | callback function | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Custom filter: calls a user-defined function to filter the data. |
Flags
| ID | Available filters | Description |
|---|---|---|
| FILTER_FLAG_STRIP_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with an ASCII value below 32. |
| FILTER_FLAG_STRIP_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with an ASCII value above 127. |
| FILTER_FLAG_ALLOW_FRACTION | FILTER_SANITIZE_NUMBER_FLOAT | Allows the decimal separator (.). |
| FILTER_FLAG_ALLOW_THOUSAND | FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT | Allows the thousands separator (,). |
| FILTER_FLAG_ALLOW_SCIENTIFIC | FILTER_SANITIZE_NUMBER_FLOAT | Allows scientific notation (e or E). |
| FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_SANITIZE_STRING | Does not encode quotation marks (single or double). |
| FILTER_FLAG_ENCODE_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with an ASCII value below 32. |
| FILTER_FLAG_ENCODE_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes characters with an ASCII value above 127. |
| FILTER_FLAG_ENCODE_AMP | FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes the & character. |
| FILTER_NULL_ON_FAILURE | FILTER_VALIDATE_BOOLEAN | Returns null instead of false when the value is none of the recognized strings (yes, no, true, false, on, off). |
| FILTER_FLAG_ALLOW_OCTAL | FILTER_VALIDATE_INT | Allows octal values (starting with 0). |
| FILTER_FLAG_ALLOW_HEX | FILTER_VALIDATE_INT | Allows hexadecimal values (starting with 0x or 0X). |
| FILTER_FLAG_IPV4 | FILTER_VALIDATE_IP | Requires a string in IPv4 format. |
| FILTER_FLAG_IPV6 | FILTER_VALIDATE_IP | Requires a string in IPv6 format. |
| FILTER_FLAG_NO_PRIV_RANGE | FILTER_VALIDATE_IP | Fails validation for the private ranges defined by RFC: for IPv4 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16, and for IPv6 addresses starting with FD or FC. |
| FILTER_FLAG_NO_RES_RANGE | FILTER_VALIDATE_IP | Fails validation for the reserved ranges. IPv4 ranges: 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24 and 224.0.0.0/4. Not applied to IPv6. |
| FILTER_FLAG_PATH_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a path component. |
| FILTER_FLAG_QUERY_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a query string. |