PHP filters are used to validate and filter data that comes from insecure sources, such as user input.
What is a PHP filter?
PHP filters are used to validate and filter data from unsafe sources.
Validating and filtering user input or other external data is an important part of any web application.
The PHP filter extension is designed to make data filtering easier and faster.
Why filter?
Almost all web applications depend on external input. This data usually comes from users or from other applications (such as web services). By using filters, you can make sure the application receives the correct input type.
You should always filter external data!
Input filtering is one of the most important application security issues.
What is external data?
Input data from a form
Cookies
Server Variables
Database query results
Functions and filters
To filter a variable, use one of the following filter functions:
filter_var() - filters a single variable with a specified filter
filter_var_array() - filters multiple variables with the same or different filters
filter_input() - gets one input variable and filters it
filter_input_array() - gets multiple input variables and filters them with the same or different filters
In the following example, we use the filter_var() function to validate an integer:

```php
<?php
$int = 123;

if (!filter_var($int, FILTER_VALIDATE_INT))
{
    echo "Integer is not valid";
}
else
{
    echo "Integer is valid";
}
?>
```

The code above uses the FILTER_VALIDATE_INT filter to filter the variable. Because the integer is valid, the output of the code is: "Integer is valid".
If we try it with a non-integer variable, the output is: "Integer is not valid".
For a complete list of functions and filters, visit our PHP filter reference manual.
Validating and sanitizing
There are two kinds of filters:
Validating filters:
Used to validate user input
Strict format rules (for example URL or e-mail validation)
Return the expected type on success, otherwise FALSE
Sanitizing filters:
Allow or disallow specified characters in a string
No data format rules
Always return a string
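The difference in return values matters when you test the result. The following added example (not code from the tutorial) shows a validating filter returning a typed value or FALSE, a sanitizing filter always returning a string, and why the result of a validating filter should be compared with === false; the function names and sample inputs are constructed for this example.

```php
<?php
// Added example (not from the tutorial): what the two kinds of filters return.

// A validating filter returns the value converted to the expected type,
// or FALSE when the input does not match the rules.
function validateInt(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT);
    // Compare with === false: the valid input "0" converts to int 0,
    // which a plain if (!$value) test (as in the tutorial) would reject.
    return $value === false ? null : $value;
}

// A sanitizing filter never fails: it returns a string with the
// disallowed characters removed, even when nothing sensible is left.
function sanitizeDigits(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

// Constructed sample inputs standing in for user-supplied values.
foreach (["42", "0", "42abc", "abc", " 7 "] as $raw) {
    $valid = validateInt($raw);
    printf(
        "%-8s validate: %-8s sanitize: \"%s\"\n",
        '"' . $raw . '"',
        $valid === null ? "rejected" : (string) $valid,
        sanitizeDigits($raw)
    );
}
```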
Options and flags
Options and flags are used to add extra filtering options to a specified filter.
Different filters have different options and flags.
In the following example, we use filter_var() with the "min_range" and "max_range" options to validate an integer:

```php
<?php
$var = 300;

$int_options = array(
    "options" => array
    (
        "min_range" => 0,
        "max_range" => 256
    )
);

if (!filter_var($var, FILTER_VALIDATE_INT, $int_options))
{
    echo "Integer is not valid";
}
else
{
    echo "Integer is valid";
}
?>
```

As in the code above, the options must be placed in an associative array under the key "options". If a flag is used, it does not need to be in the array.
Because the integer is 300 and is outside the specified range, the output of the code above is "Integer is not valid".
For a complete list of functions and filters, visit the PHP filter reference manual provided by w3school. There you can see the available options and flags for each filter.
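The following added example (not code from the tutorial) shows both ways of passing a flag: on its own as the third argument, or under the "flags" key when options are also needed. It extends the range check above with FILTER_FLAG_ALLOW_HEX and FILTER_NULL_ON_FAILURE; the function names and sample inputs are constructed for this example.

```php
<?php
// Added example (not from the tutorial): a range check that can also accept
// hexadecimal input. A flag alone may be the third argument, but once
// options are needed the flag must go under the "flags" key of the array.
function validateByte(string $raw, bool $allowHex = false): ?int
{
    $flags = FILTER_NULL_ON_FAILURE;    // failure becomes NULL instead of FALSE
    if ($allowHex) {
        $flags |= FILTER_FLAG_ALLOW_HEX; // also accept "0x.." notation
    }
    return filter_var($raw, FILTER_VALIDATE_INT, [
        "options" => ["min_range" => 0, "max_range" => 255],
        "flags"   => $flags,
    ]);
}

// Flag only, no options: the flag is passed directly as the third argument.
function isIntLiteral(string $raw): bool
{
    return filter_var($raw, FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX) !== false;
}

// Constructed sample inputs; "0x100" is 256 and so falls outside the range.
foreach (["0", "255", "300", "0xff", "0x100", "-1"] as $raw) {
    printf("%-6s decimal-only: %-5s hex-allowed: %-5s literal: %s\n",
        $raw,
        var_export(validateByte($raw), true),
        var_export(validateByte($raw, true), true),
        var_export(isIntLiteral($raw), true));
}
```

Returning NULL on failure keeps a rejected value distinguishable from a legitimately returned 0.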
Validating input
Let's try to validate input from a form.
The first thing we need to do is to confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the following example, the input variable "email" is sent to the PHP page:

```php
<?php
if (!filter_has_var(INPUT_GET, "email"))
{
    echo "Input type does not exist";
}
else
{
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
    {
        echo "E-Mail is not valid";
    }
    else
    {
        echo "E-Mail is valid";
    }
}
?>
```

Example:
In the example above, an input variable (email) is sent to the PHP page via the "GET" method:
Check whether a "GET" input variable named "email" exists
If the variable exists, check whether it is a valid e-mail address
Sanitizing input
Let's try to clean up a URL sent from a form.
First, check whether the input data we are looking for exists.
Then we use the filter_input() function to sanitize the input data.
In the following example, the input variable "url" is sent to the PHP page:

```php
<?php
if (!filter_has_var(INPUT_POST, "url"))
{
    echo "Input type does not exist";
}
else
{
    $url = filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL);
}
?>
```

Example:
In the example above, an input variable (url) is sent to the PHP page via the "POST" method:
Check whether a "POST" input variable named "url" exists
If the input variable exists, sanitize it (remove invalid characters) and store it in the $url variable
If the input variable looks like this: "http://www.W3#$%s^%$#ool.com.cn/", the $url variable after sanitizing should look like this:
http://www.w3school.com.cn/
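Sanitizing only removes characters; it does not establish that what remains is a usable URL. The following added example (not code from the tutorial) applies FILTER_SANITIZE_URL as above, then validates the result with FILTER_VALIDATE_URL and checks the scheme against an allow-list before the value is used; the function name and the sample inputs are constructed for this example.

```php
<?php
// Added example (not from the tutorial): sanitize, then validate, then check
// the scheme. FILTER_VALIDATE_URL accepts any scheme that parses, so a page
// that follows or redirects to the URL still needs its own allow-list.
function cleanUrl(string $raw): ?string
{
    // Step 1: sanitize, as the tutorial does (strips characters that can
    // never appear in a URL, such as spaces and non-ASCII letters).
    $url = filter_var($raw, FILTER_SANITIZE_URL);

    // Step 2: validate the sanitized string as an absolute URL.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 3: accept only the schemes this application expects.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ["http", "https"], true)) {
        return null;
    }
    return $url;
}

// Constructed sample inputs standing in for $_POST["url"].
$samples = [
    "http://www.w3school.com.cn/",
    "http://www.w3school.com.cn/pa ge",  // the space is removed by sanitizing
    "www.w3school.com.cn",               // no scheme: fails validation
    "ftp://files.example.com/",          // valid URL, scheme not allowed here
];
foreach ($samples as $raw) {
    $clean = cleanUrl($raw);
    echo '"', $raw, '" => ', $clean === null ? "rejected" : $clean, "\n";
}
```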
Filtering multiple inputs
A form usually consists of several input fields. To avoid calling filter_var() or filter_input() over and over, we can use the filter_var_array() or filter_input_array() function.
In this example, we use the filter_input_array() function to filter three GET variables. The GET variables received are a name, an age and an e-mail address:

```php
<?php
$filters = array
(
    "name" => array
    (
        "filter" => FILTER_SANITIZE_STRING  // deprecated since PHP 8.1
    ),
    "age" => array
    (
        "filter" => FILTER_VALIDATE_INT,
        "options" => array
        (
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL,
);

$result = filter_input_array(INPUT_GET, $filters);

if (!$result["age"])
{
    echo "Age must be a number between 1 and 120.<br />";
}
elseif (!$result["email"])
{
    echo "E-Mail is not valid.<br />";
}
else
{
    echo "User input is valid";
}
?>
```

Example:
In the example above, three input variables (name, age and email) are sent to the PHP page via the "GET" method:
Set up an array containing the names of the input variables and the filter to use for each of them
Call the filter_input_array() function with the GET input variables and the array just set up as parameters
Check the "age" and "email" variables in the $result variable for invalid input (if there is invalid input, an error message is printed)
The second parameter of the filter_input_array() function can be an array or the ID of a single filter.
If the parameter is a single filter ID, that filter is applied to all values in the input array.
If the parameter is an array, the array must follow these rules:
It must be an associative array whose keys are the names of the input variables (for example the "age" input variable)
The values of the array must be either a filter ID or an array specifying the filter, flags and options
Using filter callbacks
With the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This gives us full control over the filtering of the data.
You can create your own custom function or use an existing PHP function.
The function to use is specified the same way an option is specified: in an associative array under the key "options".
In the following example, we use a custom function to convert all "_" characters to spaces:

```php
<?php
function convertSpace($string)
{
    return str_replace("_", " ", $string);
}

$string = "Peter_is_a_great_guy!";

echo filter_var($string, FILTER_CALLBACK,
    array("options" => "convertSpace"));
?>
```

The result of the code above is:
Peter is a great guy!
Example:
In the example above, all "_" characters are converted to spaces:
Create a function that replaces "_" with spaces
Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function
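The following added example (not code from the tutorial) brings the filter-array and callback sections together: one definition array filters a whole request, and the callback entry returns FALSE to reject a value rather than only transforming it. Because FILTER_SANITIZE_STRING is deprecated since PHP 8.1, the name field uses the callback instead. filter_var_array() over a constructed array stands in for filter_input_array(INPUT_GET, ...) so the script runs from the command line; the function name and sample request are constructed for this example.

```php
<?php
// Added example (not from the tutorial): one definition array for a whole
// request, with a FILTER_CALLBACK entry whose function returns FALSE to reject.
// filter_var_array() on a constructed array stands in for
// filter_input_array(INPUT_GET, $filters) so the script runs from the CLI.

// Callback filter for "name": apply the tutorial's "_" to space conversion,
// then allow-list the result (letters, spaces, hyphens, 1 to 40 characters).
function validateName($value)
{
    $name = trim(str_replace("_", " ", (string) $value));
    return preg_match('/^[A-Za-z][A-Za-z -]{0,39}$/', $name) === 1 ? $name : false;
}

$filters = [
    "name" => [
        "filter"  => FILTER_CALLBACK,
        "options" => "validateName",   // the callback goes under "options"
    ],
    "age" => [
        "filter"  => FILTER_VALIDATE_INT,
        "options" => ["min_range" => 1, "max_range" => 120],
    ],
    "email" => FILTER_VALIDATE_EMAIL,
];

// Constructed stand-in for $_GET: "email" is deliberately left out.
$request = ["name" => "peter_is_a_great_guy!", "age" => "130"];

$result = filter_var_array($request, $filters);

// Every key from $filters appears in $result: NULL means the field was not
// sent at all, FALSE means it was sent but failed its filter.
foreach ($result as $field => $value) {
    if ($value === null) {
        echo "$field: missing\n";
    } elseif ($value === false) {
        echo "$field: invalid\n";
    } else {
        echo "$field: ok (", var_export($value, true), ")\n";
    }
}
```

Distinguishing NULL (absent) from FALSE (invalid) lets the application report a missing field separately from a malformed one.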