PHP filters are used to validate and filter data from non-secure sources, such as user input.
What is a PHP filter?
PHP filters are used to validate and filter data from non-secure sources.
Validating and filtering user input or custom data is an important part of any web application.
The purpose of designing a PHP filter extension is to make data filtering easier and faster.
Why use filters?
Almost all web applications rely on external input. These data are usually from users or other applications (such as web services). By using filters, you can ensure that your program should have the correct type of input.
You should always filter external data!
Input filtering is one of the most important application security issues.
What is external data?
Input data from the form
Cookies
Server Variables Database Query Results Functions and Filters To filter variables, use one of the following filter functions:
filter_var () - Filters a single variable with a specified filter
filter_var_array () - Filters multiple variables with the same or different filters
filter_input - Get an input variable and filter it
filter_input_array - Get multiple input variables and filter them through the same or different filters In the following example, we validate an integer using the filter_var () function:
<? php
$ int = 123;
if (! filter_var ($ int, FILTER_VALIDATE_INT))
{
echo ("Integer is not valid");
}
else
{
echo ("Integer is valid");
}
?>
The above code uses the "FILTER_VALIDATE_INT" filter to filter variables. Since this integer is legal, the output of the code is: "Integer is valid".
If we try to use a non-integer variable, the output is: "Integer is not valid".
Validating and Sanitizing
There are two filters:
Validating filter:
Used to validate user input strict formatting rules (such as URL or E-Mail authentication)
Returns the type if successful, otherwise returns FALSE
Sanitizing filter:
Used to allow or prohibit characters specified in a string No data Format Rules Always return string options and flags Options and flags are used to add additional filtering options to the specified filter.
Different filters have different options and logos.
In the following example, we validate an integer with the filter_var () and min_range and max_range options:
<? php
$ var = 300;
$ int_options = array (
"options" => array
(
"min_range" => 0,
"max_range" => 256
)
);
if (! filter_var ($ var, FILTER_VALIDATE_INT, $ int_options))
{
echo ("Integer is not valid");
}
else
{
echo ("Integer is valid");
}
?>
Like the code above, the options must be placed in a related array named "options." If you use flags, you do not need to be inside the array.
Since the integer is "300", it is not within the specified ambience and the output of the above code will be "Integer is not valid".
For a complete list of functions and filters, visit the PHP Filter Reference Manual available from W3Schools. You can see the available options and logos for each filter.
Validation Input Let's try to validate the input from the form.
The first thing we need to do is confirm whether there is input data that we are looking for.
Then we use the filter_input () function to filter the input data.
In the following example, the input variable "email" is passed to the PHP page:
<? php
if (! filter_has_var (INPUT_GET, "email"))
{
echo ("Input type does not exist");
}
else
{
if (! filter_input (INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
{
echo "E-Mail is not valid";
}
else
{
echo "E-Mail is valid";
}
}
?>
Example explanation:
The example above has an input variable (email) sent via the "GET" method:
Detects the existence of a "GET" type "email" input variable Detects if it is a valid email address if an input variable exists Purging input Let's try to clean up the URL coming from the form.
First, we want to confirm whether there is input data we are looking for.
Then, we use the filter_input () function to purify the input data.
In the following example, the input variable "url" is passed to the PHP page:
<? php
if (! filter_has_var (INPUT_POST, "url"))
{
echo ("Input type does not exist");
}
else
{
$ url = filter_input (INPUT_POST,
"url", FILTER_SANITIZE_URL);
}
?>
Example explanation:
The above example has an input variable (url) passed through the "POST" method:
Detects the existence of a "POST" type "url" input variable If this input variable exists, purifies it (deletes illegal characters) and stores it in the $ url variable If the input variable looks like this: "http: // www .W3 # $% S ^% $ # ool.com.cn/ ", then the purified $ url variable should look like this:
http://www.jzread.com/
Filtering multiple input forms usually consists of multiple input fields. To avoid repeated calls to filter_var or filter_input, we can use filter_var_array or the filter_input_array function.
In this case, we use the filter_input_array () function to filter the three GET variables. The received GET variable is a name, an age, and an email address:
<? php
$ filters = array
(
"name" => array
(
"filter" => FILTER_SANITIZE_STRING
),
"age" => array
(
"filter" => FILTER_VALIDATE_INT,
"options" => array
(
"min_range" => 1,
"max_range" => 120
)
),
"email" => FILTER_VALIDATE_EMAIL,
);
$ result = filter_input_array (INPUT_GET, $ filters);
if (! $ result ["age"])
{
echo ("Age must be a number between 1 and 120. <br />");
}
elseif (! $ result ["email"])
{
echo ("E-Mail is not valid. <br />");
}
else
{
echo ("User input is valid");
}
?>
Example explanation:
The above example has three input variables (name, age and email) passed through the "GET" method
Set an array containing the name of the input variable and the filter for the specified input variable Call the filter_input_array function, which includes the GET input variable and the array you just set Check the "age" and "email" variables in the $ result variable Is there any illegal input? (If there is illegal input)
The second argument to the filter_input_array () function can be an array or a single filter ID.
If this parameter is the ID of a single filter, then this specified filter will filter all the values in the input array.
If this parameter is an array, then this array must follow the following rules:
Must be an associative array containing the input variables that are the keys of the array (such as the "age" input variable)
The value of this array must be the ID of the filter, or an array of filters, flags, and options. Use the Filter Callback
By using the FILTER_CALLBACK filter, you can call a custom function to use it as a filter. In this way, we have complete control over data filtering.
You can create your own custom functions or use existing PHP functions.
The function that specifies the filter you are going to use, is the same as specifying the options.
In the following example, we use a custom function to convert all "_" to spaces:
<? php
function convertSpace ($ string)
{
return str_replace ("_", "", $ string);
}
$ string = "Peter_is_a_great_guy!";
echo filter_var ($ string, FILTER_CALLBACK,
array ("options" => "convertSpace"));
?>
The result of the above code is this:
Peter is a great guy!
Example explanation:
The above example translates all "_" into spaces:
Create a function that calls "__" with a space call to the filter_var () function whose parameters are the FILTER_CALLBACK filter and an array containing our function