PHP filters are used to validate and filter data from non-secure sources, such as user input.
PHP filters are used to validate and filter data from non-secure sources.
Validating and filtering user input or custom data is an important part of any web application.
Filter extensions for PHP are designed to make data filtering easier and faster.
Almost all web applications rely on external input. This data usually comes from users or other applications (such as web services). By using filters, you can ensure that your application gets the correct input type.
You should always filter external data!
Input filtering is one of the most important application security topics.
To filter variables, use one of the filter functions below:
In the example below, we validate an integer using the filter_var() function:
<?php
$int = 123;
if(!<code>filter_var($int, FILTER_VALIDATE_INT)</code>)
{
echo("Integer is not valid");
}
else
{
echo("Integer is valid");
}
?>The above code uses the "FILTER_VALIDATE_INT" filter to filter variables. Since this integer is legal, the output of the code is: "Integer is valid".
If we try to use a non-integer variable, the output is: "Integer is not valid".
For a complete list of functions and filters, visit our PHP Filter Reference Manual.
There are two types of filters:
Options and flags are used to add additional filtering options to the specified filter.
Different filters have different options and flags.
In the example below, we validate an integer using filter_var() with the "min_range" and "max_range" options:
<?php
$var=300;
<span class="marked">
$int_options = array(
"options"=>array
(
"min_range"=>0,
"max_range"=>256
)
);
if(!<code>filter_var($var, FILTER_VALIDATE_INT, $int_options)</code>)
{
echo("Integer is not valid");
}
else
{
echo("Integer is valid");
}
?>Just like the code above, the options must be put into a related array called "options". If using flags, they don't need to be in an array.
Since the integer is "300", which is not within the specified range, the output of the above code will be "Integer is not valid".
For a complete list of functions and filters, please visit the PHP Filter Reference Manual provided by W3School. You can see the available options and flags for each filter.
Let's try to validate the input from the form.
The first thing we need to do is confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the example below, the input variable "email" is passed to the PHP page:
<?php
if(!filter_has_var(INPUT_GET, "email"))
{
echo("Input type does not exist");
}
else
{
if (!<code>filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL)</code>)
{
echo "E-Mail is not valid";
}
else
{
echo "E-Mail is valid";
}
}
?>The example above has an input variable (email) passed via the "GET" method:
Let’s try to clean up the URL passed from the form.
First, we want to confirm that the input data we are looking for exists.
Then, we use the filter_input() function to purify the input data.
In the example below, the input variable "url" is passed to the PHP page:
<?php
if(!filter_has_var(INPUT_POST, "url"))
{
echo("Input type does not exist");
}
else
{
$url = <code>filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL)</code>;
}
?>The example above has an input variable (url) passed via the "POST" method:
If the input variable is similar to this: "http://www.W3 illegal ol.com.c character n/", then the purified $url variable should be like this:
http://www.W3School.com.cn/
表单通常由多个输入字段组成。为了避免对 filter_var 或 filter_input 重复调用,我们可以使用 filter_var_array 或 the filter_input_array 函数。
在本例中,我们使用 filter_input_array() 函数来过滤三个 GET 变量。接收到的 GET 变量是一个名字、一个年龄以及一个邮件地址:
<?php
<span class="marked">$filters = array
(
"name" => array
(
"filter"=>FILTER_SANITIZE_STRING
),
"age" => array
(
"filter"=>FILTER_VALIDATE_INT,
"options"=>array
(
"min_range"=>1,
"max_range"=>120
)
),
"email"=> FILTER_VALIDATE_EMAIL,
);
$result = <code>filter_input_array(INPUT_GET, $filters)</code>;(array(3) { ["name"]=> string(1) "1" ["age"]=> bool(false) ["email"]=> string(8) "1@qq.com" })
if (!$result["age"])
{
echo("Age must be a number between 1 and 120.<br />");
}
elseif(!$result["email"])
{
echo("E-Mail is not valid.<br />");
}
else
{
echo("User input is valid");
}
?>上面的例子有三个通过 "GET" 方法传送的输入变量 (name, age and email)
filter_input_array() 函数的第二个参数可以是数组或单一过滤器的 ID。
如果该参数是单一过滤器的 ID,那么这个指定的过滤器会过滤输入数组中所有的值。
如果该参数是一个数组,那么此数组必须遵循下面的规则:
通过使用 FILTER_CALLBACK 过滤器,可以调用自定义的函数,把它作为一个过滤器来使用。这样,我们就拥有了数据过滤的完全控制权。
您可以创建自己的自定义函数,也可以使用已有的 PHP 函数。
规定您准备用到过滤器函数的方法,与规定选项的方法相同。
在下面的例子中,我们使用了一个自定义的函数把所有 "_" 转换为空格:
<?php
<span class="marked">function convertSpace($string)
{
return str_replace("_", " ", $string);
}
$string = "Peter_is_a_great_guy!";
echo <code>filter_var($string, FILTER_CALLBACK, array("options"=>"convertSpace"));
?>以上代码的结果是这样的:
Peter is a great guy!
上面的例子把所有 "_" 转换成空格:
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
