
Php Filter

* * *

PHP filters are used to validate and filter data from insecure sources, such as user input.

* * *

## What Are PHP Filters?

PHP filters are used to validate and filter data from insecure sources.

Testing, validating, and filtering user input or custom data is an essential part of any web application.

The PHP Filter extension is designed to make data filtering easier and faster.

* * *

## Why Use Filters?

Almost all web applications rely on external input. This data usually comes from users or other applications (e.g., web services). By using filters, you can ensure your application receives the correct input type.

**You should always filter external data!**

Input filtering is one of the most critical application security topics.

What is external data?

* Input data from forms
* Cookies
* Web services data
* Server variables
* Database query results

* * *

## Functions and Filters

To filter a variable, use one of the following filter functions:

* filter_var() - Filters a single variable with a specified filter
* filter_var_array() - Filters multiple variables with the same or different filters
* filter_input() - Gets an input variable and filters it
* filter_input_array() - Gets multiple input variables and filters them with the same or different filters

In the example below, we use the filter_var() function to validate an integer:

## Example

(example code not preserved)

The code above uses the "FILTER_VALIDATE_INT" filter to filter the variable. Since this integer is valid, the code above outputs the message for a valid integer.

If we try using a non-integer variable (e.g., "123abc"), the output will be: "Integer is not valid".

For a complete list of functions and filters, please visit our filter reference.
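As an added example (not the page's own code, whose listing is missing here), the integer check from this section, extended to the "min_range"/"max_range" options and the flags covered in the next section. The helper name validateInt and the sample values are assumptions. It also shows the strict comparison a practitioner needs: a valid input of 0 is returned as int(0), which is falsy, so a bare `if (!filter_var(...))` would reject it.

```php
<?php
// Added example (not from the original page): validating integers with
// filter_var(), FILTER_VALIDATE_INT, range options and a flag.
// The helper name validateInt and the sample values are assumptions.

/**
 * Validate $raw as an integer in [$min, $max].
 * Returns the integer on success, or null when the input is not a valid
 * integer or is out of range.
 */
function validateInt(mixed $raw, int $min, int $max, int $flags = 0): ?int
{
    $options = [
        "options" => ["min_range" => $min, "max_range" => $max],
        "flags"   => $flags,   // flags may also be passed directly as the 3rd argument
    ];
    $value = filter_var($raw, FILTER_VALIDATE_INT, $options);
    // Compare with === : a valid input of 0 is returned as int(0), which is
    // falsy, so `if (!filter_var(...))` would wrongly reject it.
    return $value === false ? null : $value;
}

// Constructed sample inputs: the page's cases plus a few edge cases.
$samples = [
    ["123",    0, 256, 0],
    ["123abc", 0, 256, 0],                      // not an integer
    [300,      0, 256, 0],                      // outside the range
    ["0",      0, 256, 0],                      // valid, but falsy
    ["0x1A",   0, 256, FILTER_FLAG_ALLOW_HEX],  // accepted only with the flag
    ["0x1A",   0, 256, 0],                      // rejected without it
];

foreach ($samples as [$raw, $min, $max, $flags]) {
    $result = validateInt($raw, $min, $max, $flags);
    printf("%-8s -> %s\n", var_export($raw, true),
        $result === null ? "is not a valid integer" : "is a valid integer ($result)");
}
```

Run with `php validate_int.php`; the hex case prints 26 only on the line where FILTER_FLAG_ALLOW_HEX is set.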
* * *

## Validating and Sanitizing

There are two types of filters:

Validating filters:

* Used to validate user input
* Strict formatting rules (e.g., URL or email validation)
* Return the expected type on success, FALSE on failure

Sanitizing filters:

* Used to allow or disallow specified characters in a string
* No data formatting rules
* Always return a string

* * *

## Options and Flags

Options and flags are used to add extra filtering options to a specified filter. Different filters have different options and flags.

In the example below, we use filter_var() with the "min_range" and "max_range" options to validate an integer:

## Example

```php
<?php
$var = 300;

// Options must be placed inside an associative array under the key "options"
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);

if (!filter_var($var, FILTER_VALIDATE_INT, $int_options)) {
    echo("is not a valid integer");
} else {
    echo("is a valid integer");
}
?>
```

As shown in the code above, options must be placed inside an associative array named "options". If using flags, they do not need to be placed inside an array.

Since the integer is "300", which falls outside the specified range, the output of the above code will be:

is not a valid integer

For a complete list of functions and filters, please visit our filter reference, where you can see the available options and flags for each filter.

* * *

## Validating Input

Let's try validating input from a form.

The first thing we need to do is confirm whether the input data we're looking for exists. Then we filter the input data using the filter_input() function.

In the example below, the input variable "email" is passed to the PHP page:

## Example

(example code not preserved)

The test result of the above example is as follows:

(output screenshot not preserved)

## Example Explanation

The example above has an input variable (email) sent via the "GET" method:

1. Check whether a "GET"-type "email" input variable exists
2. If the input variable exists, check whether it is a valid email address

* * *

## Sanitizing Input

Let's try sanitizing a URL submitted from a form.
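The email check walked through above and the URL sanitizing walkthrough that follows, as one added example that is not the page's own code: the helper names checkEmail and cleanUrl, and the sample values other than the page's own URL, are assumptions. Because filter_input() reads the live request rather than a variable, the helpers take the raw value as a parameter and are run here over constructed values; the request wiring is shown in a comment.

```php
<?php
// Added example (not from the original page): the validate-then-branch flow
// for an "email" field and the sanitize flow for a "url" field, run over
// constructed sample values. In a real request handler the values come from
//   $raw = filter_has_var(INPUT_GET, "email") ? filter_input(INPUT_GET, "email") : null;
// and likewise for "url". The helper names are assumptions.

function checkEmail(?string $raw): string
{
    if ($raw === null) {
        return "No email input";
    }
    // FILTER_VALIDATE_EMAIL returns the address on success, false otherwise.
    return filter_var($raw, FILTER_VALIDATE_EMAIL) === false
        ? "Email is not valid"
        : "Email is valid";
}

function cleanUrl(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // FILTER_SANITIZE_URL only strips characters that are illegal in a URL;
    // it does not check that what remains is a URL, so validate afterwards.
    $sanitized = filter_var($raw, FILTER_SANITIZE_URL);
    return filter_var($sanitized, FILTER_VALIDATE_URL) === false ? null : $sanitized;
}

// Constructed sample values.
$emails = ["someone@example.com", "someone@@example.com", "not an email", null];
foreach ($emails as $raw) {
    printf("%-22s -> %s\n", var_export($raw, true), checkEmail($raw));
}

$urls = [
    "http://www.ruåånoøøob.com/",        // the page's example: non-ASCII letters are stripped
    "http://www.example.com/path?q=1",   // already clean, passes unchanged
    "just some words",                   // sanitized to "justsomewords", which is not a URL
];
foreach ($urls as $raw) {
    $clean = cleanUrl($raw);
    printf("%-32s -> %s\n", $raw, $clean ?? "not a valid URL after sanitizing");
}
```

The second helper illustrates the difference between the two filter types stated earlier: sanitizing always returns a string, so on its own it never tells you whether the input was acceptable, which is why it is followed by FILTER_VALIDATE_URL.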
First, we need to confirm whether the input data we're looking for exists. Then, we sanitize the input data using the filter_input() function.

In the example below, the input variable "url" is passed to the PHP page:

## Example

(example code not preserved)

## Example Explanation

The example above has an input variable (url) sent via the "GET" method:

1. Check whether a "GET"-type "url" input variable exists
2. If the input variable exists, sanitize it (remove illegal characters) and store it in the $url variable

If the input variable is a string like "http://www.ruåånoøøob.com/", then the sanitized $url variable will look like this:

http://www.runoob.com/

* * *

## Filtering Multiple Inputs

Forms typically consist of multiple input fields. To avoid repeatedly calling the filter_var() or filter_input() functions, we can use the filter_var_array() or filter_input_array() functions.

In this example, we use the filter_input_array() function to filter three GET variables. The received GET variables are a name, an age, and an email address:

## Example

```php
<?php
$filters = array(
    "name"  => array(
        "filter" => FILTER_SANITIZE_STRING   // deprecated as of PHP 8.1
    ),
    "age"   => array(
        "filter"  => FILTER_VALIDATE_INT,
        "options" => array(
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL
);

$result = filter_input_array(INPUT_GET, $filters);

// A value that fails its filter comes back as FALSE
if (!$result["age"]) {
    echo("Age must be between 1 and 120.\n");
} elseif (!$result["email"]) {
    echo("E-Mail Invalid\n");
} else {
    echo("Input is correct");
}
?>
```

## Example Explanation

The example above has three input variables (name, age, and email) sent via the "GET" method:

1. Set up an array containing the names of the input variables and the filters to apply to each specified input variable
2. Call the filter_input_array() function, passing the GET input variables and the previously defined array
3. Check whether the "age" and "email" variables in the $result variable contain invalid input. (If invalid input exists, the input variables become FALSE after using the filter_input_array() function.)

The second parameter of the filter_input_array() function can be either an array or a single filter ID.

If this parameter is a single filter ID, that specified filter will filter all values in the input array.

If this parameter is an array, the array must follow these rules:

* It must be an associative array where the input variable names are keys in the array (e.g., the "age" input variable)
* The values of this array must be either filter IDs, or arrays specifying filters, flags, and options

* * *

## Using Filter Callback

By using the FILTER_CALLBACK filter, you can invoke a custom function and use it as a filter. This gives you full control over data filtering.

You can create your own custom function, or use existing PHP functions.

Specify the filtering function you intend to use according to the required option format. In an associative array, it must be named "options".

In the example below, we use a custom function to replace all "_" characters with ".":

## Example

```php
<?php
// Custom filter function: replace every "_" with "."
function convertSpace($string)
{
    return str_replace("_", ".", $string);
}

// Sample input (constructed; the page's original input string is not preserved)
$string = "a_string_with_underscores";

// The callable is passed under the "options" key
echo filter_var($string, FILTER_CALLBACK, array("options" => "convertSpace"));
?>
```

The result of the code above is as follows:

a.string.with.underscores

## Example Explanation

The example above replaces all "_" characters with ".":

1. Create a function that replaces "_" with "."
2. Call the filter_var() function, passing the FILTER_CALLBACK filter and an array containing our function
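As one added example serving both the multiple-input section above and this callback section, and not the page's own code: the same three-field definition run through filter_var_array() over constructed input arrays, with the "name" entry handled by a FILTER_CALLBACK closure instead of the deprecated FILTER_SANITIZE_STRING. The helper name validateForm, the closure's rules and the sample inputs are assumptions. It also shows how to keep "missing" and "invalid" fields apart, which the page's `if (!$result["age"])` check cannot do.

```php
<?php
// Added example (not the page's code): a filter definition run through
// filter_var_array() over constructed input arrays, so it executes outside
// a web request (filter_input_array() reads the live request; filter_var_array()
// takes any array). The "name" field uses FILTER_CALLBACK with a closure, the
// other two use the validating filters from the page. FILTER_SANITIZE_STRING is
// deprecated as of PHP 8.1, which is why "name" does not use it here.
// The helper name validateForm and the sample data are assumptions.

function validateForm(array $input): array
{
    $definition = [
        "name"  => [
            "filter"  => FILTER_CALLBACK,
            // The callable goes under "options"; it receives the raw string and
            // returns the normalized value, or false to mark the field invalid.
            "options" => function (string $value): string|false {
                $name = trim($value);
                // Assumed rule: a letter followed by 1..39 letters, digits, spaces, "_" or "-".
                return preg_match('/^[\p{L}][\p{L}\p{N} _-]{1,39}$/u', $name) === 1 ? $name : false;
            },
        ],
        "age"   => [
            "filter"  => FILTER_VALIDATE_INT,
            "options" => ["min_range" => 1, "max_range" => 120],
        ],
        "email" => FILTER_VALIDATE_EMAIL,
    ];

    // With add_empty (the default) a key absent from $input comes back as null,
    // while a value that fails its filter comes back as false, so "missing" and
    // "invalid" stay distinguishable. Compare with === rather than with !,
    // because legitimate values such as 0 or "0" are also falsy.
    $result = filter_var_array($input, $definition);
    $errors = [];
    foreach (array_keys($definition) as $field) {
        if ($result[$field] === null) {
            $errors[] = "$field is missing.";
        } elseif ($result[$field] === false) {
            $errors[] = "$field is invalid.";
        }
    }
    return ["values" => $result, "errors" => $errors];
}

// Constructed inputs standing in for $_GET.
$requests = [
    ["name" => "  Ann Lee ", "age" => "42",  "email" => "ann@example.com"],   // all valid
    ["name" => "<b>Bob</b>", "age" => "200", "email" => "bob@example.com"],   // name and age invalid
    ["name" => "Cy",         "email" => "not-an-email"],                      // age missing, email invalid
];

foreach ($requests as $i => $request) {
    $checked = validateForm($request);
    echo "request $i: ", $checked["errors"] ? implode(" ", $checked["errors"]) : "Input is correct", "\n";
    echo "  values: ", json_encode($checked["values"]), "\n";
}
```

filter_var_array() and filter_input_array() accept the same definition array, so in a request handler the same $definition can be handed to filter_input_array(INPUT_GET, $definition) unchanged.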