在PHP 5.2最新版本中,在对输入检查的函数方面,多了新的功能,默认是开启的,减少了很多写代码的工作量
,在IBM DW的
http://www.ibm.com/developerworks/cn/opensource/os-php-v522/index.html上有很好的介绍,下面笔记并补充之
过滤扩展功能有两种过滤器:Sanitizing 和 Logical。
Sanitizing 过滤器只是允许或禁止字符串中的字符并将清理后的字符串作为结果返回。无论您将哪种数据格式传入这些函数,它们将始终返回字符串。对于特定类型的使用,这是至关重要的,因为您可以阻止用户发送不适当的输入并导致异常结果。例如,用户可以发现文本块的输入被返回到以下页面上并且要利用那些返回信息。如果清理输入,则将删除输入的所有危险部分。
Logical 过滤器将对变量执行测试并根据测试提供 true 或 false 结果。然后您可以使用结果来决定如何处理数据或获得用户的地址。这种过滤器的简单示例是验证年龄。逻辑测试还可以针对类似 Perl 的正则表达式进行测试。
<?php
echo "You are " . filter_var($_GET['1'], FILTER_SANITIZE_STRING) . ".<br>\n";
echo "Your favorite color is " . filter_var($_GET['2'], FILTER_SANITIZE_STRING) .
".<br>\n";
echo "The airspeed of an unladen swallow is " . filter_var($_GET['3'], FILTER_SANITIZE_STRING)
. ".<br>\n";
?>
用 filter_var()
函数来清理输入并使其有效并且安全。在这种情况下,使用选项 FILTER_SANITIZE_STRING
,该选项将获取输入、删除所有 HTML 标记并选择性地编码或删除特定字符。
由于它将除去 HTML 标记,因此尝试运行 JavaScript 将失败,并且从脚本中获得更适当的结果。
再补充些
PHP: indicates the earliest version of PHP that supports the function.
Function Description PHP
Checks if a variable of a specified input type exist | 5 | |
Returns the ID number of a specified filter | 5 | |
Get input from outside the script and filter it | 5 | |
Get multiple inputs from outside the script and filters them | 5 | |
Returns an array of all supported filters | 5 | |
Get multiple variables and filter them | 5 | |
Get a variable and filter it | 5 |
PHP Filters
ID Name Description
Call a user-defined function to filter data | |
Strip tags, optionally strip or encode special characters | |
Alias of "string" filter | |
URL-encode string, optionally strip or encode special characters | |
HTML-escape '"<>& and characters with ASCII value less than 32 | |
Remove all characters, except letters, digits and !#$%&'*+-/=?^_`{|}~@.[] | |
Remove all characters, except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&= | |
Remove all characters, except digits and +- | |
Remove all characters, except digits, +- and optionally .,eE | |
Apply addslashes() | |
Do nothing, optionally strip or encode special characters | |
Validate value as integer, optionally from the specified range | |
Return TRUE for "1", "true", "on" and "yes", FALSE for "0", "false", "off", "no", and "", NULL otherwise | |
Validate value as float | |
Validate value against regexp, a Perl-compatible regular expression | |
Validate value as URL, optionally with required components | |
Validate value as e-mail | |
Validate value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges |
检测判断的例子
1 | <html> |
2 | <head></head> |
3 | <body |
4 | "example04.php" method="post" |
5 | "age" size="2"> |
6 | "submit" name="submit" value="Go"> |
7 | </form> |
8 | </body> |
9 | </html> |
view plain | print | copy to clipboard | ? |
处理脚本:
1 | <?php |
2 | if (!filter_has_var(INPUT_POST, 'submit')) { |
3 | echo "form"; |
4 | // include the form. |
5 | } |
6 | |
7 | $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT); |
8 | if (is_null($age)) { |
9 | echo "The 'age' field is required.<br />"; |
10 | } elseif ($age |
11 | echo "Please enter a valid age.<br />"; |
12 | } else |
13 | echo "Welcome.<br/>"; |
14 | } |
15 | ?> |
view plain | print | copy to clipboard | ? |
filter_has_var检测给定的变量是否存在。它不会做任何处理只会告诉程序变量是否已经设置。相当于isset($_POST[‘submit’])。filter_input会取得一个变量返回处理好的数据。在上面的例子中会返回一个整数。
如果是要返回一个处于一定范围之内的值,假设是7-77岁之间的人。可以指定一个最大值和一个最小值。
1 | <?php |
2 | if (!filter_has_var(INPUT_POST, 'submit')) { |
3 | echo "form"; |
4 | // include the form. |
5 | } |
6 | $options = array('options'=> array('min_range'=>7, 'min_range'=>77)); |
7 | $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, $options); |
8 | |
9 | if (is_null($age)) { |
10 | echo "The 'age' field is required.<br />"; |
11 | } elseif ($age |
12 | echo "You must be enter a valid age and be between 7 and 77 years old.<br />"; |
13 | } else |
14 | echo "Welcome.<br/>"; |
15 | } |
16 | ?> |
view plain | print | copy to clipboard | ? |
如果是要判断一个有效的邮件地址的话,可以这样:
1 | $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); |
view plain | print | copy to clipboard | ? |
如果邮件地址不正确或者是空的话$email的值将为FALSE。
过滤判断的例子
1 | <html> |
2 | <head></head> |
3 | <body> |
4 | "example05.php" method="post" |
5 | "name" size="50"> |
6 | "submit" name="submit" value="Go"> |
7 | </form> |
8 | </body> |
9 | </html> |
view plain | print | copy to clipboard | ? |
下面的filter_input函数将自动过滤并返回适当的值:
1 | <?php |
2 | if (!filter_has_var(INPUT_POST, 'submit')) { |
3 | echo "form"; |
4 | // include the form. |
5 | } |
6 | $name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_SPECIAL_CHARS); |
7 | if (is_null($name)) { |
8 | echo "The 'name' field is required.<br />"; |
9 | } else |
10 | echo "Hello $name.<br/>"; |
11 | } |
12 | ?> |
view plain | print | copy to clipboard | ? |
如果接收到的name值是:
FILTER_SANITIZE_SPECIAL_CHARS 将会返回:
一个更好的过滤写法:
1 | $name |
2 | 'name', |
3 | FILTER_SANITIZE_STRING, |
4 | FILTER_FLAG_ENCODE_HIGH|FILTER_FLAG_ENCODE_LOW); |
view plain | print | copy to clipboard | ? |
输出:
Hello Johnny Weißmüller Jr.
这里的函数还有很多选项,如果你想了解更多的细节可以查看Filter的文档。
如何一次处理所有输入?
1 | <html> |
2 | <head></head> |
3 | <body |
4 | "example07.php" method="post" |
5 | "name" size="50"><br /> |
6 | "email" size="50"><br /> |
7 | "homepage" size="50"><br /> |
8 | "age" size="4"><br /> |
9 | "income" size="50"><br /> |
10 | Your two favourites languages: |
11 | "favourites[]" size="6" |
12 | "haskell">haskell</option> |
13 | "r">R</option> |
14 | "lua">Lua</option> |
15 | "pike">Pike</option> |
16 | "rebol">Rebol</option> |
17 | "php">PHP</option> |
18 | </select><br /> |
19 | "submit" name="submit" value="Go"> |
20 | </form> |
21 | </body> |
22 | </html> |
view plain | print | copy to clipboard | ? |
处理程序:
1 | <?php |
2 | if (!filter_has_var(INPUT_POST, 'submit')) { |
3 | echo "form"; |
4 | // include the form. |
5 | } |
6 | |
7 | $defs = array( |
8 | 'name' => array('filter'=>FILTER_SANITIZE_STRING, |
9 | 'flags' |
10 | 'email' |
11 | 'homepage' |
12 | 'age' => array( 'filter' |
13 | 'options'=> array('min_range'=>7, 'min_range'=>77)), |
14 | 'income' |
15 | 'favourites' => array( |
16 | 'filter' |
17 | 'flags' |
18 | ), |
19 | ); |
20 | |
21 | $input = filter_input_array(INPUT_POST, $defs); |
22 | |
23 | if ($input['age'] === FALSE) { |
24 | exit("You must be between 7 and 77 years old."); |
25 | } |
26 | |
27 | if (is_null($input['favourites'])) { |
28 | exit("You have to choose two or more languages."); |
29 | } |
30 | |
31 | if (!in_array('PHP', $inputs['favourites'])) { |
32 | exit("You don't like PHP!"); |
33 | } |
34 | |
35 | /*Other checks for required values */ |
36 | ?> |
view plain | print | copy to clipboard | ? |
正如上面例子中的,通过一个函数就能处理所有的变量。唯一不同的就是事先定义一个对应的数组。需要注意的是数组中选项的正确性。
这样的做法不但增加了程序的易读性,并且如果要添加移除或者修改处理规则也会非常方便。
更复杂的处理
在下面的处理“favourites”变量时用到了用户自定义函数。"options"指定一个用户自定义函数通过定义callback来实现,语法和PHP的call_user_func一样。
1 | <?php |
2 | class |
3 | function __construct($name) { |
4 | $this->name = $name; |
5 | } |
6 | } |
7 | |
8 | function check_languages($var) { |
9 | static $called |
10 | $called++; |
11 | echo "called: $called: $var<br />"; |
12 | $var = filter_var($var, FILTER_SANITIZE_STRIPPED); |
13 | $l = new language($var); |
14 | return $l; |
15 | } |
16 | |
17 | if (!filter_has_var(INPUT_POST, 'submit')) { |
18 |