PHP 5 Advanced: Visual QuickPro Guide/Page 2

[previous] [next]

Security Techniques: Part 2

To use PECL Filter

1. Begin a new PHP script in your text editor or IDE, starting with the HTML (Script 4.2).
   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <title>Filter</title> <style type="text/css" title="text/css" media="all"> .error { color: #F30; } </style> </head> <body> <?php # Script 4.2 - filter.php

   The script has one CSS class for printing errors in a different color.

   Script 4.2. With this minimalist registration form, the Filter library is used to perform data validation and sanitization.

   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="content-type" content="text/html; charset=iso-8859-1" /> <title>Filter</title> <style type="text/css" title="text/css" media="all"> .error { color: #F30; } </style> </head> <body> <?php # Script 4.2 - filter.php /* This page uses the Filter functions * to validate form data. * This page will print out the filtered data. */ if (isset($_POST['submitted'])) { // Handle the form. // Sanitize the name: $name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES); if ($name) { echo "<p>Name: $name<br />\$_POST['name']: {$_POST['name']}</p>\n"; } else { echo '<p class="error">Please enter your name.</p>'; } // Validate the email address using FILTER_VALIDATE_EMAIL: $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); if ($email) { echo "<p>Email Address: $email</p>\n"; } else { echo '<p class="error">Please enter your email address.</p>'; } // Validate the ICQ number using FILTER_VALIDATE_INT: $icq = filter_input(INPUT_POST, 'icq', FILTER_VALIDATE_INT); if ($icq) { echo "<p>ICQ Number: $icq</p>\n"; } else { echo '<p class="error">Please enter your ICQ number.</p>'; } // Strip tags but don't encode quotes: $comments = filter_input(INPUT_POST, 'comments', FILTER_SANITIZE_STRING); if ($comments) { echo "<p>Comments: $comments<br />\$_POST['comments']: {$_POST['comments']}</p>\n"; } else { echo '<p class="error">Please enter your comments.</p>'; } } // End of $_POST['submitted'] IF. // Show the form. ?> <form method="post" action="filter.php"> <fieldset> <legend>Registration Form</legend> <p>Name: <input type="text" name="name" /></p> <p>Email Address: <input type="text" name="email" /></p> <p>ICQ Number: <input type="text" name="icq" /></p> <p>Comments: <textarea name="comments" rows="5" cols="40"></textarea></p> <input type="hidden" name="submitted" value="true" /> <input type="submit" name="submit" value="Submit" /> </fieldset> </form> </body> </html>

2. Check for the form submission.
   if (isset($_POST['submitted'])) {

3. Filter the name data.
   $name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING, FILTER_FLAG_NO_ENCODE_QUOTES);

   For the name field, there's no type to validate against, but it can be filtered to remove any HTML tags. The FILTER_SANITIZE_STRING filter will accomplish that. The last argument, FILTER_FLAG_NO_ENCODE_QUOTES, says that any quotation marks in the name (e.g., O'Toole) shouldn't be turned into an HTML entity equivalent.

4. Print the name value or an error.
   if ($name) { echo "<p>Name: $name<br/>\$_POST['name']: {$_POST['name']}</p>\n"; } else { echo '<p class="error">Please enter your name.</p>'; }

   The conditional if ($name) will be true if the $_POST['name'] variable was set and passed the filter. In that case, I'll print the filtered version and the original version, just for comparison.

5. Validate the email address.
   $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); if ($email) { echo "<p>Email Address: $email</p>\n"; } else { echo '<p class="error">Please enter your email address.</p>'; }

   The FILTER_VALIDATE_EMAIL filter is perfect here. If the submitted email address has a valid format, it will be returned. Otherwise, $email will equal either FALSE or NULL.

6. Validate the ICQ number.
   $icq = filter_input(INPUT_POST, 'icq', FILTER_VALIDATE_INT); if ($icq) { echo "<p>ICQ Number: $icq</p>\n"; } else { echo '<p class="error">Please enter your ICQ number.</p>'; }

   This is validated as an integer.

7. Filter the comments field.
   $comments = filter_input(INPUT_POST, 'comments', FILTER_SANITIZE_STRING); if ($comments) { echo "<p>Comments: $comments<br/>\$_POST['comments']: {$_POST['comments']}</p>\n"; } else { echo '<p class="error">Please enter your comments.</p>'; }

   For the comments, any tags will be stripped (as with the name), but the quotation marks will also be encoded.

8. Complete the main conditional and the PHP code.
   } // End of $_POST['submitted'] IF. ?>

9. Create the HTML form.
   <form method="post" action="filter.php"> <fieldset> <legend>Registration Form</legend> <p>Name: <input type="text" name="name" /></p> <p>Email Address: <input type="text" name="email" /></p> <p>ICQ Number: <input type="text" name="icq" /></p> <p>Comments: <textarea name="comments" rows="5" cols="40"></textarea></p> <input type="hidden" name="submitted" value="true" /> <input type="submit" name="submit" value="Submit" /> </fieldset> </form>

10. Complete the page.
    </body> </html>
11. Save the file as filter.php, place it in your Web directory, and test in your Web browser (Figures 4.5 and 4.6).

    
    Figure 4.5 These values will be submitted, then filtered, resulting in Figure 4.6.

    
    Figure 4.6 At the top of the form the filtered values are displayed.

12. View the HTML source of the page to see how the name and comments fields were treated (Figure 4.7).

    
    Figure 4.7 The HTMLsource code shows how all tags are stripped from the name and comments fields, plus how quotation marks in the comments are encoded.

TIPS

• The filter_has_var() function checks to see if a variable with a given name exists within a greater array of variables. In this script, you could use this code to see if the form has been submitted:
  if (filter_has_var(INPUT_POST, 'submitted')) {

• To filter an array of variables, use filter_input_array(). In filter.php, you could just do this:

  $filters = array( 'name' => FILTER_SANITIZE_STRING, 'email' => FILTER_VALIDATE_EMAIL, 'icq' => FILTER_VALIDATE_INT, 'comments' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => FILTER_FLAG_NO_ENCODE_QUOTES) ); $data = filter_input_array (INPUT_POST, $filters);

  From that point, you could just refer to $data['name'], etc.

• The filter_var_array() applies a filter, or an array of filters, to an array of data.

[previous] [next]

URL: