PHP 5 Advanced: Visual QuickPro Guide | 2
Security Techniques: Part 2
[Excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman. Copyright © 2007. Used with permission of Pearson Education, Inc. and Peachpit Press.]
Using PECL Filter
New in PHP 5 and quite promising is the Filter library of PECL code. Being developed by PHP's creator and other major contributors, the future of Filter looks bright, even though it's still in beta form (at the time of this writing). The Filter package provides two types of security:
- Data validation by type
- Data sanitization
What Filter offers is a unified interface for performing common types of validation and sanitization. For example, I might commonly use code like this:
I could instead do this:
That might look like jabberwocky, but once you get the hang of Filter, the amount of work you can do in just a line of code will be worth the learning curve.
To filter individual variables, there are two functions you'll use: filter_input() and filter_var(). The first one is for working with variables coming from an outside source, like forms, cookies, sessions, and the server. The second is for variables within your own code. I'll focus on filter_input() here. Its syntax is:
The sources, which the PHP manual calls "types," are: INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV, INPUT_SESSION, and INPUT_REQUEST. As you can probably guess, each of these corresponds to a global variable ($_GET, $_POST, etc.). For example, if a page receives data in the URL, you'd use INPUT_GET (not $_GET).
The second argument—the variable name—is the specific variable within the source that should be addressed. The $filter argument indicates the filter to apply, using the constants in Table 4.2. This argument is optional, as a default filter will be used if none is specified. Some filters also take options, like the FILTER_VALIDATE_INT in the preceding example (which can take a range).
Filters by Name

Table 4.2. These constants represent some of the filters that can be applied to data. For a complete list, see the PHP manual or invoke the filter_list() function.

| Constant Name | Action |
| --- | --- |
| FILTER_VALIDATE_INT | Confirms an integer, optionally in a range |
| FILTER_VALIDATE_FLOAT | Confirms a float |
| FILTER_VALIDATE_REGEXP | Matches a PCRE pattern |
| FILTER_VALIDATE_URL | Matches a URL |
| FILTER_VALIDATE_EMAIL | Matches an email address |
| FILTER_SANITIZE_STRING | Strips tags |
| FILTER_SANITIZE_ENCODED | URL-encodes a string |
The filter_input() function will return the filtered variable if the filtration or validation was successful, the Boolean FALSE if the filter didn't apply to the data, or the value NULL if the named variable didn't exist in the given input. Thus you have multiple levels of validation in just one step.
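As an added example (not the book's code), here is a handler for a simplified registration form that acts on the three-way return contract just described, treating NULL (missing) and FALSE (rejected) differently; the field names name, email and age and the age range of 13 to 120 are assumptions. Because filter_input() reads only the real request data, the checks take a callable for their source so the same logic can be exercised offline over a constructed array through filter_var() with the same filter constants.

```php
<?php
// Added example, not from the book. Field names 'name', 'email', 'age' and the
// age range 13..120 are assumptions. Requires PHP 7.4+ for arrow functions.

// Mirrors filter_input()'s contract over a plain array so the checks can be run
// offline on constructed input: NULL if the key is absent, FALSE if the filter
// rejects the value, otherwise the filtered value.
function field(array $src, string $key, int $filter, array $options = []) {
    return array_key_exists($key, $src) ? filter_var($src[$key], $filter, $options) : null;
}

function validate_registration(callable $get): array {
    $errors = [];
    $clean  = [];
    // FILTER_SANITIZE_STRING strips tags (deprecated since PHP 8.1, still functional).
    $name = $get('name', FILTER_SANITIZE_STRING);
    if ($name === null || $name === '') {
        $errors['name'] = 'Name is required.';
    } else {
        $clean['name'] = $name;
    }
    $email = $get('email', FILTER_VALIDATE_EMAIL);
    if ($email === null) {
        $errors['email'] = 'Email is required.';
    } elseif ($email === false) {
        $errors['email'] = 'Email address is not valid.';
    } else {
        $clean['email'] = $email;
    }
    // Range limits for FILTER_VALIDATE_INT ride along in the 'options' sub-array.
    $age = $get('age', FILTER_VALIDATE_INT, ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === null) {
        $errors['age'] = 'Age is required.';
    } elseif ($age === false) {
        $errors['age'] = 'Age must be a whole number from 13 to 120.';
    } else {
        $clean['age'] = $age;
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// In the live form handler, read straight from the POST source:
$fromPost = fn(string $k, int $f, array $o = []) => filter_input(INPUT_POST, $k, $f, $o);

// Offline check with constructed input: the tags around Ann are stripped, the
// email is rejected (FALSE), and 'age' is absent so it comes back NULL.
$fake      = ['name' => '<b>Ann</b>', 'email' => 'not-an-email'];
$fromArray = fn(string $k, int $f, array $o = []) => field($fake, $k, $f, $o);
print_r(validate_registration($fromArray));
```

Keeping the NULL and FALSE cases separate is what lets the handler report "missing" and "invalid" as distinct errors instead of collapsing both into a generic failure.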
There's really a lot of information packed into just a few functions here, but I want to present a sample of how you would use the Filter library. To do so, I'll create a modified version of the registration form (Figure 4.4). Note that as of PHP 5.2, Filter is built into PHP. If you're using an earlier version, you may need to install it using the pecl installer (see the PHP manual for more).
Figure 4.4: This new registration form lacks the password and date of birth inputs.
URL: https://webreference.com.cach3.com/programming/php/php5-advanced2/index.html