PHP 5 Advanced: Visual QuickPro Guide | 2

[next]

Security Techniques: Part 2

By Larry Ullman

[Excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman. Copyright © 2007. Used with permission of Pearson Education, Inc. and Peachpit Press.]

Using PECL Filter

New in PHP 5 and quite promising is the Filter library of PECL code. Being developed by PHP's creator and other major contributors, the future of Filter looks bright, even though it's still in beta form (at the time of this writing). The Filter package provides two types of security:

• Data validation by type
• Data sanitization

What Filter offers is a unified interface for performing common types of validation and sanitization. For example, I might commonly use code like this:

if (isset($_GET['id'])) { if (is_numeric($_GET['id'])) { $id = (int) $_GET['id']; if ($id > 0) { // Do whatever. } } }

I could instead do this:

$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, array('options'=>array('min_range'=>1))); if ($id) { ...

That might look like jabberwocky, but once you get the hang of Filter, the amount of work you can do in just a line of code will be worth the learning curve.

To filter individual variables, there are two functions you'll use: filter_input() and filter_var(). The first one is for working with variables coming from an outside source, like forms, cookies, sessions, and the server. The second is for variables within your own code. I'll focus on filter_input() here. Its syntax is:

$var = filter_input($variable_source, $variable_name, $filter, $options);

The sources, which the PHP manual calls "types," are: INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV, INPUT_SESSION, and INPUT_REQUEST. As you can probably guess, each of these corresponds to a global variable ($_GET, $_POST, etc.). For example, if a page receives data in the URL, you'd use INPUT_GET (not $_GET).

The second argument—the variable name—is the specific variable within the source that should be addressed. The $filter argument indicates the filter to apply, using the constants in Table 4.2. This argument is optional, as a default filter will be used if none is specified. Some filters also take options, like the FILTER_VALIDATE_INT in the preceding example (which can take a range).

Filters by Name

Table 4.2. These constants represent some of the filters that can be applied to data. For a complete list, see the PHP manual or invoke the filter_list() function.

Constant Name	Action
FILTER_VALIDATE_INT	Confirms an integer, optionally in a range
FILTER_VALIDATE_FLOAT	Confirms a float
FILTER_ VALIDATE_REGEXP	Matches a PCRE pattern
FILTER_ VALIDATE_URL	Matches a URL
FILTER_ VALIDATE_EMAIL	Matches an email address
FILTER_SANITIZE_STRING	Strips tags
FILTER_SANITIZE_ENCODED	URL-encodes a string

The filter_input() function will return the filtered variable if the filtration or validation was successful, the Boolean FALSE if the filter didn't apply to the data, or the value NULL if the named variable didn't exist in the given input. Thus you have multiple levels of validation in just one step.

There's really a lot of information packed into just a few functions here, but I want to present a sample of how you would use the Filter library. To do so, I'll create a modified version of the registration form (Figure 4.4). Note that as of PHP 5.2, Filter is built into PHP. If you're using an earlier version, you may need to install it using the pecl installer (see the PHP manual for more).

Figure 4.4: This new registration form lacks the password and date of birth inputs.

[next]

URL: