PHP Built-in String Validation Functions

1. PHP5 Built-in String Filter Functions For Your Application Security
   By d0ubl3_h3lix, http://yehg.org, April 2008

2. Agenda
   - Why We Use?
   - Need to Know
   - Secure Practice
   - Validation Vs Sanitization
   - PHP5 Built-in Filtering Functions

3. Why We Use?
   - 100% of injection attacks (XSS, SQL, XPath, OS command, etc.) come from inputs where filtering is weak or absent
   - Be aware of outputs as well as inputs
   - You know: Garbage In, Garbage Out
   - For attackers: Garbage In, Gold Out

4. Need to Know
   - There are many more filtering issues, such as encoding issues
   - An attacker can send strings in different charset formats
   - This causes your visitors' browsers to auto-detect the charset and interpret the string the way the attacker wants
   - Reason: the application failed to convert the string to its intended charset when it was first stored in the database

5. Secure Practice
   - Always convert input/output to the intended charset before intensive filtering/sanitization

6. Validation Vs Sanitization
   - Validation means the string format is exactly what you want
   - A validated string can't be assumed 'secure'
   - You can't know whether a validated string contains characters that are meaningful to the various back-end systems
   - That's why a validated string still needs to be sanitized!

7. PHP5 Built-in String Filter Functions

8. htmlspecialchars
   - Description: Convert special characters to HTML entities
   - Usage: string htmlspecialchars ( string string [, int quote_style [, string charset ]] )

9. Quote_Style
   - ENT_COMPAT: converts double quotes and leaves single quotes alone.
   - ENT_QUOTES: converts both double and single quotes.
   - ENT_NOQUOTES: leaves both double and single quotes unconverted.

10. Supported Charsets
   - ISO-8859-1
   - ISO-8859-15
   - UTF-8
   - cp866 (ibm866, 866)
   - cp1251 (Windows-1251, win-1251, 1251)
   - cp1252 (Windows-1252, 1252)
   - KOI8-R (koi8-ru, koi8r)
   - BIG5
   - GB2312
   - BIG5-HKSCS
   - Shift_JIS
   - EUC-JP

11. Example
   Not Secure:
       htmlspecialchars($untrusted_input);
   Relatively Secure:
       htmlspecialchars($untrusted_input, ENT_QUOTES, "UTF-8");

12. htmlentities
   - Description: Convert all applicable characters to HTML entities
   - Usage: string htmlentities ( string string [, int quote_style [, string charset ]] )

13. Example
   Not Secure:
       htmlentities($untrusted_input);
   Relatively Secure:
       htmlentities($untrusted_input, ENT_QUOTES, "UTF-8");

14. htmlspecialchars vs htmlentities
   - htmlentities() converts every character that has an HTML entity equivalent, while htmlspecialchars() converts only:
       &  => &amp;
       "  => &quot;
       '  => &#039;  (only with ENT_QUOTES)
       <  => &lt;
       >  => &gt;
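An output-encoding helper that follows the deck's "Secure Practice" (convert to the intended charset first) and its "Relatively Secure" htmlspecialchars() call, added here as an example; it is not code from the slides. The helper name is this example's own, mbstring is assumed to be loaded, and UTF-8 is assumed to be the application's intended charset.

```php
<?php
// Added example (not from the slides): charset conversion followed by
// htmlspecialchars() with ENT_QUOTES, plus a side-by-side look at the
// default call and at htmlentities(). Assumes mbstring and a UTF-8 site.

function html_safe($untrusted, $from_charset = 'UTF-8')
{
    // Step 1: normalise to the intended charset. Invalid byte sequences are
    // replaced here instead of being handed to the browser to guess at.
    $text = mb_convert_encoding($untrusted, 'UTF-8', $from_charset);

    // Step 2: escape. ENT_QUOTES turns ' into an entity as well as ", so the
    // result is safe inside single- and double-quoted attributes, not only in
    // element text; the charset argument keeps multibyte input intact.
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: an apostrophe, an ampersand and angle brackets.
$input = "O'Brien & <Co>";

// Default quote_style is ENT_COMPAT: & < > and " are converted, but the
// apostrophe is left as-is, which is exactly the character that terminates
// a single-quoted attribute value.
echo htmlspecialchars($input), "\n";

// ENT_QUOTES + explicit charset: the apostrophe is converted too.
echo html_safe($input), "\n";

// htmlentities() vs htmlspecialchars(): they differ only for characters that
// have a named entity. The UTF-8 "é" below becomes &eacute; with
// htmlentities() and is passed through unchanged by htmlspecialchars();
// the <b> is escaped by both.
$accented = "caf\xC3\xA9 <b>";
echo htmlentities($accented, ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars($accented, ENT_QUOTES, 'UTF-8'), "\n";
```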
15. strip_tags
   - Description: Strip HTML and PHP tags from a string
   - Usage: string strip_tags ( string str [, string allowable_tags ] )

16. Example: Stripping HTML
       // Returns: Hello Admin!alert('0wned u');
       strip_tags("<b>Hello Admin!</b><script>alert('0wned u');</script>");

       // Returns: <b>bold</b> Nice  (the <b> tag survives because it is listed in allowable_tags)
       strip_tags("<b>bold</b> <i>Nice</i>", "<b>");

17. Example: Stripping PHP
       // Returns: Hello Admin!
       strip_tags("Hello Admin!<?php /* attacker's shellcode/backdoor script */ ?>");
   Such PHP code is commonly embedded in images and other binary-like files.

18. escapeshellcmd
   - Description: Escape shell metacharacters: #&;`|*?~<>^()[]{}$\, \x0A and \xFF
   - Usage: string escapeshellcmd ( string command )

19. Example
       $input = "solution & whoami &";
       escapeshellcmd("process $input");
       // Returns: process solution \& whoami \&
       // Each & is prefixed with a backslash, so the shell no longer treats it as a command separator

20. mysql_real_escape_string
   - Description: Escapes special characters in a string for use in a SQL statement; a database connection must be opened first
   - Usage: string mysql_real_escape_string ( string unescaped_string [, resource link_identifier] )

21. mysql_escape_string
   - Description: Escapes a string for use in a mysql_query; a database connection must be opened first
   - Usage: string mysql_escape_string ( string unescaped_string )

22. is_* Functions
   To check whether a variable is of the desired type:
   - is_array -- Whether a variable is an array
   - is_binary -- Whether a variable is a native binary string
   - is_bool -- Whether a variable is a boolean
   - is_buffer -- Whether a variable is a native unicode or binary string
   - is_callable -- Verify that the contents of a variable can be called as a function
   - is_double -- Alias of is_float()

23. is_* Functions
   - is_float -- Whether a variable is a float
   - is_int -- Whether a variable is an integer
   - is_integer -- Alias of is_int()
   - is_long -- Alias of is_int()
   - is_null -- Whether a variable is NULL
   - is_numeric -- Whether a variable is a number or a numeric string
   - is_object -- Whether a variable is an object
   - is_real -- Alias of is_float()
   - is_resource -- Whether a variable is a resource
   - is_scalar -- Whether a variable is a scalar
   - is_string -- Whether a variable is a string
   - is_unicode -- Whether a variable is a unicode string

24. Good Practice With is_*
   For example:
       $start = (isset($_GET['num']) && is_numeric($_GET['num']))
           ? (int)$_GET['num']
           : die("Hacking Attempt!");
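The is_numeric() + (int) idiom from the "Good Practice With is_*" slide compared with FILTER_VALIDATE_INT and its min_range/max_range options, added here as an example rather than taken from the slides. The function names are this example's own and the inputs are constructed; nothing is read from the request.

```php
<?php
// Added example (not from the slides): what the is_numeric() + (int) check
// accepts versus FILTER_VALIDATE_INT with a range. Inputs are constructed.

function page_via_is_numeric($raw)
{
    // The slide's check: whatever is_numeric() accepts is cast to int.
    // is_numeric() also accepts floats ("7.9"), exponent notation ("1e1"),
    // signed values and, before PHP 7, hex strings, so the cast may truncate
    // or change the value, and no range is enforced at all.
    return is_numeric($raw) ? (int)$raw : null;
}

function page_via_filter($raw, $min = 1, $max = 10)
{
    // FILTER_VALIDATE_INT accepts an optional sign followed by decimal digits
    // only (hex/octal need FILTER_FLAG_ALLOW_HEX / FILTER_FLAG_ALLOW_OCTAL)
    // and enforces min_range/max_range itself. On failure it returns false,
    // which has to be tested with === because 0 is a valid integer.
    $n = filter_var($raw, FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => $min, 'max_range' => $max),
    ));
    return ($n === false) ? null : $n;
}

// Constructed inputs: an in-range page number, a float, an exponent,
// a negative number, a number above the range, and a non-number.
$samples = array('7', '7.9', '1e1', '-3', '42', 'seven');
foreach ($samples as $s) {
    printf("%-8s is_numeric/cast: %-5s validate_int: %s\n",
        var_export($s, true),
        var_export(page_via_is_numeric($s), true),
        var_export(page_via_filter($s), true));
}
```

Only the first sample survives both checks; the cast-based version silently turns '7.9' into 7 and lets -3 and 42 through with no range check.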
25. filter_* Functions
   - filter_has_var -- Checks if a variable of the specified type exists
   - filter_id -- Returns the filter ID belonging to a named filter
   - filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
   - filter_input -- Gets a variable from outside PHP and optionally filters it
   - filter_list -- Returns a list of all supported filters
   - filter_var_array -- Gets multiple variables and optionally filters them
   - filter_var -- Filters a variable with a specified filter

26. Filterable Types
   - INPUT_POST (integer): POST variables.
   - INPUT_GET (integer): GET variables.
   - INPUT_COOKIE (integer): COOKIE variables.
   - INPUT_ENV (integer): ENV variables.
   - INPUT_SERVER (integer): SERVER variables.
   - INPUT_SESSION (integer): SESSION variables. (not implemented yet in PHP5)
   - INPUT_REQUEST (integer): REQUEST variables. (not implemented yet in PHP5)

27. Filter Options
   - FILTER_FLAG_NONE (integer): No flags.
   - FILTER_REQUIRE_SCALAR (integer): Flag used to require a scalar as input. Scalar variables are those containing an integer, float, string or boolean. The types array, object and resource are not scalar.

28. Filter Options
   - FILTER_REQUIRE_ARRAY (integer): Require an array as input.
   - FILTER_FORCE_ARRAY (integer): Always returns an array.
   - FILTER_NULL_ON_FAILURE (integer): Use NULL instead of FALSE on failure.

29. Filter Options
   - FILTER_VALIDATE_INT (integer): ID of "int" filter.
   - FILTER_VALIDATE_BOOLEAN (integer): ID of "boolean" filter.
   - FILTER_VALIDATE_FLOAT (integer): ID of "float" filter.

30. Filter Options
   - FILTER_VALIDATE_REGEXP (integer): ID of "validate_regexp" filter.
   - FILTER_VALIDATE_URL (integer): ID of "validate_url" filter.
   - FILTER_VALIDATE_EMAIL (integer): ID of "validate_email" filter.

31. Filter Options
   - FILTER_VALIDATE_IP (integer): ID of "validate_ip" filter.
   - FILTER_DEFAULT (integer): ID of the default ("string") filter.
   - FILTER_UNSAFE_RAW (integer): ID of "unsafe_raw" filter.
   - FILTER_SANITIZE_STRING (integer): ID of "string" filter.

32. Filter Options
   - FILTER_SANITIZE_STRIPPED (integer): ID of "stripped" filter.
   - FILTER_SANITIZE_ENCODED (integer): ID of "encoded" filter.
   - FILTER_SANITIZE_SPECIAL_CHARS (integer): ID of "special_chars" filter.
   - FILTER_SANITIZE_EMAIL (integer): ID of "email" filter.

33. Filter Options
   - FILTER_SANITIZE_URL (integer): ID of "url" filter.
   - FILTER_SANITIZE_NUMBER_INT (integer): ID of "number_int" filter.
   - FILTER_SANITIZE_NUMBER_FLOAT (integer): ID of "number_float" filter.
   - FILTER_SANITIZE_MAGIC_QUOTES (integer): ID of "magic_quotes" filter.

34. Filter Options
   - FILTER_CALLBACK (integer): ID of "callback" filter.
   - FILTER_FLAG_ALLOW_OCTAL (integer): Allow octal notation (0[0-7]+) in "int" filter.
   - FILTER_FLAG_ALLOW_HEX (integer): Allow hex notation (0x[0-9a-fA-F]+) in "int" filter.
   - FILTER_FLAG_STRIP_LOW (integer): Strip characters with ASCII value less than 32.

35. Filter Options
   - FILTER_FLAG_STRIP_HIGH (integer): Strip characters with ASCII value greater than 127.
   - FILTER_FLAG_ENCODE_LOW (integer): Encode characters with ASCII value less than 32.
   - FILTER_FLAG_ENCODE_HIGH (integer): Encode characters with ASCII value greater than 127.
   - FILTER_FLAG_ENCODE_AMP (integer): Encode &.

36. Filter Options
   - FILTER_FLAG_NO_ENCODE_QUOTES (integer): Don't encode ' and ".
   - FILTER_FLAG_EMPTY_STRING_NULL (integer): (No use for now.)
   - FILTER_FLAG_ALLOW_FRACTION (integer): Allow fractional part in "number_float" filter.

37. Filter Options
   - FILTER_FLAG_ALLOW_THOUSAND (integer): Allow thousand separator (,) in "number_float" filter.
   - FILTER_FLAG_ALLOW_SCIENTIFIC (integer): Allow scientific notation (e, E) in "number_float" filter.
   - FILTER_FLAG_SCHEME_REQUIRED (integer): Require scheme in "validate_url" filter.

38. Filter Options
   - FILTER_FLAG_HOST_REQUIRED (integer): Require host in "validate_url" filter.
   - FILTER_FLAG_PATH_REQUIRED (integer): Require path in "validate_url" filter.
   - FILTER_FLAG_QUERY_REQUIRED (integer): Require query in "validate_url" filter.

39. Filter Options
   - FILTER_FLAG_IPV4 (integer): Allow only IPv4 addresses in "validate_ip" filter.
   - FILTER_FLAG_IPV6 (integer): Allow only IPv6 addresses in "validate_ip" filter.
   - FILTER_FLAG_NO_RES_RANGE (integer): Deny reserved addresses in "validate_ip" filter.
   - FILTER_FLAG_NO_PRIV_RANGE (integer): Deny private addresses in "validate_ip" filter.

40. Filter Definitions
   - ID: FILTER_VALIDATE_INT
   - Options: min_range, max_range
   - Flags: FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX
   - Description: Validates value as integer, optionally from the specified range.

41. Filter Definitions
   - ID: FILTER_VALIDATE_BOOLEAN
   - Flags: FILTER_NULL_ON_FAILURE
   - Description: Returns TRUE for "1", "true", "on" and "yes", FALSE for "0", "false", "off", "no" and "", NULL otherwise.

42. Filter Definitions
   - ID: FILTER_VALIDATE_FLOAT
   - Flags: FILTER_FLAG_ALLOW_THOUSAND
   - Description: Validates value as float.

43. Filter Definitions
   - ID: FILTER_VALIDATE_REGEXP
   - Options: regexp
   - Description: Validates value against regexp, a Perl-compatible regular expression.

44. Filter Definitions
   - ID: FILTER_VALIDATE_URL
   - Flags: FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED
   - Description: Validates value as URL, optionally with required components.

45. Filter Definitions
   - ID: FILTER_VALIDATE_EMAIL
   - Description: Validates value as e-mail.

46. Filter Definitions
   - ID: FILTER_VALIDATE_IP
   - Flags: FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE
   - Description: Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.

47. Filter Definitions
   - ID: FILTER_SANITIZE_STRING
   - Flags: FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
   - Description: Strip tags, optionally strip or encode special characters.

48. Filter Definitions
   - ID: FILTER_SANITIZE_STRIPPED
   - Alias of FILTER_SANITIZE_STRING.

49. Filter Definitions
   - ID: FILTER_SANITIZE_ENCODED
   - Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH
   - Description: URL-encode string, optionally strip or encode special characters.

50. Filter Definitions
   - ID: FILTER_SANITIZE_SPECIAL_CHARS
   - Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH
   - Description: HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

51. Filter Definitions
   - ID: FILTER_UNSAFE_RAW
   - Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
   - Description: Do nothing, optionally strip or encode special characters.

52. Filter Definitions
   - ID: FILTER_SANITIZE_EMAIL
   - Description: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].

53. Filter Definitions
   - ID: FILTER_SANITIZE_URL
   - Description: Remove all characters except letters, digits and $-_.+!*'(),{}|~[]`<>#%";/?:@&=.

54. Filter Definitions
   - ID: FILTER_SANITIZE_NUMBER_INT
   - Description: Remove all characters except digits and +-.

55. Filter Definitions
   - ID: FILTER_SANITIZE_NUMBER_FLOAT
   - Flags: FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC
   - Description: Remove all characters except digits, +- and optionally .,eE.

56. Filter Definitions
   - ID: FILTER_SANITIZE_MAGIC_QUOTES
   - Description: Apply addslashes().

57. Filter Definitions
   - ID: FILTER_CALLBACK
   - Options: callback function or method
   - Description: Call a user-defined function to filter data.

58. Reminder: filter_* Functions
   - filter_has_var -- Checks if a variable of the specified type exists
   - filter_id -- Returns the filter ID belonging to a named filter
   - filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
   - filter_input -- Gets a variable from outside PHP and optionally filters it
   - filter_list -- Returns a list of all supported filters
   - filter_var_array -- Gets multiple variables and optionally filters them
   - filter_var -- Filters a variable with a specified filter

59. filter_has_var
   - Description: Checks if a variable of the specified type exists
   - Usage: bool filter_has_var ( int type , string variable_name )

60. Example
       filter_has_var(INPUT_GET, 'searchstr');
   is equivalent to
       isset($_GET['searchstr'])

61. filter_id
   - Description: Returns the filter ID belonging to a named filter
   - Usage: int filter_id ( string filtername )

62. filter_list
   - Description: Returns a list of all supported filters
   - Usage: array filter_list ( void )

63. filter_input
   - Description: Gets a variable from outside PHP and optionally filters it
   - Usage: mixed filter_input ( int type, string variable_name [, int filter [, mixed options ]] )

64. Example
       filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);

       // Validate every element of number[] against the range 1..10.
       // (The slide's FILTER_FLAG_ARRAY is not a PHP constant; FILTER_REQUIRE_ARRAY is the flag listed under Filter Options.)
       filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT,
           array(
               'flags'   => FILTER_REQUIRE_ARRAY,
               'options' => array('min_range' => 1, 'max_range' => 10)
           )
       );

65. filter_input_array
   - Description: Gets multiple variables from outside PHP and optionally filters them
   - Usage: mixed filter_input_array ( int type [, mixed definition] )

66. Example
       /* Let's say the data come from POST as follows: */
       $_POST = array(
           'visitor_name'  => 'MgMg',
           'visitor_email' => 'mgmg@gmail.com',
           'visitor_url'   => 'http://myanmar.com'
       );

67. Example
   We can write filter rules like:
       $visitor_sanitized_rules = array(
           'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
           'visitor_email' => FILTER_VALIDATE_EMAIL,
           'visitor_url'   => FILTER_VALIDATE_URL
       );

68. Example
   Then we can apply them like:
       $visitor_inputs = filter_input_array(INPUT_POST, $visitor_sanitized_rules);

69. No Real Difference!
   filter_input(_array) vs filter_var(_array): they are the same.

70. filter_var
   - Description: Filters a variable with a specified filter
   - Usage: mixed filter_var ( mixed variable [, int filter [, mixed options]] )

71. Example
       filter_var($_POST['visitor_name'], FILTER_SANITIZE_SPECIAL_CHARS);
       filter_var($_POST['visitor_email'], FILTER_VALIDATE_EMAIL);
       filter_var($_POST['visitor_url'], FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);

72. filter_var_array
   - Description: Gets multiple variables and optionally filters them
   - Usage: mixed filter_var_array ( array data [, mixed definition] )

73. Example
       /* Same as before. No big difference: */
       $visitor_data = array(
           'visitor_name'  => 'MgMg',
           'visitor_email' => 'mgmg@gmail.com',
           'visitor_url'   => 'http://myanmar.com'
       );

74. Example
   We can write filter rules like:
       $visitor_sanitized_rules = array(
           'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
           'visitor_email' => FILTER_VALIDATE_EMAIL,
           'visitor_url'   => FILTER_VALIDATE_URL
       );

75. Example
   Then we can apply them like:
       // filter_var_array() takes the data array itself, not an INPUT_* type
       $visitor_inputs = filter_var_array($visitor_data, $visitor_sanitized_rules);

76. Last But Not Least
   Did you notice two things lacking in the filter_* functions?

77. First ..
   You have to filter twice in some cases, e.g.:
       $email = $_GET['email'];
       $email = filter_var($email, FILTER_VALIDATE_EMAIL);
       $email = filter_var($email, FILTER_SANITIZE_EMAIL);

78. Second ...
   No charset conversion functions! Do-it-yourself exercise!
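One way to cover both gaps the deck points out, added here as an example and not taken from the slides: charset conversion is supplied through FILTER_CALLBACK, and a validate pass and a sanitize pass are run in sequence over the deck's visitor fields so a value must survive both. The helper names and the sample $visitor_data are constructed; mbstring is assumed to be loaded and UTF-8 to be the intended charset.

```php
<?php
// Added example (not from the slides): charset conversion via FILTER_CALLBACK,
// then validate, then sanitize, all with filter_var_array(). Assumes mbstring.

function to_utf8($value)
{
    // FILTER_CALLBACK target: normalise to the intended charset before any
    // other filter sees the bytes. Invalid sequences are replaced, not kept.
    return mb_convert_encoding($value, 'UTF-8', 'UTF-8');
}

function filter_visitor(array $data)
{
    $charset_rules = array(
        'visitor_name'  => array('filter' => FILTER_CALLBACK, 'options' => 'to_utf8'),
        'visitor_email' => array('filter' => FILTER_CALLBACK, 'options' => 'to_utf8'),
        'visitor_url'   => array('filter' => FILTER_CALLBACK, 'options' => 'to_utf8'),
    );
    // Validation: does the value have exactly the shape this field allows?
    $validate_rules = array(
        'visitor_name'  => array(
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => array('regexp' => '/^[\p{L} .\'-]{1,64}$/u'),
        ),
        'visitor_email' => FILTER_VALIDATE_EMAIL,
        'visitor_url'   => array(
            'filter' => FILTER_VALIDATE_URL,
            'flags'  => FILTER_FLAG_SCHEME_REQUIRED | FILTER_FLAG_HOST_REQUIRED,
        ),
    );
    // Sanitization: remove or encode what the back-end must never see, even in
    // a value that validated (the deck's "validated is not secure" point).
    $sanitize_rules = array(
        'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
        'visitor_email' => FILTER_SANITIZE_EMAIL,
        'visitor_url'   => FILTER_SANITIZE_URL,
    );

    $converted = filter_var_array($data, $charset_rules);
    $validated = filter_var_array($converted, $validate_rules);

    // filter_var_array() reports a failed field as false and a missing field
    // as null; collect them now, before a sanitize pass would turn them into "".
    $rejected = array();
    foreach ($validated as $field => $value) {
        if ($value === false || $value === null) {
            $rejected[] = $field;
        }
    }
    if (count($rejected) > 0) {
        return array('values' => null, 'rejected' => $rejected);
    }
    return array('values'   => filter_var_array($validated, $sanitize_rules),
                 'rejected' => array());
}

// Constructed sample in the shape of the deck's $_POST example. The URL has
// no scheme, so FILTER_FLAG_SCHEME_REQUIRED rejects it and no field is used.
$visitor_data = array(
    'visitor_name'  => 'Mg Mg',
    'visitor_email' => 'mgmg@gmail.com',
    'visitor_url'   => 'myanmar.com',
);
print_r(filter_visitor($visitor_data));
```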
79. Thank You!

80. Reference
   - PHP 5.25 Manual
