PHP: what could cause FILTER_UNSAFE_RAW to return FALSE?
After returning to a script from a long absence, I'm stuck on a suddenly failing sanitization.
I found the problem in a filter unexpectedly returning false.
Here's an example to replicate my unintended results:
$test = [ 'apple', 'bananna', 'orange', 'lime', 'grape', ];
var_export( filter_var( $test, FILTER_UNSAFE_RAW )); // false
I thought that FILTER_UNSAFE_RAW is supposed to just return the input (an array in this case) unchanged.
Am I wrong in my understanding/approach?
NOTE:
My code has to be strictly self-reliant and as lightweight as possible, so rather than loading third-party libraries/classes, I'm just writing in simple helper functions where needed.
EXAMPLE:
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => FILTER_UNSAFE_RAW,
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];
$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input )
{
    // sanitize
    $sanitized = filter_var_array( $input, $f['sanitize'] );
    // validate
    $validated = filter_var_array( $sanitized, $f['validate'] );
    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' ))
    {
        ...
As you can see, this approach requires that bar passes sanitization, even though no sanitizing action is necessary.
Am I misunderstanding FILTER_UNSAFE_RAW?
It returns false since filter_var() can't validate an array. And filter_var_array() is like running filter_var() on each of the subject array's values. You can try to use an array as bar's value inside the sanitize array, with FILTER_UNSAFE_RAW as filter and FILTER_REQUIRE_ARRAY as flags:
'sanitize' => [
    'foo' => FILTER_SANITIZE_EMAIL,
    'bar' => [
        'filter' => FILTER_UNSAFE_RAW,
        'flags' => FILTER_REQUIRE_ARRAY
    ],
],
Another thing to note is that since you only use FILTER_UNSAFE_RAW without specifying flags, it will just do nothing. So not sanitizing it is the same. Though that won't work in your case, because it will not be passed on to validation.
It looks like you have not added the proper flags for the sanitize part of the filter_var_array.
Whenever you are processing an array, you have to include the flag FILTER_REQUIRE_ARRAY.
Hence without the flag, you were getting the response as false.
Note: FILTER_UNSAFE_RAW just optionally strips or encodes special characters. Also this is the default filter.
Example
$test['bar'] = array( 'apple', 'bananna', 'orange', 'lime', 'grape' );
$san['bar'] = [
    'filter' => FILTER_UNSAFE_RAW,
    'flags' => FILTER_REQUIRE_ARRAY
];
print_r(filter_var_array( $test, $san ));
Output
Array
(
[bar] => Array
(
[0] => apple
[1] => bananna
[2] => orange
[3] => lime
[4] => grape
)
)
Edited Working Code
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => [
            'filter' => FILTER_UNSAFE_RAW,
            'flags' => FILTER_REQUIRE_ARRAY
        ],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];
$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input ) {
    // sanitize
    $sanitized = filter_var_array( $input, $f['sanitize'] );
    print_r($sanitized);
    // validate
    $validated = filter_var_array( $sanitized, $f['validate'] );
    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' )) {}
    return $validated;
}
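The sanitize-then-validate pipeline from the question with the FILTER_REQUIRE_ARRAY fix both answers describe, written here as an added example (not code from the question or either answer). It replaces the strpos(json_encode(...)) check with a recursive walk that tells a failed value (false) apart from a key that was in the definition but missing from the input (null), and anchors the regexp so only the exact words pass; findFailures is a name chosen for this example, and the inputs are constructed.

```php
<?php
// Added example (not the question's or answers' code): sanitize, validate, then inspect the result.
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        // Without FILTER_REQUIRE_ARRAY this entry yields false for an array value.
        'bar' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'flags'   => FILTER_REQUIRE_ARRAY,
            // Anchored: the unanchored '/(apple|grape)/' would also accept 'grapefruit'.
            'options' => ['regexp' => '/^(apple|grape)$/'],
        ],
    ],
];

// Walk a filter_var_array() result: false marks a value that failed its filter (or a
// scalar where FILTER_REQUIRE_ARRAY demanded an array); null marks a defined key absent from the input.
function findFailures(array $data, string $path = ''): array
{
    $problems = [];
    foreach ($data as $key => $value) {
        $here = $path === '' ? (string) $key : "$path.$key";
        if (is_array($value)) {
            $problems = array_merge($problems, findFailures($value, $here));
        } elseif ($value === false) {
            $problems[] = "$here: failed validation";
        } elseif ($value === null) {
            $problems[] = "$here: missing from input";
        }
    }
    return $problems;
}

// Keys absent from the definition (e.g. 'malicious') are dropped by filter_var_array() itself.
function sanitizeInput(array $f, array $input): array
{
    $sanitized = filter_var_array($input, $f['sanitize']);
    $validated = filter_var_array($sanitized, $f['validate']);
    return [$validated, findFailures($validated)];
}

// Constructed inputs: a well-formed request, then one with a malformed email and a scalar 'bar'.
[$okData, $okProblems]   = sanitizeInput($filters, ['malicious' => 'x', 'foo' => 'test@ema.il', 'bar' => ['apple', 'grape']]);
[$badData, $badProblems] = sanitizeInput($filters, ['foo' => 'not-an-email', 'bar' => 'apple']);
print_r($okProblems);
print_r($badProblems);
```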