
PHP: what could cause FILTER_UNSAFE_RAW to return FALSE?

After returning to a script from a long absence, I am stuck on a suddenly failing sanitization.
I found the problem in a filter unexpectedly returning false .

Here's an example to replicate my unintended results:

$test = [ 'apple', 'bananna', 'orange', 'lime', 'grape', ];
var_export( filter_var( $test, FILTER_UNSAFE_RAW ));  // false

I thought that FILTER_UNSAFE_RAW is supposed to just return the input (an array in this case) unchanged.
Am I wrong in my understanding/approach?

NOTE:
My code has to be strictly self-reliant and as light-weight as possible, so rather than loading 3rd party libraries/classes, I'm just writing in simple helper functions where needed.

EXAMPLE:

$filters = [
    'sanitize' => [ 
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => FILTER_UNSAFE_RAW,
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];

$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];

// validate
$checked = sanitizeInput( $filters, $test );

// sanitizer
function sanitizeInput( $f, $input )
{
    // sanitize
    $sanitized  = filter_var_array( $input, $f['sanitize'] );

    // validate
    $validated  = filter_var_array( $sanitized, $f['validate'] );

    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' ))
    {
        ...

As you can see, this approach requires that bar passes sanitization, even though no sanitizing action is necessary.

Am I misunderstanding FILTER_UNSAFE_RAW ?

It returns false since filter_var() can't validate an array. And filter_var_array() is like running filter_var() on each of the subject array's values. You can try to use an array as bar 's value inside the sanitize array, with FILTER_UNSAFE_RAW as the filter and FILTER_REQUIRE_ARRAY as the flags:

'sanitize' => [ 
    'foo' => FILTER_SANITIZE_EMAIL,
    'bar' =>  [
            'filter' => FILTER_UNSAFE_RAW,
            'flags'  => FILTER_REQUIRE_ARRAY
            ],
],

Another thing to note is that since you only use FILTER_UNSAFE_RAW without specifying flags, it will just do nothing. So not sanitizing it is the same. Though it won't work in your case because it will not be passed to validation.

Filter Flags Are Missing

It looks like you have not added the proper flags for the sanitize part of the filter_var_array call.

Whenever you are processing an array, you have to include the flag FILTER_REQUIRE_ARRAY .

Hence without the flag, you were getting the response as false .

Note: FILTER_UNSAFE_RAW just optionally strips or encodes special characters. Also, this is the default filter.

Example

$test['bar'] = array( 'apple', 'bananna', 'orange', 'lime', 'grape' );

$san['bar'] = [
  'filter' => FILTER_UNSAFE_RAW,
  'flags'  => FILTER_REQUIRE_ARRAY
];

print_r(filter_var_array( $test, $san ));

Output

Array
(
    [bar] => Array
        (
            [0] => apple
            [1] => bananna
            [2] => orange
            [3] => lime
            [4] => grape
        )

)

Edited Working Code

$filters = [
    'sanitize' => [ 
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' =>  [
            'filter' => FILTER_UNSAFE_RAW,
            'flags'  => FILTER_REQUIRE_ARRAY
        ],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];

$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];

// validate
$checked = sanitizeInput( $filters, $test );

// sanitizer
function sanitizeInput( $f, $input ) {

    // sanitize
    $sanitized  = filter_var_array( $input, $f['sanitize'] );

    print_r($sanitized);

    // validate
    $validated  = filter_var_array( $sanitized, $f['validate'] );

    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' )) {}

    return $validated;
}
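The following is an added example, not code from the question or either answer. It combines the FILTER_REQUIRE_ARRAY fix both answers describe with a failure check that looks for a literal FALSE in the validated result, since searching json_encode() output for the text "false" would also trigger on any legitimate value that contains that word. The helper name hasFailure() and the input values are constructed for this example.

```php
<?php
// Filter set as in the question, but with FILTER_REQUIRE_ARRAY on the raw
// pass-through so filter_var_array() accepts the array value for 'bar'.
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => [ 'filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY ],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'flags'   => FILTER_REQUIRE_ARRAY,
            // Anchored so that only a whole-word match is accepted.
            'options' => [ 'regexp' => '/^(apple|grape)$/' ],
        ],
    ],
];

// Constructed input: a key that is not in the definition (dropped by
// filter_var_array()), an email whose local part is the word "false"
// (a substring search on the JSON would wrongly flag this), and an
// array element that does not match the regexp.
$input = [
    'malicious' => 'something bad',
    'foo'       => 'false@ema.il',
    'bar'       => [ 'apple', 'grape', 'orange' ],
];

// Hypothetical helper: true if any leaf of the validated array is a
// literal FALSE, which is what filter_var_array() stores on failure.
function hasFailure( array $validated ): bool
{
    $failed = false;
    array_walk_recursive( $validated, function ( $v ) use ( &$failed ) {
        if ( $v === false ) {
            $failed = true;
        }
    });
    return $failed;
}

$sanitized = filter_var_array( $input, $filters['sanitize'] );
$validated = filter_var_array( $sanitized, $filters['validate'] );

var_export( $validated );
echo PHP_EOL;
// Reports a failure only because 'orange' failed the regexp, not because
// the string "false" appears in the email address.
var_export( hasFailure( $validated ) );
```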
