
Input filtering in PHP?

Is this link sufficient, for example, for input filtering of form data? With a POST, for example?

<?php
$var = 300;

$int_options = array(
  "options" => array(
    "min_range" => 0,
    "max_range" => 256
  )
);

// filter_var() returns the validated integer itself, so a valid value of 0
// would be falsy; compare against false rather than negating the result.
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false)
  {
  echo("Integer is not valid");
  }
else
  {
  echo("Integer is valid");
  }
?>

What is the most common kind of filtering? Like sanitizing strings and numbers. I use preg_match for validation of email fields on the server side and regular expression checks in JavaScript. I'm no validation nazi but would like to have some sort of filtering for the most common things.

These kinds of things I think I could abstract away in my application with some public static functions in a class, for example like this:

  Validate::String($str);
  Validate::Integer($int);

What do you think about that?

filter_var() is a good start. If you are planning on using these inputs in any type of SQL statement, you should look into properly sanitizing it for that, too.

PDO with prepared statements, mysql_real_escape_string or any other db wrapper (MDB2, etc...) should provide this functionality for you.

I guess the key idea here is that there is a difference between filtering and sanitizing data, and there are different levels of doing each. It's very much a multi-part process.

For filtering, you could do a type check (is this an int?) and then validate that the input meets your criteria (is this int between 1 and 128?).

You'll also need to sanitize the data: htmlspecialchars for output, some proper quoting and escaping for use in SQL.
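The two answers above describe one pipeline: filter (type check, then range or format check), then sanitize separately for each output context (bound parameters for SQL, htmlspecialchars for HTML). The script below is an added example that is not from the question or from either answer. The field names, the 0-130 age range, the 100-character name limit and the SQLite in-memory database are assumptions chosen so it runs offline; the constructed request array stands in for $_POST.

```php
<?php
// Added example: validate with filter_var(), then sanitize per context
// (PDO bound parameters for SQL, htmlspecialchars() for HTML output).
declare(strict_types=1);

/**
 * Filtering step: type check plus range/format check.
 * Returns the validated values or throws on the first invalid field.
 */
function validateSignup(array $input): array
{
    // FILTER_VALIDATE_INT returns the int itself, so compare with === false:
    // a valid value of 0 would otherwise be treated as "invalid".
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 130],   // assumed range
    ]);
    if ($age === false) {
        throw new InvalidArgumentException('age must be an integer between 0 and 130');
    }

    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('email is not a valid address');
    }

    // Free text: accept any characters but enforce a length limit. Nothing is
    // stripped here, because escaping belongs to the output step, not the input step.
    $name = trim((string) ($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 characters');
    }

    return ['name' => $name, 'email' => $email, 'age' => $age];
}

/** Sanitizing for SQL: bound parameters, never string concatenation. */
function insertUser(PDO $db, array $user): int
{
    $stmt = $db->prepare('INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
    $stmt->bindValue(':name', $user['name'], PDO::PARAM_STR);
    $stmt->bindValue(':email', $user['email'], PDO::PARAM_STR);
    $stmt->bindValue(':age', $user['age'], PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

/** Sanitizing for HTML: escape at output time, for the HTML context. */
function renderUser(array $user): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return sprintf('<li>%s &lt;%s&gt;, age %d</li>', $e($user['name']), $e($user['email']), $user['age']);
}

// --- demo with constructed input (stands in for $_POST) ---
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

$requests = [
    ['name' => "O'Brien <script>alert(1)</script>", 'email' => 'ob@example.com', 'age' => '0'],
    ['name' => 'Alice', 'email' => 'not-an-email', 'age' => '42'],
    ['name' => 'Bob', 'email' => 'bob@example.com', 'age' => '300'],
];

foreach ($requests as $req) {
    try {
        $user = validateSignup($req);
        $id = insertUser($db, $user);
        echo "stored #$id: " . renderUser($user) . "\n";
    } catch (InvalidArgumentException $ex) {
        echo 'rejected: ' . $ex->getMessage() . "\n";
    }
}
```

The first request is accepted: age 0 passes because the result is compared with `=== false`, the apostrophe in the name is handled by the bound parameter rather than by escaping, and the script tag is neutralised only at render time. The second and third are rejected by the email and range checks respectively.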

There is no common specification which says how to filter the user input. But using the built-in functions is a very good starting point.

Date filtering is pretty common. For that I just use strtotime() and see if it comes out to a reasonable date (i.e. not 1969). Then the user can enter just about anything, including "+12 days".

Passwords are common, but a unique case. You may not want to allow spaces, must be a min length, contains letters and numbers, etc.

Data elements like social security number, phone and zip code can be simple: must be a certain length and contain only numbers (US). Or make them robust: make sure they are a valid format and within the "used" ranges. For example, a phone number can't start with 0.

Ideally one validation would use another. For example, zip code calling an "only_digits" validation function first, then more detailed checking if valid.
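The layering this answer describes (zip and phone first reusing an only-digits check, then their own format rules; dates through strtotime() with a plausibility check; a password policy) as an added example, not code from the answer. The concrete rules (5-digit US ZIP, 10-digit phone, 1970-2100 as the plausible date range, an 8-character password minimum) are assumptions chosen to illustrate the pattern, not a standard.

```php
<?php
// Added example: validators that build on each other. Rule values are assumptions.
declare(strict_types=1);

final class Validate
{
    /** Base check reused by the others: non-empty and ASCII digits only. */
    public static function onlyDigits(string $s): bool
    {
        return $s !== '' && ctype_digit($s);
    }

    /** US ZIP (assumed rule): digits only, then exactly 5 of them. */
    public static function zip(string $s): bool
    {
        return self::onlyDigits($s) && strlen($s) === 5;
    }

    /** US phone (assumed rule): 10 digits after removing separators, not starting with 0. */
    public static function phone(string $s): bool
    {
        $digits = preg_replace('/[\s().-]/', '', $s);   // accept "(555) 123-4567" style input
        return self::onlyDigits($digits) && strlen($digits) === 10 && $digits[0] !== '0';
    }

    /**
     * Date via strtotime(): free-form input such as "+12 days" is fine, but
     * parse failures and implausible years are rejected (the "not 1969" check).
     */
    public static function date(string $s): bool
    {
        $ts = strtotime($s);
        if ($ts === false) {
            return false;
        }
        $year = (int) date('Y', $ts);
        return $year >= 1970 && $year <= 2100;   // assumed plausible range
    }

    /** Password (assumed policy): min length, no whitespace, at least one letter and one digit. */
    public static function password(string $s): bool
    {
        return strlen($s) >= 8
            && preg_match('/\s/', $s) === 0
            && preg_match('/[A-Za-z]/', $s) === 1
            && preg_match('/\d/', $s) === 1;
    }
}

// --- constructed inputs exercising each rule, with the expected verdict ---
$cases = [
    ['zip',      '02134',          true],
    ['zip',      '2134',           false],   // too short
    ['zip',      '02134-1234',     false],   // ZIP+4 fails the only-digits base check
    ['phone',    '(555) 123-4567', true],
    ['phone',    '0551234567',     false],   // leading 0
    ['phone',    '555-1234',       false],   // too short
    ['date',     '+12 days',       true],
    ['date',     'not a date',     false],
    ['date',     '1 Jan 1969',     false],   // parses, but outside the plausible range
    ['password', 'hunter2',        false],   // too short
    ['password', 'correct horse1', false],   // contains a space
    ['password', 'Tr0ubadour',     true],
];

foreach ($cases as [$rule, $input, $expected]) {
    $got = call_user_func([Validate::class, $rule], $input);
    printf("%-8s %-16s => %-5s %s\n", $rule, var_export($input, true),
        var_export($got, true), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Each specific validator calls the base check before applying its own rule, so a failure in the base check short-circuits the rest; every row of the constructed table should print "ok".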
