PHP Built-in String Validation Functions
PHP5 Built-in String Filter Functions
For Your Application Security
By d0ubl3_h3lix
http://yehg.org
April 2008
Agenda
• Why We Use?
• Need to Know
• Secure Practice
• Validation Vs Sanitization
• PHP5 Built-in Filtering Functions
Why We Use?
• 100% of injection attacks (XSS, SQL, XPath, OS command, etc.) come from inputs where filtering is weak or absent
• Be aware of inputs as well as outputs
• You know: Garbage In, Garbage Out
• For attackers: Garbage In, Gold Out
Need to Know
• There are many more issues in filtering, such as encoding issues
• An attacker can send strings in different charset formats
• This causes your visitors' browsers to auto-detect the charset and interpret the string the way the attacker wants
• Reason: the application failed to convert the string to its intended charset when it was first stored in the database
Secure Practice
Always convert input/output to the intended charset before intensive filtering/sanitization
Validation Vs Sanitization
• Validation means the string format is exactly what you want
• A validated string can't be assumed 'secure'
• You can't know whether a validated string still contains characters that are meaningful to various back-end systems
• That's why a validated string needs to be sanitized too!
PHP5 Built-in String Filter Functions
htmlspecialchars
• Description: Convert special characters to HTML entities
• Usage:
string htmlspecialchars ( string string [, int quote_style [, string charset]] )
Quote_Style
• ENT_COMPAT: Will convert double-quotes and leave single-quotes alone.
• ENT_QUOTES: Will convert both double and single quotes.
• ENT_NOQUOTES: Will leave both double and single quotes unconverted.
Supported Charsets
• ISO-8859-1
• ISO-8859-15
• UTF-8
• cp866 (ibm866, 866)
• cp1251 (Windows-1251, win-1251, 1251)
• cp1252 (Windows-1252, 1252)
• KOI8-R (koi8-ru, koi8r)
• BIG5
• GB2312
• BIG5-HKSCS
• Shift_JIS
• EUC-JP
Example
Not Secure: htmlspecialchars($untrusted_input);
Relatively Secure: htmlspecialchars($untrusted_input, ENT_QUOTES, "UTF-8");
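As an added example (not part of the original slides), the same constructed untrusted value is passed through the "Not Secure" and the "Relatively Secure" calls above and then placed inside a single-quoted HTML attribute, which is where the quote_style argument makes the difference; is_attribute_safe() is a helper name chosen here.

```php
<?php
// Added example (not part of the original slides): why quote_style matters when the
// escaped value lands inside a '-delimited attribute.

// Constructed untrusted input: a single quote that would close a '-delimited attribute.
$untrusted_input = "x' class='injected";

// Default quote_style is ENT_COMPAT: double quotes are encoded, single quotes are not.
$weak = htmlspecialchars($untrusted_input);

// ENT_QUOTES encodes both quote kinds; the charset is stated explicitly, as the deck
// recommends, so the function knows which byte sequences are valid.
$strong = htmlspecialchars($untrusted_input, ENT_QUOTES, 'UTF-8');

// With the weak call the raw single quote survives, so the value ends the title
// attribute early and the rest of the input becomes a second attribute.
echo "<span title='$weak'>visitor</span>\n";

// With the strong call the quote has become &#039; and the whole value stays inside title.
echo "<span title='$strong'>visitor</span>\n";

// The check a reviewer can apply to any value destined for an attribute:
// no raw quote of either kind may remain after escaping.
function is_attribute_safe($escaped) {
    return strpos($escaped, "'") === false && strpos($escaped, '"') === false;
}

// $weak still carries a raw single quote; $strong does not.
var_dump(is_attribute_safe($weak));
var_dump(is_attribute_safe($strong));
```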
htmlentities
• Description: Convert all applicable characters to HTML entities
• Usage:
string htmlentities ( string string [, int quote_style [, string charset]] )
Example
Not Secure: htmlentities($untrusted_input);
Relatively Secure: htmlentities($untrusted_input, ENT_QUOTES, "UTF-8");
htmlspecialchars vs htmlentities
• htmlentities() converts every character that has an HTML entity equivalent, while htmlspecialchars() converts only:
& => &amp;
" => &quot;
' => &#039; (with ENT_QUOTES)
< => &lt;
> => &gt;
strip_tags
• Description: Strip HTML and PHP tags from a string
• Usage:
string strip_tags ( string str [, string allowable_tags] )
Example: Stripping HTML
// Returns: Hello Admin!alert('0wned u');
strip_tags("<b>Hello Admin!</b><script>alert('0wned u');</script>");
// Returns: <b>bold</b> Nice  (only <b> is kept, because it is listed in allowable_tags)
strip_tags("<b>bold</b> <i>Nice</i>", "<b>");
Example: Stripping PHP
// Returns: Hello Admin!
strip_tags("Hello Admin!<?php /*attacker's shellcode/backdoor script*/?>");
PHP code like this is commonly embedded in images and other binary-like files.
escapeshellcmd
• Description: Escape shell metacharacters - #&;`|*?~<>^()[]{}$\, \x0A and \xFF
• Usage:
string escapeshellcmd ( string command )
Example
$input = "solution & whoami &";
escapeshellcmd("process $input");
// Returns: process solution \& whoami \&
// Each & is escaped (with a backslash on Unix, a caret on Windows), so the shell no
// longer treats it as a command separator
mysql_real_escape_string
• Description: Escapes special characters in a string for use in a SQL statement; a database connection must be open first
• Usage:
string mysql_real_escape_string ( string unescaped_string [, resource link_identifier] )
mysql_escape_string
• Description: Escapes a string for use in a mysql_query; a database connection must be open first
• Usage:
string mysql_escape_string ( string unescaped_string )
is_* Functions
To check whether a variable is of the desired type:
• is_array -- Whether a variable is an array
• is_binary -- Whether a variable is a native binary string
• is_bool -- Whether a variable is a boolean
• is_buffer -- Whether a variable is a native unicode or binary string
• is_callable -- Verify that the contents of a variable can be called as a function
• is_double -- Alias of is_float()
• is_float -- Whether a variable is a float
• is_int -- Whether a variable is an integer
• is_integer -- Alias of is_int()
• is_long -- Alias of is_int()
• is_null -- Whether a variable is NULL
• is_numeric -- Whether a variable is a number or a numeric string
• is_object -- Whether a variable is an object
• is_real -- Alias of is_float()
• is_resource -- Whether a variable is a resource
• is_scalar -- Whether a variable is a scalar
• is_string -- Whether a variable is a string
• is_unicode -- Whether a variable is a unicode string
Good Practice With is_*
For example:
$start = (isset($_GET['num']) && is_numeric($_GET['num'])) ? (int)$_GET['num'] : die("Hacking Attempt!");
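An added example (not part of the original slides) comparing the is_numeric() check above with filter_var() and FILTER_VALIDATE_INT, which the deck covers later: is_numeric() also accepts floats, signs and leading zeros, so an integer-only parameter gets values it should reject. The sample values are constructed, and start_via_is_numeric() / start_via_filter() are helper names chosen here.

```php
<?php
// Added example (not part of the original slides): the slide's is_numeric() check
// beside the stricter FILTER_VALIDATE_INT filter, run over the same sample values.

// The slide's check, with die() replaced by a null return so the two can be compared.
function start_via_is_numeric($num) {
    return (isset($num) && is_numeric($num)) ? (int)$num : null;
}

// The stricter check: a whole number within 1..10 (the range used on the filter_input
// slide), returned as int; false when either the format or the range does not match.
function start_via_filter($num) {
    return filter_var($num, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 1, 'max_range' => 10)));
}

// Constructed values as they might arrive in ?num=
$samples = array(
    '7',     // plain integer: both checks accept it
    '+7',    // explicit sign: both accept it
    '12.5',  // is_numeric() accepts the float and (int) silently truncates it; the filter rejects it
    '007',   // leading zeros: is_numeric() accepts; FILTER_VALIDATE_INT rejects unless FILTER_FLAG_ALLOW_OCTAL is set
    '99',    // numeric but outside 1..10: only the filter notices
    'abc',   // both reject
);

foreach ($samples as $num) {
    printf("%-8s is_numeric path: %-6s filter path: %s\n",
        var_export($num, true),
        var_export(start_via_is_numeric($num), true),
        var_export(start_via_filter($num), true));
}
```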
filter_* Functions
• filter_has_var -- Checks if variable of specified type exists
• filter_id -- Returns the filter ID belonging to a named filter
• filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
• filter_input -- Gets variable from outside PHP and optionally filters it
• filter_list -- Returns a list of all supported filters
• filter_var_array -- Gets multiple variables and optionally filters them
• filter_var -- Filters a variable with a specified filter
Filterable Types
• INPUT_POST (integer) – POST variables.
• INPUT_GET (integer) – GET variables.
• INPUT_COOKIE (integer) – COOKIE variables.
• INPUT_ENV (integer) – ENV variables.
• INPUT_SERVER (integer) – SERVER variables.
• INPUT_SESSION (integer) – SESSION variables. (not implemented yet in PHP5)
• INPUT_REQUEST (integer) – REQUEST variables. (not implemented yet in PHP5)
Filter Options
• FILTER_FLAG_NONE (integer) – No flags.
• FILTER_REQUIRE_SCALAR (integer) – Flag used to require scalar as input
Scalar variables are those containing an integer, float, string or boolean. Types array, object and resource are not scalar.
Filter Options
• FILTER_REQUIRE_ARRAY (integer) – Require an array as input.
• FILTER_FORCE_ARRAY (integer) – Always returns an array.
• FILTER_NULL_ON_FAILURE (integer) – Use NULL instead of FALSE on failure.
Filter Options
• FILTER_VALIDATE_INT (integer) – ID of "int" filter.
• FILTER_VALIDATE_BOOLEAN (integer) – ID of "boolean" filter.
• FILTER_VALIDATE_FLOAT (integer) – ID of "float" filter.
Filter Options
• FILTER_VALIDATE_REGEXP (integer) – ID of "validate_regexp" filter.
• FILTER_VALIDATE_URL (integer) – ID of "validate_url" filter.
• FILTER_VALIDATE_EMAIL (integer) – ID of "validate_email" filter.
Filter Options
• FILTER_VALIDATE_IP (integer) – ID of "validate_ip" filter.
• FILTER_DEFAULT (integer) – ID of default ("string") filter.
• FILTER_UNSAFE_RAW (integer) – ID of "unsafe_raw" filter.
• FILTER_SANITIZE_STRING (integer) – ID of "string" filter.
Filter Options
• FILTER_SANITIZE_STRIPPED (integer) – ID of "stripped" filter.
• FILTER_SANITIZE_ENCODED (integer) – ID of "encoded" filter.
• FILTER_SANITIZE_SPECIAL_CHARS (integer) – ID of "special_chars" filter.
• FILTER_SANITIZE_EMAIL (integer) – ID of "email" filter.
Filter Options
• FILTER_SANITIZE_URL (integer) – ID of "url" filter.
• FILTER_SANITIZE_NUMBER_INT (integer) – ID of "number_int" filter.
• FILTER_SANITIZE_NUMBER_FLOAT (integer) – ID of "number_float" filter.
• FILTER_SANITIZE_MAGIC_QUOTES (integer) – ID of "magic_quotes" filter.
Filter Options
• FILTER_CALLBACK (integer) – ID of "callback" filter.
• FILTER_FLAG_ALLOW_OCTAL (integer) – Allow octal notation (0[0-7]+) in "int" filter.
• FILTER_FLAG_ALLOW_HEX (integer) – Allow hex notation (0x[0-9a-fA-F]+) in "int" filter.
• FILTER_FLAG_STRIP_LOW (integer) – Strip characters with ASCII value less than 32.
Filter Options
• FILTER_FLAG_STRIP_HIGH (integer) – Strip characters with ASCII value greater than 127.
• FILTER_FLAG_ENCODE_LOW (integer) – Encode characters with ASCII value less than 32.
• FILTER_FLAG_ENCODE_HIGH (integer) – Encode characters with ASCII value greater than 127.
• FILTER_FLAG_ENCODE_AMP (integer) – Encode &.
Filter Options
• FILTER_FLAG_NO_ENCODE_QUOTES (integer) – Don't encode ' and ".
• FILTER_FLAG_EMPTY_STRING_NULL (integer) – (No use for now.)
• FILTER_FLAG_ALLOW_FRACTION (integer) – Allow fractional part in "number_float" filter.
Filter Options
• FILTER_FLAG_ALLOW_THOUSAND (integer) – Allow thousand separator (,) in "number_float" filter.
• FILTER_FLAG_ALLOW_SCIENTIFIC (integer) – Allow scientific notation (e, E) in "number_float" filter.
• FILTER_FLAG_SCHEME_REQUIRED (integer) – Require scheme in "validate_url" filter.
Filter Options
• FILTER_FLAG_HOST_REQUIRED (integer) – Require host in "validate_url" filter.
• FILTER_FLAG_PATH_REQUIRED (integer) – Require path in "validate_url" filter.
• FILTER_FLAG_QUERY_REQUIRED (integer) – Require query in "validate_url" filter.
Filter Options
• FILTER_FLAG_IPV4 (integer) – Allow only IPv4 address in "validate_ip" filter.
• FILTER_FLAG_IPV6 (integer) – Allow only IPv6 address in "validate_ip" filter.
• FILTER_FLAG_NO_RES_RANGE (integer) – Deny reserved addresses in "validate_ip" filter.
• FILTER_FLAG_NO_PRIV_RANGE (integer) – Deny private addresses in "validate_ip" filter.
Filter Definitions
• ID: FILTER_VALIDATE_INT
• Options: min_range, max_range
• Flags: FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX
• Description: Validates value as integer, optionally from the specified range.
Filter Definitions
• ID: FILTER_VALIDATE_BOOLEAN
• Flags: FILTER_NULL_ON_FAILURE
• Description: Returns TRUE for "1", "true", "on" and "yes", FALSE for "0", "false", "off", "no", and "", NULL otherwise.
Filter Definitions
• ID: FILTER_VALIDATE_FLOAT
• Flags: FILTER_FLAG_ALLOW_THOUSAND
• Description: Validates value as float.
Filter Definitions
• ID: FILTER_VALIDATE_REGEXP
• Options: regexp
• Description: Validates value against regexp, a Perl-compatible regular expression.
Filter Definitions
• ID: FILTER_VALIDATE_URL
• Flags: FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED
• Description: Validates value as URL, optionally with required components.
Filter Definitions
• ID: FILTER_VALIDATE_EMAIL
• Description: Validates value as e-mail.
Filter Definitions
• ID: FILTER_VALIDATE_IP
• Flags: FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE
• Description: Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.
Filter Definitions
• ID: FILTER_SANITIZE_STRING
• Flags: FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
• Description: Strip tags, optionally strip or encode special characters.
Filter Definitions
• ID: FILTER_SANITIZE_STRIPPED
• Alias of FILTER_SANITIZE_STRING.
Filter Definitions
• ID: FILTER_SANITIZE_ENCODED
• Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH
• Description: URL-encode string, optionally strip or encode special characters.
Filter Definitions
• ID: FILTER_SANITIZE_SPECIAL_CHARS
• Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH
• Description: HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.
Filter Definitions
• ID: FILTER_UNSAFE_RAW
• Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
• Description: Do nothing, optionally strip or encode special characters.
Filter Definitions
• ID: FILTER_SANITIZE_EMAIL
• Description: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
Filter Definitions
• ID: FILTER_SANITIZE_URL
• Description: Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
Filter Definitions
• ID: FILTER_SANITIZE_NUMBER_INT
• Description: Remove all characters except digits and +-.
Filter Definitions
• ID: FILTER_SANITIZE_NUMBER_FLOAT
• Flags: FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC
• Description: Remove all characters except digits, +- and optionally .,eE.
Filter Definitions
• ID: FILTER_SANITIZE_MAGIC_QUOTES
• Description: Apply addslashes().
Filter Definitions
• ID: FILTER_CALLBACK
• Options: callback function or method
• Description: Call user-defined function to filter data.
Remind: filter_* Functions
• filter_has_var -- Checks if variable of specified type exists
• filter_id -- Returns the filter ID belonging to a named filter
• filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
• filter_input -- Gets variable from outside PHP and optionally filters it
• filter_list -- Returns a list of all supported filters
• filter_var_array -- Gets multiple variables and optionally filters them
• filter_var -- Filters a variable with a specified filter
filter_has_var
• Description: Checks if variable of specified type exists
• Usage:
bool filter_has_var ( int type, string variable_name )
Example
filter_has_var(INPUT_GET,'searchstr');
is equivalent to
isset($_GET['searchstr'])
filter_id
• Description: Returns the filter ID belonging to a named filter
• Usage:
int filter_id ( string filtername )
filter_list
• Description: Returns a list of all supported filters
• Usage:
array filter_list ( void )
filter_input
• Description: Gets variable from outside PHP and optionally filters it
• Usage:
mixed filter_input ( int type, string variable_name [, int filter [, mixed options]] )
Example
filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
// 'number' is a single GET value, so no array flag is set here: requiring an array
// would make every scalar input fail. Only the range options are passed.
filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT,
    array('options' => array('min_range' => 1, 'max_range' => 10))
);
filter_input_array
• Description: Gets multiple variables from outside PHP and optionally filters them
• Usage:
mixed filter_input_array ( int type [, mixed definition] )
Example
/* Let's say data come from POST as follows: */
$_POST = array(
    'visitor_name'  => 'MgMg',
    'visitor_email' => '[email protected]',
    'visitor_url'   => 'http://myanmar.com'
);
Example
We can write filter rules like:
$visitor_sanitized_rules = array(
    'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
    'visitor_email' => FILTER_VALIDATE_EMAIL,
    'visitor_url'   => FILTER_VALIDATE_URL
);
Example
Then, we can implement it like:
$visitor_inputs = filter_input_array(INPUT_POST, $visitor_sanitized_rules);
No Real Difference!
filter_input(_array) and filter_var(_array) apply exactly the same filters; the only difference is where the value comes from (a request variable fetched for you, or a variable you already hold).
filter_var
• Description: Filters a variable with a specified filter
• Usage:
mixed filter_var ( mixed variable [, int filter [, mixed options]] )
Example
filter_var($_POST['visitor_name'], FILTER_SANITIZE_SPECIAL_CHARS);
filter_var($_POST['visitor_email'], FILTER_VALIDATE_EMAIL);
filter_var($_POST['visitor_url'], FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);
filter_var_array
• Description: Gets multiple variables and optionally filters them
• Usage:
mixed filter_var_array ( array data [, mixed definition] )
Example
/* Same as before. No big difference: */
$visitor_data = array(
    'visitor_name'  => 'MgMg',
    'visitor_email' => '[email protected]',
    'visitor_url'   => 'http://myanmar.com'
);
Example
We can write filter rules like:
$visitor_sanitized_rules = array(
    'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
    'visitor_email' => FILTER_VALIDATE_EMAIL,
    'visitor_url'   => FILTER_VALIDATE_URL
);
Example
Then, we can implement it like:
$visitor_inputs = filter_var_array($visitor_data, $visitor_sanitized_rules);
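An added example (not part of the original slides) that carries the visitor-form rules above through to a complete filter_var_array() definition with per-field flags and options, and adds the result check the slides leave out: a field that fails its filter comes back as false and a field missing from the data as null. The sample data and the visitor_age field are constructed, and filter_visitor() is a helper name chosen here.

```php
<?php
// Added example (not part of the original slides): a full filter_var_array()
// definition for the visitor form, plus the false/null result check a caller needs.

// Constructed stand-in for $_POST. The URL has no scheme and the age is absent on purpose.
$visitor_data = array(
    'visitor_name'  => "MgMg <b>admin</b>\x01",
    'visitor_email' => 'mgmg@example.com',
    'visitor_url'   => 'myanmar.com',
);

$visitor_rules = array(
    // Sanitizer with a flag: HTML-escape '"<>& and drop control characters below ASCII 32.
    'visitor_name'  => array(
        'filter' => FILTER_SANITIZE_SPECIAL_CHARS,
        'flags'  => FILTER_FLAG_STRIP_LOW,
    ),
    // Plain validator, no extra settings.
    'visitor_email' => FILTER_VALIDATE_EMAIL,
    // Validator with a flag, as on the filter_var slide. (PHP 7.3 and later always
    // require scheme and host and report this flag as deprecated.)
    'visitor_url'   => array(
        'filter' => FILTER_VALIDATE_URL,
        'flags'  => FILTER_FLAG_SCHEME_REQUIRED,
    ),
    // Validator with options; this key is not present in the data, so it yields null.
    'visitor_age'   => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 1, 'max_range' => 120),
    ),
);

// Returns array(filtered values, list of field problems).
function filter_visitor(array $data, array $rules) {
    $clean    = filter_var_array($data, $rules);
    $problems = array();
    foreach (array_keys($rules) as $field) {
        if ($clean[$field] === false) {
            $problems[] = "$field: failed validation";
        } elseif ($clean[$field] === null) {
            $problems[] = "$field: missing from input";
        }
    }
    return array($clean, $problems);
}

list($clean, $problems) = filter_visitor($visitor_data, $visitor_rules);

if ($problems) {
    // Reject the whole submission; never fall back to the raw $visitor_data values.
    foreach ($problems as $p) {
        echo "rejected: $p\n";
    }
} else {
    // Reached only when every field validated; $clean holds the escaped name.
    echo "accepted: ", $clean['visitor_name'], "\n";
}
```

With the constructed data the URL fails (false) and the age is missing (null), so the submission is rejected with two reasons.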
Last But Not Least,
Did you notice two things lacking in the filter_* functions?
First ..
You have to filter twice in some cases, like:
$email = $_GET['email'];
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
Second …
No Charset Conversion Functions!
Do-It-Yourself Exercise!
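As an added example (not part of the original slides), one way to do the charset exercise the deck leaves to the reader: the mbstring extension (assumed loaded) forces every input into the intended charset before any filter runs, as the "Secure Practice" slide demands, and rejects bytes that are not valid in the charset they claim. to_intended_charset() and safe_html() are helper names chosen here, and the inputs are constructed.

```php
<?php
// Added example (not part of the original slides): a do-it-yourself charset step
// placed in front of htmlspecialchars(). Uses mbstring (assumed loaded).

define('INTENDED_CHARSET', 'UTF-8');

// Return $input as a valid INTENDED_CHARSET string, or null when it cannot be
// trusted. $declared is the charset the client claims to have used.
function to_intended_charset($input, $declared = INTENDED_CHARSET) {
    if (strcasecmp($declared, INTENDED_CHARSET) === 0) {
        // Claims to be the intended charset already: accept only if every byte
        // sequence is actually valid in it.
        return mb_check_encoding($input, INTENDED_CHARSET) ? $input : null;
    }
    // Convert only from charsets mbstring knows by exact name, and only when the
    // bytes are valid in that charset; anything else is an unknown byte blob.
    $known = array_map('strtoupper', mb_list_encodings());
    if (!in_array(strtoupper($declared), $known, true)
        || !mb_check_encoding($input, $declared)) {
        return null;
    }
    $converted = mb_convert_encoding($input, INTENDED_CHARSET, $declared);
    return mb_check_encoding($converted, INTENDED_CHARSET) ? $converted : null;
}

// Normalise first, then escape with the charset stated, as the deck recommends.
// Returns null instead of guessing when the input could not be normalised.
function safe_html($input, $declared = INTENDED_CHARSET) {
    $normalized = to_intended_charset($input, $declared);
    if ($normalized === null) {
        return null;
    }
    return htmlspecialchars($normalized, ENT_QUOTES, INTENDED_CHARSET);
}

// Constructed inputs: the text "Café <b>" in three byte forms.
$valid_utf8 = "Caf\xC3\xA9 <b>"; // valid UTF-8
$latin1     = "Caf\xE9 <b>";     // valid ISO-8859-1, not valid UTF-8
$truncated  = "Caf\xC3 <b>";     // UTF-8 lead byte with no continuation byte

var_dump(safe_html($valid_utf8));            // escaped, accent kept
var_dump(safe_html($latin1, 'ISO-8859-1'));  // converted to UTF-8 first, then escaped
var_dump(safe_html($latin1));                // null: claims UTF-8 but the bytes are not valid UTF-8
var_dump(safe_html($truncated));             // null: the broken sequence is rejected, not escaped
```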
Thank You!
Reference
• PHP 5.25 Manual