Sagame350 Casino No Deposit Bonus Nederland Review: Als u niet kunt zien een logo overal op de sites hoofdpagina's, kunt u meestal de informatie in de Over ons sectie.
  • Kaartspel In Het Frans - Deze online websites bieden u enkele van de beste gratis spins.
  • Madison Casino No Deposit Bonus Nederland Review: Op de beste casino's in de Verenigde Staten, kunt u spelen Slots van Rabcat.
  • Verschil poker en texas holdem

    Swedencasino No Deposit Bonus Nederland Review
    De beste casino's bieden secties waar statistieken en voorspellingen worden gepresenteerd om gebruikers te helpen de beste keuze te maken.
    Mediamarkt 60 Dagen Geluk Jackpot
    Meest welkome bonussen hebben de neiging om tegemoet te komen aan slot spelers.
    Alles wat we doen in het bestaan ongeacht hoe klein of groot heeft de mogelijkheid voor het coachen van je iets gekoesterd, en het vermogen in de eerste plaats gebaseerd volledig recreatie zoals 21 kaarten rummy echt heeft veel te bieden.

    Theeglazen postcode loterij

    Slot Shining Hot 20 By Pragmatic Play Demo Free Play
    Vrouwelijke wildernis pop-up op de laatste kolom alleen.
    Aladdin Slots Casino No Deposit Bonus Nederland Review
    Maar je bent op zoek naar een beter paartje..
    Betlion Casino No Deposit Bonus Nederland Review

    Input validation with filter functions

    Introduction
    Although PHP has a lot of filter functions available, I found that still to many people are using (often incorrect) regular expressions to validate user input. The filter extension is simple, standard available and will fulfill the common validations. Below some pratical examples and things to consider when working with PHP filter functions.

    Which are available?
    Below a shameless copy paste of the PHP documentation.

    • filter_has_var — Checks if variable of specified type exists
    • filter_id — Returns the filter ID belonging to a named filter
    • filter_input_array — Gets external variables and optionally filters them
    • filter_input — Gets a specific external variable by name and optionally filters it
    • filter_list — Returns a list of all supported filters
    • filter_var_array — Gets multiple variables and optionally filters them
    • filter_var — Filters a variable with a specified filter

    Pratical use

    Sanitizing
    “Filter input escape output” every developer knows this but it is a repetitive job but with the filter extension filterering input became a lot easier. When you correctly filter input you drastically lower the change of application vulnerabilities.

    Sanitizing a single variable

    $sText = ' ';
    $sText = filter_var($sText, FILTER_SANITIZE_STRING);
    echo $sText; // This is a comment from a alert("scriptkiddie");
    

    Sanitizing multiple variables, same principle as above but with an array, the filter will sanitize all values inside the array

    filter_var_array($_POST, FILTER_SANITIZE_STRING);
    

    Validating an email address

    if(filter_var($sEmail, FILTER_VALIDATE_EMAIL) === false) {
         $this->addError('Invalid email address', $sEmail);
    }
    

    Validation a complete array
    Validating all your data at once with a single filter will make your code clear, all in one place and is more easy to maintain an example below.

    $aData = array(
    	'student'	=> 'Sjoerd Maessen',
    	'class'		=> '21',
    	'grades' => array(
    			'math' => 9,
    			'geography' => 66,
    			'gymnastics' => 7.5
    	)
    );
    
    $aValidation = array(
    	'student'	=> FILTER_SANITIZE_STRING,
    	'class'		=> FILTER_VALIDATE_INT,
    	'grades'	=> array(
    				'filter' => FILTER_VALIDATE_INT,
    				'flags'	 => FILTER_FORCE_ARRAY,
    				'options'=> array('min_range'=>0, 'max_range'=>10))
    );
    
    echo '
    ';
    var_dump(filter_var_array($aData, $aValidation));
    
    /*array(3) {
      ["student"]=>
      string(14) "Sjoerd Maessen"
      ["class"]=>
      int(21) // Thats strange, my string is converted
      ["grades"]=>
      array(3) {
        ["math"]=>
        int(9)
        ["geography"]=>
        bool(false) // 66 is > 10
        ["gymnastics"]=>
        bool(false) // 7.5 is not an int
      }
    }*/
    

    Note: okay I did not expect that the string '21' would validate true against FILTER_VALIDATE_INT, after some more testing I also noticed that min_range and max_range only work with FILTER_VALIDATE_INT, when using floats or scalars the options are just ignored, so be aware!

    The sanitizing examples above can be made easily more restrictive by adding flags like FILTER_FLAG_STRIP_LOW to the sanitize filter, FILTER_FLAG_STRIP_LOW will for example strip all characters that have a numerical value below 32.

    Things to consider
    Although the filter functions are some time available some of them aren't flawless, at some points the documentation is missing or very unclear. Another example is the filter_var validation for IPv6 addresses. (see bug report #50117). So it is always a good thing to check if the filter is really doing what you expect it does. Write testcases before using. If you use it correctly you can write your validations in the blink of an eye, and this extension will be your new best friend.

    Links
    Filter functions
    Filter flags

    2 thoughts on “Input validation with filter functions”

    1. These filter functions are definitely a step forward! But they should not be mis-used.

      Don’t use filters to check whether URLs are valid, and don’t use them to validate e-mail addresses. Those entities just shouldn’t be validated that harsh, it’s pointless.

      But as you already pointed out correctly, it’s odd the FILTER_VALIDATE_INT also allows numbers as strings; maybe it’s out of the scope of the filter function set, since values from $_GET variables are mostly string values, which means that if FILTER_VALIDATE_INT would only allow integers, $_GET variables would fail this validation, and that would be odd too…

    2. Be ware that the filters are not bug-free. For example, FILTER_VALIDATE_URL has a huge bug (says – is not invalid character)…

    Leave a Comment

    Your email address will not be published. Required fields are marked *