PHP 5 Advanced: Visual QuickPro Guide
Security Techniques: Part 2
[Excerpted from PHP 5 Advanced: Visual QuickPro Guide by Larry Ullman. Copyright © 2007. Used with permission of Pearson Education, Inc. and Peachpit Press.]
Using PECL Filter
New in PHP 5 and quite promising is the Filter library of PECL code. Being developed by PHP's creator and other major contributors, the future of Filter looks bright, even though it's still in beta form (at the time of this writing). The Filter package provides two types of security:
- Data validation by type
- Data sanitization
What Filter offers is a unified interface for performing common types of validation and sanitization. For example, I might commonly use code like this:
I could instead do this:
That might look like jabberwocky, but once you get the hang of Filter, the amount of work you can do in just a line of code will be worth the learning curve.
To filter individual variables, there are two functions you'll use: filter_input() and filter_var(). The first one is for working with variables coming from an outside source, like forms, cookies, sessions, and the server. The second is for variables within your own code. I'll focus on filter_input() here. Its syntax is:
filter_input($type, $variable_name, $filter, $options)
The sources, which the PHP manual calls "types," are INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV, INPUT_SESSION, and INPUT_REQUEST. As you can probably guess, each of these corresponds to a global variable ($_POST, etc.). For example, if a page receives data in the URL, you'd use INPUT_GET.
The second argument—the variable name—is the specific variable within the source that should be addressed. The $filter argument indicates the filter to apply, using the constants in Table 4.2. This argument is optional, as a default filter will be used if none is specified. Some filters also take options, like the FILTER_VALIDATE_INT in the preceding example (which can take a range).
Filters by Name
Table 4.2. These constants represent some of the filters that can be applied to data. For a complete list, see the PHP manual or invoke the filter_list() function.
| Filter | Purpose |
|---|---|
| FILTER_VALIDATE_INT | Confirms an integer, optionally in a range |
| FILTER_VALIDATE_FLOAT | Confirms a float |
| FILTER_VALIDATE_REGEXP | Matches a PCRE pattern |
| FILTER_VALIDATE_URL | Matches a URL |
| FILTER_VALIDATE_EMAIL | Matches an email address |
| FILTER_SANITIZE_ENCODED | URL-encodes a string |
The filter_input() function will return the filtered variable if the filtration or validation was successful, the Boolean FALSE if the filter didn't apply to the data, or the value NULL if the named variable didn't exist in the given input. Thus you have multiple levels of validation in just one step.
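The three-way return value above is easy to get wrong with a loose comparison, so here is an added example (mine, not the book's code) that checks registration-style fields against the filters in Table 4.2. It uses filter_var() over a constructed array so it runs from the command line, where filter_input() has no request data to read; in a real request you would call filter_input(INPUT_POST, ...) with the same filter constants, options, and return values.

```php
<?php
// Added example, not from the book. Constructed sample submission that
// stands in for $_POST; in a real page use filter_input(INPUT_POST, ...).
$submitted = array(
    'email' => 'user@example.com',
    'age'   => '17',         // below the min_range set in $rules
    'site'  => 'not a url',  // should fail FILTER_VALIDATE_URL
    'name'  => 'Ann & Bob',  // gets URL-encoded, not rejected
);

// Mirror filter_input() semantics: NULL if the field is missing,
// FALSE if the value fails the filter, the filtered value otherwise.
function check_field(array $src, $key, $filter, $options = 0)
{
    if (!array_key_exists($key, $src)) {
        return null;
    }
    return filter_var($src[$key], $filter, $options);
}

// Field => array(filter constant, options). Range options are passed
// to FILTER_VALIDATE_INT under the 'options' key, as the manual specifies.
$rules = array(
    'email' => array(FILTER_VALIDATE_EMAIL, 0),
    'age'   => array(FILTER_VALIDATE_INT,
                     array('options' => array('min_range' => 18, 'max_range' => 120))),
    'site'  => array(FILTER_VALIDATE_URL, 0),
    'name'  => array(FILTER_SANITIZE_ENCODED, 0),
    'zip'   => array(FILTER_VALIDATE_INT, 0),  // never submitted at all
);

$errors = array();
$clean  = array();
foreach ($rules as $field => $rule) {
    list($filter, $options) = $rule;
    $result = check_field($submitted, $field, $filter, $options);
    // Use === here: a valid '0' or '' would be treated as false by ==.
    if ($result === null) {
        $errors[] = "$field was not submitted";
    } elseif ($result === false) {
        $errors[] = "$field is not valid";
    } else {
        $clean[$field] = $result;
    }
}

print_r($clean);   // only the fields that passed, already filtered
print_r($errors);  // one message per missing or invalid field
```

Note that filter_input() reads the original request input, so it ignores any later changes made to $_POST or $_GET in your code; use filter_var() for values you have already modified.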
There's really a lot of information packed into just a few functions here, but I want to present a sample of how you would use the Filter library. To do so, I'll create a modified version of the registration form (Figure 4.4). Note that as of PHP 5.2, Filter is built into PHP. If you're using an earlier version, you may need to install it using the pecl installer (see the PHP manual for more).
Figure 4.4: This new registration form lacks the password and date of birth inputs.