Filtering and Sanitizing
Sanitizing user input is a critical part of software development. Trusting or neglecting to sanitize user input could lead to unauthorized access to the content of your application, mainly user data, or even the server your application is hosted on.

The Phalcon\Filter component provides a set of commonly used filters and data sanitizing helpers. It provides object-oriented wrappers around the PHP filter extension.
Types of Built-in Filters
The following are the built-in filters provided by this component:
| Name | Description |
|------|-------------|
| absint | Casts the value as an integer and returns its absolute value. |
| alphanum | Removes all characters except [a-zA-Z0-9]. |
| email | Removes all characters except letters, digits and !#$%&*+-/=?^_`{\|}~@.[] |
| float | Removes all characters except digits, dot, plus and minus sign. |
| float! | Removes all characters except digits, dot, plus and minus sign, then casts the result as a float. |
| int | Removes all characters except digits, plus and minus sign. |
| int! | Removes all characters except digits, plus and minus sign, then casts the result as an integer. |
| lower | Applies the strtolower function. |
| string | Strips tags and encodes HTML entities, including single and double quotes. |
| striptags | Applies the strip_tags function. |
| trim | Applies the trim function. |
| upper | Applies the strtoupper function. |
Note that the component uses the filter_var PHP function internally.
Constants are available and can be used to define the type of filtering required:

```php
<?php

const FILTER_ABSINT    = "absint";
const FILTER_ALPHANUM  = "alphanum";
const FILTER_EMAIL     = "email";
const FILTER_FLOAT     = "float";
const FILTER_FLOAT_CAST = "float!";
const FILTER_INT       = "int";
const FILTER_INT_CAST  = "int!";
const FILTER_LOWER     = "lower";
const FILTER_STRING    = "string";
const FILTER_STRIPTAGS = "striptags";
const FILTER_TRIM      = "trim";
const FILTER_UPPER     = "upper";
```
Sanitizing data
Sanitizing data is the process of removing specific characters from a value that are not required or desired by the user or application. By sanitizing input we ensure that the integrity of the application stays intact.

```php
<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns '[email protected]'
$filter->sanitize('some(one)@exa\mple.com', 'email');

// Returns 'hello'
$filter->sanitize('hello<<', 'string');

// Returns '100019'
$filter->sanitize('!100a019', 'int');

// Returns '100019.01'
$filter->sanitize('!100a019.01a', 'float');
```
Sanitizing from Controllers
You can access a Phalcon\Filter object from your controllers when accessing GET or POST input data (through the request object). The first parameter is the name of the variable to be obtained; the second is the filter to apply to it.

```php
<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {
    }

    public function saveAction()
    {
        // Sanitizing price from input ('float' is the built-in filter listed above)
        $price = $this->request->getPost('price', 'float');

        // Sanitizing email from input
        $email = $this->request->getPost('customerEmail', 'email');
    }
}
```
Filtering Action Parameters
The next example shows how to sanitize the action parameters within a controller action:

```php
<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {
    }

    public function showAction($productId)
    {
        // Route parameters are user input too: keep only digits and sign
        $productId = $this->filter->sanitize($productId, 'int');
    }
}
```
Filtering data
In addition to sanitizing, Phalcon\Filter also provides filtering by removing or modifying input data to the format we expect.
```php
<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns 'Hello'
$filter->sanitize('<h1>Hello</h1>', 'striptags');

// Returns 'Hello'
$filter->sanitize('  Hello   ', 'trim');
```
Combining Filters
You can also run multiple filters on a string at the same time by passing an array of filter identifiers as the second parameter; they are applied in the order given:

```php
<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns 'Hello'
$filter->sanitize(
    '   <h1> Hello </h1>   ',
    [
        'striptags',
        'trim',
    ]
);
```
Adding filters
You can add your own filters to Phalcon\Filter. The filter function could be an anonymous function:
```php
<?php

use Phalcon\Filter;

$filter = new Filter();

// Using an anonymous function: keep only lowercase hex digits
$filter->add(
    'md5',
    function ($value) {
        return preg_replace('/[^0-9a-f]/', '', $value);
    }
);

// Sanitize with the 'md5' filter
$possibleMd5 = 'd41d8cd98f00b204e9800998ecf8427e<script>';
$filtered = $filter->sanitize($possibleMd5, 'md5');
```
Or, if you prefer, you can implement the filter in a class:

```php
<?php

use Phalcon\Filter;

class IPv4Filter
{
    public function filter($value)
    {
        // Returns the address unchanged if it is a valid IPv4 address, false otherwise
        return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }
}

$filter = new Filter();

// Using an object
$filter->add(
    'ipv4',
    new IPv4Filter()
);

// Sanitize with the 'ipv4' filter
$filteredIp = $filter->sanitize('127.0.0.1', 'ipv4');
```
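The following is an added example, not code from the Phalcon documentation, showing two points the sections above leave implicit: a custom whitelist filter (assumed name 'slug') chained after built-in filters, where order matters, and a validating filter whose false result must be checked with a strict comparison.

```php
<?php
// Added example (not from the Phalcon docs). Assumes Phalcon\Filter is autoloadable.
use Phalcon\Filter;

// Custom whitelist filter: collapse anything outside [a-z0-9-] into a single dash.
// Allow-listing is safer than stripping known-bad characters.
class SlugFilter
{
    public function filter($value)
    {
        $value = preg_replace('/[^a-z0-9-]+/', '-', (string) $value);
        return trim($value, '-');
    }
}

$filter = new Filter();
$filter->add('slug', new SlugFilter());

// Validating filter: returns the input unchanged or false (never a "cleaned" value).
$filter->add('ipv4', function ($value) {
    return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
});

// Filters run in array order: striptags -> trim -> lower -> slug.
// Returns 'hello-world'
$slug = $filter->sanitize('  Hello <b>World</b>! ', ['striptags', 'trim', 'lower', 'slug']);

// Running 'slug' first would see the raw '<b>' text before tags are stripped,
// so the order of the array is part of the sanitizing policy.

// A validating filter must be checked with ===, because '0' and '' are also falsy
// and would otherwise be rejected (or false would be stored as an empty value).
$ip = $filter->sanitize('10.0.0.256', 'ipv4'); // returns false: 256 is out of range
if ($ip === false) {
    // reject the request instead of persisting the value
}
```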
Complex Sanitizing and Filtering
PHP itself provides an excellent filter extension you can use. Check out its documentation: Data Filtering at PHP Documentation
Implementing your own Filter
The Phalcon\FilterInterface interface must be implemented to create your own filtering service replacing the one provided by Phalcon.