Filtering and Sanitizing

Sanitizing user input is a critical part of software development. Trusting or neglecting to sanitize user input could lead to unauthorized access to the content of your application, mainly user data, or even the server your application is hosted on.

Full image on XKCD

The Phalcon\Filter component provides a set of commonly used filters and data sanitizing helpers. It provides object-oriented wrappers around the PHP filter extension.

Types of Built-in Filters

The following are the built-in filters provided by this component:

Name Description  
absint 将值强制转换为整数, 并返回它的绝对值。  
alphanum 除去[a-zA-Z0-9] 之外的所有字符  
email 删除所有字符除了字母, 数字和< 0 >! # $ %,* +,/ =? ^ _ < / 0 > {\ }~ @。[]”。
float Remove all characters except digits, dot, plus and minus sign.  
float! 删除除数字、点、加号和减号之外的所有字符, 然后将结果强制转换为浮点型。  
int 除去所有字符除了数字,加减号。  
int! 删除除数字、加号和减号之外的所有字符, 并将结果强制转换为整数。  
lower Applies the strtolower function  
string 标签和编码HTML实体,包括单引号和双引号。  
striptags 应用strip_tags函数  
trim Applies the trim function  
upper 应用strtoupper函数  

请注意,组件在内部使用filter_varPHP函数。

常数是可用的,可以用来定义所需的过滤类型:

<?php
const FILTER_ABSINT     = "absint";
const FILTER_ALPHANUM   = "alphanum";
const FILTER_EMAIL      = "email";
const FILTER_FLOAT      = "float";
const FILTER_FLOAT_CAST = "float!";
const FILTER_INT        = "int";
const FILTER_INT_CAST   = "int!";
const FILTER_LOWER      = "lower";
const FILTER_STRING     = "string";
const FILTER_STRIPTAGS  = "striptags";
const FILTER_TRIM       = "trim";
const FILTER_UPPER      = "upper";

Sanitizing data

清理数据是将用户或应用程序不需要或不需要的特定字符从值中删除的过程。 通过对输入进行清理,我们可以确保应用程序的完整性是完整的。

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns '[email protected]'
$filter->sanitize('some(one)@exa\mple.com', 'email');

// Returns 'hello'
$filter->sanitize('hello<<', 'string');

// Returns '100019'
$filter->sanitize('!100a019', 'int');

// Returns '100019.01'
$filter->sanitize('!100a019.01a', 'float');

Sanitizing from Controllers

You can access a Phalcon\Filter object from your controllers when accessing GET or POST input data (through the request object). 第一个参数是要获得的变量的名称; 第二个是应用于它的过滤器。

<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {

    }

    public function saveAction()
    {
        // Sanitizing price from input
        $price = $this->request->getPost('price', 'double');

        // Sanitizing email from input
        $email = $this->request->getPost('customerEmail', 'email');
    }
}

Filtering Action Parameters

下一个例子展示了如何清理控制器动作中的动作参数:

<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {

    }

    public function showAction($productId)
    {
        $productId = $this->filter->sanitize($productId, 'int');
    }
}

Filtering data

In addition to sanitizing, Phalcon\Filter also provides filtering by removing or modifying input data to the format we expect.

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns 'Hello'
$filter->sanitize('<h1>Hello</h1>', 'striptags');

// Returns 'Hello'
$filter->sanitize('  Hello   ', 'trim');

Combining Filters

您还可以同时在一个字符串上运行多个过滤器,方法是传递一个过滤器标识符数组作为第二个参数:

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns 'Hello'
$filter->sanitize(
    '   <h1> Hello </h1>   ',
    [
        'striptags',
        'trim',
    ]
);

Adding filters

You can add your own filters to Phalcon\Filter. The filter function could be an anonymous function:

<?php

use Phalcon\Filter;

$filter = new Filter();

// Using an anonymous function
$filter->add(
    'md5',
    function ($value) {
        return preg_replace('/[^0-9a-f]/', '', $value);
    }
);

// Sanitize with the 'md5' filter
$filtered = $filter->sanitize($possibleMd5, 'md5');

或者,如果您愿意,您可以在类中实现过滤器:

<?php

use Phalcon\Filter;

class IPv4Filter
{
    public function filter($value)
    {
        return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }
}

$filter = new Filter();

// Using an object
$filter->add(
    'ipv4',
    new IPv4Filter()
);

// Sanitize with the 'ipv4' filter
$filteredIp = $filter->sanitize('127.0.0.1', 'ipv4');

Complex Sanitizing and Filtering

PHP itself provides an excellent filter extension you can use. Check out its documentation: Data Filtering at PHP Documentation

Implementing your own Filter

The Phalcon\FilterInterface interface must be implemented to create your own filtering service replacing the one provided by Phalcon.