ドキュメント

目次

前のトピックへ

< セッションへのデータの保存

次のトピックへ

コンテキストのエスケープ >

このページ

フィルタリングとサニタイジング

Sanitizing user input is a critical part of software development. Trusting or neglecting to sanitize user input could lead to unauthorized access to the content of your application, mainly user data, or even the server your application is hosted on.

../_images/sql.png

Full image (from xkcd)

The Phalcon\Filter component provides a set of commonly used filters and data sanitizing helpers. It provides object-oriented wrappers around the PHP filter extension.

ビルトイン・フィルタの種類

The following are the built-in filters provided by this component:

Name Description
string Strip tags and encode HTML entities, including single and double quotes.
email Remove all characters except letters, digits and !#$%&*+-/=?^_`{|}~@.[].
int Remove all characters except digits, plus and minus sign.
float Remove all characters except digits, dot, plus and minus sign.
alphanum Remove all characters except [a-zA-Z0-9]
striptags Applies the strip_tags function
trim Applies the trim function
lower Applies the strtolower function
upper Applies the strtoupper function

データのサニタイズ

Sanitizing is the process which removes specific characters from a value, that are not required or desired by the user or application. By sanitizing input we ensure that application integrity will be intact.

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns "[email protected]"
$filter->sanitize("some(one)@exa\mple.com", "email");

// Returns "hello"
$filter->sanitize("hello<<", "string");

// Returns "100019"
$filter->sanitize("!100a019", "int");

// Returns "100019.01"
$filter->sanitize("!100a019.01a", "float");

コントローラでのサニタイジング

You can access a Phalcon\Filter object from your controllers when accessing GET or POST input data (through the request object). The first parameter is the name of the variable to be obtained; the second is the filter to be applied on it.

<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {

    }

    public function saveAction()
    {
        // Sanitizing price from input
        $price = $this->request->getPost("price", "double");

        // Sanitizing email from input
        $email = $this->request->getPost("customerEmail", "email");
    }
}

アクションパラメータのフィルタリング

The next example shows you how to sanitize the action parameters within a controller action:

<?php

use Phalcon\Mvc\Controller;

class ProductsController extends Controller
{
    public function indexAction()
    {

    }

    public function showAction($productId)
    {
        $productId = $this->filter->sanitize($productId, "int");
    }
}

データのフィルタリング

In addition to sanitizing, Phalcon\Filter also provides filtering by removing or modifying input data to the format we expect.

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns "Hello"
$filter->sanitize("<h1>Hello</h1>", "striptags");

// Returns "Hello"
$filter->sanitize("  Hello   ", "trim");

Combining Filters

You can also run multiple filters on a string at the same time by passing an array of filter identifiers as the second parameter:

<?php

use Phalcon\Filter;

$filter = new Filter();

// Returns "Hello"
$filter->sanitize(
    "   <h1> Hello </h1>   ",
    [
        "striptags",
        "trim",
    ]
);

独自フィルタの作成

You can add your own filters to Phalcon\Filter. The filter function could be an anonymous function:

<?php

use Phalcon\Filter;

$filter = new Filter();

// Using an anonymous function
$filter->add(
    "md5",
    function ($value) {
        return preg_replace("/[^0-9a-f]/", "", $value);
    }
);

// Sanitize with the "md5" filter
$filtered = $filter->sanitize($possibleMd5, "md5");

Or, if you prefer, you can implement the filter in a class:

<?php

use Phalcon\Filter;

class IPv4Filter
{
    public function filter($value)
    {
        return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }
}

$filter = new Filter();

// Using an object
$filter->add(
    "ipv4",
    new IPv4Filter()
);

// Sanitize with the "ipv4" filter
$filteredIp = $filter->sanitize("127.0.0.1", "ipv4");

複雑なサニタイズとフィルタリング

PHP itself provides an excellent filter extension you can use. Check out its documentation: Data Filtering at PHP Documentation

独自フィルタの実装

The Phalcon\FilterInterface interface must be implemented to create your own filtering service replacing the one provided by Phalcon.

Follow along: