PHP Built-in String Validation Functions

A must for PHP Developers

Published in: Technology

PHP5 Built-in String Filter Functions For Your Application Security
By d0ubl3_h3lix, http://yehg.org, April 2008

Agenda
- Why We Use Them?
- Need to Know
- Secure Practice
- Validation vs Sanitization
- PHP5 Built-in Filtering Functions

Why We Use Them?
- Injection attacks (XSS, SQL, XPath, OS command, etc.) come from inputs where filtering is weak or absent
- Be aware of inputs as well as outputs
- You know "Garbage In, Garbage Out"
- For attackers it is "Garbage In, Gold Out"

Need to Know
- There are many more issues in filtering, such as encoding issues
- An attacker can send strings in different charset formats
- This causes your visitors' browsers to auto-detect the charset and interpret the data the way the attacker wants
- Reason: the application failed to convert the string to its intended charset when it was first stored in the database

Secure Practice
- Always convert input and output to the intended charset before intensive filtering/sanitization

Validation vs Sanitization
- Validation means the string format is exactly what you want
- A validated string can't be assumed to be 'secure'
- You can't know whether a validated string contains characters that are meaningful to the various back-end systems it reaches
- That's why a validated string still needs to be sanitized (or escaped) for the context it is used in

PHP5 Built-in String Filter Functions
htmlspecialchars
- Description: Convert special characters to HTML entities
- Usage: string htmlspecialchars ( string string [, int quote_style [, string charset ]] )

Quote_Style
- ENT_COMPAT: Will convert double-quotes and leave single-quotes alone (the default before PHP 8.1)
- ENT_QUOTES: Will convert both double and single quotes
- ENT_NOQUOTES: Will leave both double and single quotes unconverted

Supported Charsets
- ISO-8859-1
- ISO-8859-15
- UTF-8
- cp866 (ibm866, 866)
- cp1251 (Windows-1251, win-1251, 1251)
- cp1252 (Windows-1252, 1252)
- KOI8-R (koi8-ru, koi8r)
- BIG5
- GB2312
- BIG5-HKSCS
- Shift_JIS
- EUC-JP

Example
- Not Secure:
  htmlspecialchars($untrusted_input);
  (the default quote style leaves single quotes alone, so a value placed inside a single-quoted attribute can break out of it; the default charset was ISO-8859-1 before PHP 5.4)
- Relatively Secure:
  htmlspecialchars($untrusted_input, ENT_QUOTES, "UTF-8");

htmlentities
- Description: Convert all applicable characters to HTML entities
- Usage: string htmlentities ( string string [, int quote_style [, string charset ]] )

Example
- Not Secure:
  htmlentities($untrusted_input);
- Relatively Secure:
  htmlentities($untrusted_input, ENT_QUOTES, "UTF-8");

htmlspecialchars vs htmlentities
- htmlentities() converts every character that has a named HTML entity, while htmlspecialchars() converts only:
  & => &amp;
  " => &quot;
  ' => &#039; (only with ENT_QUOTES)
  < => &lt;
  > => &gt;
- For output into HTML, htmlspecialchars() with an explicit charset is sufficient; htmlentities() only matters when the page's charset cannot represent the characters.
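The two "Not Secure / Relatively Secure" slides above do not show what actually goes wrong. The following is an added example (not code from the original deck) that puts untrusted text into a single-quoted attribute with the default quote style and with ENT_QUOTES, and shows the silent-empty-string failure on invalid UTF-8 that ENT_SUBSTITUTE avoids. The attacker strings are constructed; the block needs PHP 5.4 or later for ENT_SUBSTITUTE.

```php
<?php
// Added example, not from the original slides.
// Before PHP 8.1 the default quote style was ENT_COMPAT: single quotes pass through.
function escape_default($s) {
    return htmlspecialchars($s);
}

// Hardened: encode both quote styles, declare the charset explicitly, and
// replace invalid UTF-8 sequences with U+FFFD instead of returning "".
function escape_html($s) {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$untrusted = "' onmouseover='alert(1)";   // constructed attacker input

// Single-quoted attribute: with the default the quote survives, the attacker
// closes the attribute and adds an event handler.
$bad = "<input value='" . escape_default($untrusted) . "'>";
// <input value='' onmouseover='alert(1)'>   (on PHP < 8.1)

// With ENT_QUOTES the quote becomes &#039; and stays inside the attribute value.
$good = "<input value='" . escape_html($untrusted) . "'>";
// <input value='&#039; onmouseover=&#039;alert(1)'>

// Invalid UTF-8 (constructed): a truncated multibyte sequence. Since PHP 5.4
// htmlspecialchars() returns "" for such input unless ENT_SUBSTITUTE or
// ENT_IGNORE is given, so the whole field silently disappears from the page.
$broken = "caf\xC3";
$vanished    = htmlspecialchars($broken, ENT_QUOTES, 'UTF-8');  // ""
$substituted = escape_html($broken);                            // "caf" . "\xEF\xBF\xBD"

echo $bad, "\n", $good, "\n";
var_dump($vanished, $substituted);
```

Use escape_html() at the point of output, for every value, regardless of whether it was validated on the way in; the charset argument must match the charset declared in the page's Content-Type header.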
strip_tags
- Description: Strip HTML and PHP tags from a string
- Usage: string strip_tags ( string str [, string allowable_tags ] )

Example: Stripping HTML
  // Returns: Hello Admin!alert('0wned u');   (the tags go, the script body stays as text)
  strip_tags("<b>Hello Admin!</b><script>alert('0wned u');</script>");
  // Returns: <b>bold</b> Nice
  strip_tags("<b>bold</b> <i>Nice</i>", "<b>");
- Caveat: allowed tags are kept together with all of their attributes, so an event handler inside an allowed tag survives strip_tags().

Example: Stripping PHP
  // Returns: Hello Admin!
  strip_tags("Hello Admin!<?php /*attacker's shellcode/backdoor script*/?>");
- Such PHP payloads are commonly embedded in images and other binary-like files
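The allow-list form of strip_tags() is the one most often misused, because it keeps attributes on the allowed tags. This added example (not from the original deck; the comment string is constructed) shows the handler surviving, and the two safer alternatives: escape everything, or rebuild a minimal markup from escaped text rather than trusting what strip_tags() leaves in place.

```php
<?php
// Added example, not from the original slides.
$comment = '<b onmouseover="alert(1)">Hello Admin!</b><script>alert(2)</script>';

// Allowing <b> keeps the whole <b ...> tag, attributes included: still XSS.
// Also note the <script> *content* is kept as plain text ("alert(2)").
$kept = strip_tags($comment, '<b>');
// <b onmouseover="alert(1)">Hello Admin!</b>alert(2)

// Alternative 1: allow no markup at all and escape at output time.
$escaped = htmlspecialchars(strip_tags($comment), ENT_QUOTES, 'UTF-8');
// Hello Admin!alert(2)

// Alternative 2: when bold text must be allowed, escape everything first and
// then re-enable only the exact, attribute-free <b>...</b> pair. Anything that
// does not match that literal form stays escaped.
function allow_plain_bold($s) {
    $s = htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    return preg_replace('#&lt;b&gt;(.*?)&lt;/b&gt;#is', '<b>$1</b>', $s);
}

$rebuilt = allow_plain_bold('<b>Hello Admin!</b> <b onmouseover="alert(1)">x</b>');
// <b>Hello Admin!</b> &lt;b onmouseover=&quot;alert(1)&quot;&gt;x&lt;/b&gt;

echo $kept, "\n", $escaped, "\n", $rebuilt, "\n";
```

The regex approach scales only to a handful of attribute-free tags; for anything richer, a real HTML sanitizer that parses the markup and applies a tag and attribute allow-list is the right tool, not strip_tags().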
escapeshellcmd
- Description: Escape shell metacharacters: # & ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ , \x0A and \xFF (' and " are escaped only when they are not paired)
- Usage: string escapeshellcmd ( string command )

Example
  $input = "solution & whoami &";
  escapeshellcmd("process $input");
  // Returns: process solution \& whoami \&
  // "process", "solution" and "whoami" pass through unchanged; each & is escaped with a backslash, so the shell no longer treats it as a command separator
- Caveat: escapeshellcmd() protects the command line as a whole but does not keep the input together as one argument; for individual arguments use escapeshellarg().
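What the slide's example does not show is the attack escapeshellcmd() cannot stop: argument injection. This added example (not from the original deck) builds, without executing, the same command line three ways; "process" is a hypothetical program and the inputs are constructed.

```php
<?php
// Added example, not from the original slides. Commands are built, not run.
$input = "solution & whoami &";

// escapeshellcmd() escapes the whole command line: each & gets a backslash,
// so the shell sees no command separator.
$cmd1 = escapeshellcmd("process $input");
// process solution \& whoami \&

// But word splitting still happens, and option syntax contains no
// metacharacters at all. Nothing here is escaped, and the attacker has added a
// second option to the program:
$cmd2 = escapeshellcmd("process --input=" . "file.txt --exec=/bin/sh");
// process --input=file.txt --exec=/bin/sh

// escapeshellarg() wraps the value in single quotes and escapes embedded single
// quotes, so the value is exactly one argument whatever it contains.
// (On Windows it uses double quotes instead.)
$cmd3 = "process --input=" . escapeshellarg("file.txt --exec=/bin/sh");
// process --input='file.txt --exec=/bin/sh'

$cmd4 = "process " . escapeshellarg("it's & whoami");
// process 'it'\''s & whoami'

// Defence in depth: validate against an allow-list first, escape second.
function safe_filename_arg($name) {
    if (!preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('bad filename');
    }
    return escapeshellarg($name);
}

echo $cmd1, "\n", $cmd2, "\n", $cmd3, "\n", $cmd4, "\n";
echo 'process --input=' . safe_filename_arg('report.txt'), "\n";
```

Even with escapeshellarg(), a value that starts with "-" may still be parsed as an option by the called program; pass "--" before user-supplied positional arguments where the program supports it, or reject leading dashes in the allow-list as done above.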
mysql_real_escape_string
- Description: Escapes special characters in a string for use in a SQL statement; a database connection must be open first, because the escaping depends on the connection's character set
- Usage: string mysql_real_escape_string ( string unescaped_string [, resource link_identifier] )

mysql_escape_string
- Description: Escapes a string for use in mysql_query(); unlike mysql_real_escape_string() it needs no open connection, because it ignores the connection character set, which is exactly why it is deprecated and unsafe with multibyte charsets
- Usage: string mysql_escape_string ( string unescaped_string )
- Note: the whole mysql_* extension was deprecated in PHP 5.5 and removed in PHP 7; its escaping functions are only correct when the escaped value is placed between quotes in the SQL text. Prepared statements (mysqli or PDO) avoid the problem entirely.
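Since the mysql_* functions on these two slides no longer exist in current PHP, here is the same lookup with mysqli, as an added example that is not part of the original deck. It contrasts escaping (the mysqli equivalent of mysql_real_escape_string) with a prepared statement; the connection parameters and the users(id, name) table are hypothetical, and the attacker string is constructed.

```php
<?php
// Added example, not from the original slides. Connection details and the
// "users" table are hypothetical.
$db = new mysqli('localhost', 'app', 'secret', 'appdb');
if ($db->connect_errno) {
    throw new RuntimeException('connect failed: ' . $db->connect_error);
}
// Escaping is only correct when the driver knows the connection charset.
$db->set_charset('utf8mb4');

$untrusted = "' OR '1'='1";   // constructed attacker input

// Escaping style: works only because the value is enclosed in quotes.
$sql = "SELECT id FROM users WHERE name = '" . $db->real_escape_string($untrusted) . "'";
// SELECT id FROM users WHERE name = '\' OR \'1\'=\'1'

// Prepared statement: the value is sent separately from the query text, so no
// quoting rules apply and the attacker's quotes are just data.
function find_user_id(mysqli $db, $name) {
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);     // 's' = string, 'i' = integer
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch() ? (int)$id : null;
    $stmt->close();
    return $found;
}

var_dump(find_user_id($db, $untrusted));   // NULL: nobody is literally named "' OR '1'='1"

// Escaping does nothing for values used outside quotes (LIMIT, ORDER BY,
// column names). Validate those with FILTER_VALIDATE_INT or an allow-list
// instead of escaping them.
```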
is_* Functions
- To check whether a variable is of the desired type:
- is_array -- Whether a variable is an array
- is_binary -- Whether a variable is a native binary string
- is_bool -- Whether a variable is a boolean
- is_buffer -- Whether a variable is a native unicode or binary string
- is_callable -- Verify that the contents of a variable can be called as a function
- is_double -- Alias of is_float()
- is_float -- Whether a variable is a float
- is_int -- Whether a variable is an integer
- is_integer -- Alias of is_int()
- is_long -- Alias of is_int()
- is_null -- Whether a variable is NULL
- is_numeric -- Whether a variable is a number or a numeric string
- is_object -- Whether a variable is an object
- is_real -- Alias of is_float()
- is_resource -- Whether a variable is a resource
- is_scalar -- Whether a variable is a scalar
- is_string -- Whether a variable is a string
- is_unicode -- Whether a variable is a unicode string
- Note: is_binary, is_buffer and is_unicode were documented in the manual of that time for the never-released PHP 6 and do not exist in any shipped PHP version.

Good Practice With is_*
- For example:
  $start = (isset($_GET['num']) && is_numeric($_GET['num']))
      ? (int)$_GET['num']
      : die("Hacking Attempt!");
- Caveat: is_numeric() also accepts floats, exponent notation, leading whitespace and (on PHP 5) hex strings; the (int) cast then silently changes the value. FILTER_VALIDATE_INT with min_range/max_range is the stricter check for an offset.
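To make the caveat concrete, this added example (not from the original deck) runs the slide's is_numeric() plus (int) pattern and a FILTER_VALIDATE_INT range check over a constructed set of inputs, so the cases where the two disagree become visible.

```php
<?php
// Added example, not from the original slides. Sample inputs are constructed.

// The slide's approach: accept anything numeric, then cast.
function start_via_is_numeric($raw) {
    if (!isset($raw) || !is_numeric($raw)) {
        return false;
    }
    return (int)$raw;
}

// Stricter: only a canonical decimal integer inside the range is accepted.
// Returns the int, or false. Compare with === false: a valid "0" is int(0).
function start_via_filter($raw) {
    return filter_var($raw, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 100000)));
}

$samples = array(
    '42',                    // both: 42
    ' 42',                   // both: 42 (leading whitespace is tolerated by both)
    '42abc',                 // both reject
    '4.9',                   // is_numeric accepts, cast gives 4; filter rejects
    '1e3',                   // is_numeric accepts, cast gives 1000 (PHP >= 7.1) or 1; filter rejects
    '-5',                    // is_numeric accepts, cast gives -5 (negative offset!); filter rejects
    '99999999999999999999',  // is_numeric accepts, cast saturates at PHP_INT_MAX; filter rejects
    '0x1A',                  // is_numeric true on PHP 5 (cast gives 0), false on PHP 7+; filter rejects
);

foreach ($samples as $raw) {
    printf("%-26s is_numeric path: %-22s filter path: %s\n",
        var_export($raw, true),
        var_export(start_via_is_numeric($raw), true),
        var_export(start_via_filter($raw), true));
}
```

The rows for '4.9', '1e3' and '-5' are the ones that matter: the is_numeric() path lets a value through that the application never intended to accept, and then uses a different number than the one the user sent.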
filter_* Functions
- filter_has_var -- Checks if a variable of the specified type exists
- filter_id -- Returns the filter ID belonging to a named filter
- filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
- filter_input -- Gets a variable from outside PHP and optionally filters it
- filter_list -- Returns a list of all supported filters
- filter_var_array -- Gets multiple variables and optionally filters them
- filter_var -- Filters a variable with a specified filter

Filterable Types
- INPUT_POST: POST variables
- INPUT_GET: GET variables
- INPUT_COOKIE: COOKIE variables
- INPUT_ENV: ENV variables
- INPUT_SERVER: SERVER variables
- INPUT_SESSION: SESSION variables (not implemented in PHP 5)
- INPUT_REQUEST: REQUEST variables (not implemented in PHP 5)

Filter Options
- FILTER_FLAG_NONE: No flags.
- FILTER_REQUIRE_SCALAR: Require a scalar as input. Scalar variables contain an integer, float, string or boolean; arrays, objects and resources are not scalar.
- FILTER_REQUIRE_ARRAY: Require an array as input.
- FILTER_FORCE_ARRAY: Always return an array.
- FILTER_NULL_ON_FAILURE: Use NULL instead of FALSE on failure.
- FILTER_VALIDATE_INT: ID of "int" filter.
- FILTER_VALIDATE_BOOLEAN: ID of "boolean" filter.
- FILTER_VALIDATE_FLOAT: ID of "float" filter.
- FILTER_VALIDATE_REGEXP: ID of "validate_regexp" filter.
- FILTER_VALIDATE_URL: ID of "validate_url" filter.
- FILTER_VALIDATE_EMAIL: ID of "validate_email" filter.
- FILTER_VALIDATE_IP: ID of "validate_ip" filter.
- FILTER_DEFAULT: ID of the default ("string") filter.
- FILTER_UNSAFE_RAW: ID of "unsafe_raw" filter.
- FILTER_SANITIZE_STRING: ID of "string" filter.
- FILTER_SANITIZE_STRIPPED: ID of "stripped" filter.
- FILTER_SANITIZE_ENCODED: ID of "encoded" filter.
- FILTER_SANITIZE_SPECIAL_CHARS: ID of "special_chars" filter.
- FILTER_SANITIZE_EMAIL: ID of "email" filter.
- FILTER_SANITIZE_URL: ID of "url" filter.
- FILTER_SANITIZE_NUMBER_INT: ID of "number_int" filter.
- FILTER_SANITIZE_NUMBER_FLOAT: ID of "number_float" filter.
- FILTER_SANITIZE_MAGIC_QUOTES: ID of "magic_quotes" filter.
- FILTER_CALLBACK: ID of "callback" filter.
- FILTER_FLAG_ALLOW_OCTAL: Allow octal notation (0[0-7]+) in "int" filter.
- FILTER_FLAG_ALLOW_HEX: Allow hex notation (0x[0-9a-fA-F]+) in "int" filter.
- FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value less than 32.
- FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value greater than 127.
- FILTER_FLAG_ENCODE_LOW: Encode characters with ASCII value less than 32.
- FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value greater than 127.
- FILTER_FLAG_ENCODE_AMP: Encode &.
- FILTER_FLAG_NO_ENCODE_QUOTES: Don't encode ' and ".
- FILTER_FLAG_EMPTY_STRING_NULL: (No use for now.)
- FILTER_FLAG_ALLOW_FRACTION: Allow fractional part in "number_float" filter.
- FILTER_FLAG_ALLOW_THOUSAND: Allow thousand separator (,) in "number_float" filter.
- FILTER_FLAG_ALLOW_SCIENTIFIC: Allow scientific notation (e, E) in "number_float" filter.
- FILTER_FLAG_SCHEME_REQUIRED: Require scheme in "validate_url" filter.
- FILTER_FLAG_HOST_REQUIRED: Require host in "validate_url" filter.
- FILTER_FLAG_PATH_REQUIRED: Require path in "validate_url" filter.
- FILTER_FLAG_QUERY_REQUIRED: Require query in "validate_url" filter.
- FILTER_FLAG_IPV4: Allow only IPv4 address in "validate_ip" filter.
- FILTER_FLAG_IPV6: Allow only IPv6 address in "validate_ip" filter.
- FILTER_FLAG_NO_RES_RANGE: Deny reserved addresses in "validate_ip" filter.
- FILTER_FLAG_NO_PRIV_RANGE: Deny private addresses in "validate_ip" filter.
Filter Definitions

FILTER_VALIDATE_INT
- Options: min_range, max_range
- Flags: FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX
- Description: Validates value as integer, optionally from the specified range. A valid "0" comes back as int(0), so test the result with === false rather than with a truthiness check.

FILTER_VALIDATE_BOOLEAN
- Flags: FILTER_NULL_ON_FAILURE
- Description: Returns TRUE for "1", "true", "on" and "yes"; FALSE for "0", "false", "off", "no" and "". Any other value yields FALSE, or NULL when FILTER_NULL_ON_FAILURE is set, which is the only way to tell an invalid value from a genuine FALSE.

FILTER_VALIDATE_FLOAT
- Flags: FILTER_FLAG_ALLOW_THOUSAND
- Description: Validates value as float.

FILTER_VALIDATE_REGEXP
- Options: regexp
- Description: Validates value against regexp, a Perl-compatible regular expression. Anchor the pattern (\A ... \z) or it will match anywhere in the string.

FILTER_VALIDATE_URL
- Flags: FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED
- Description: Validates value as URL, optionally with required components. It accepts any scheme, not just http and https, so check the scheme separately if that matters.

FILTER_VALIDATE_EMAIL
- Description: Validates value as e-mail.

FILTER_VALIDATE_IP
- Flags: FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE
- Description: Validates value as IP address, optionally only IPv4 or IPv6, or not from private or reserved ranges.

FILTER_SANITIZE_STRING
- Flags: FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
- Description: Strip tags, optionally strip or encode special characters. (Deprecated as of PHP 8.1.)

FILTER_SANITIZE_STRIPPED
- Alias of FILTER_SANITIZE_STRING. (Deprecated as of PHP 8.1.)

FILTER_SANITIZE_ENCODED
- Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH
- Description: URL-encode string, optionally strip or encode special characters.

FILTER_SANITIZE_SPECIAL_CHARS
- Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH
- Description: HTML-escape ' " < > & and characters with ASCII value less than 32 (as numeric entities), optionally strip or encode other special characters.

FILTER_UNSAFE_RAW
- Flags: FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP
- Description: Do nothing, optionally strip or encode special characters.

FILTER_SANITIZE_EMAIL
- Description: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].

FILTER_SANITIZE_URL
- Description: Remove all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.

FILTER_SANITIZE_NUMBER_INT
- Description: Remove all characters except digits and +-.

FILTER_SANITIZE_NUMBER_FLOAT
- Flags: FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC
- Description: Remove all characters except digits, +- and optionally .,eE.

FILTER_SANITIZE_MAGIC_QUOTES
- Description: Apply addslashes(). (Deprecated in PHP 7.3 and removed in PHP 8.0; addslashes() is not a SQL escaping function.)

FILTER_CALLBACK
- Options: callback function or method
- Description: Call a user-defined function to filter the data.
Reminder: filter_* Functions
- filter_has_var -- Checks if a variable of the specified type exists
- filter_id -- Returns the filter ID belonging to a named filter
- filter_input_array -- Gets multiple variables from outside PHP and optionally filters them
- filter_input -- Gets a variable from outside PHP and optionally filters it
- filter_list -- Returns a list of all supported filters
- filter_var_array -- Gets multiple variables and optionally filters them
- filter_var -- Filters a variable with a specified filter

filter_has_var
- Description: Checks if a variable of the specified type exists
- Usage: bool filter_has_var ( int type , string variable_name )

Example
  filter_has_var(INPUT_GET, 'searchstr');
  is roughly equivalent to
  isset($_GET['searchstr'])
- Difference: filter_has_var() reads the original request data, so later changes to $_GET in the script do not affect it.

filter_id
- Description: Returns the filter ID belonging to a named filter
- Usage: int filter_id ( string filtername )

filter_list
- Description: Returns a list of all supported filters
- Usage: array filter_list ( void )

filter_input
- Description: Gets a variable from outside PHP and optionally filters it
- Usage: mixed filter_input ( int type, string variable_name [, int filter [, mixed options ]] )

Example
  filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
  filter_input(INPUT_GET, 'number', FILTER_VALIDATE_INT,
      array('options' => array('min_range' => 1, 'max_range' => 10))
  );
  // Returns the int on success, FALSE if the value fails the filter or range,
  // and NULL if 'number' was not sent at all.

filter_input_array
- Description: Gets multiple variables from outside PHP and optionally filters them
- Usage: mixed filter_input_array ( int type [, mixed definition] )

Example
  /* Let's say the data come from POST as follows: */
  $_POST = array(
      'visitor_name'  => 'MgMg',
      'visitor_email' => 'mgmg@gmail.com',
      'visitor_url'   => 'http://myanmar.com',
  );

  We can write filter rules like:
  $visitor_sanitized_rules = array(
      'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
      'visitor_email' => FILTER_VALIDATE_EMAIL,
      'visitor_url'   => FILTER_VALIDATE_URL,
  );

  Then we can apply them like:
  $visitor_inputs = filter_input_array(INPUT_POST, $visitor_sanitized_rules);
No Real Difference!
- filter_input(_array) vs filter_var(_array) apply exactly the same filters, flags and options.
- The only difference is the data source: filter_input reads the original request data (INPUT_GET, INPUT_POST, ...) directly, while filter_var filters any variable you hand it. filter_input also returns NULL when the variable was not sent, as opposed to FALSE when the filter fails.

filter_var
- Description: Filters a variable with a specified filter
- Usage: mixed filter_var ( mixed variable [, int filter [, mixed options]] )

Example
  filter_var($_POST['visitor_name'], FILTER_SANITIZE_SPECIAL_CHARS);
  filter_var($_POST['visitor_email'], FILTER_VALIDATE_EMAIL);
  filter_var($_POST['visitor_url'], FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);

filter_var_array
- Description: Gets multiple variables and optionally filters them
- Usage: mixed filter_var_array ( array data [, mixed definition] )

Example
  /* Same as before, no big difference: */
  $visitor_data = array(
      'visitor_name'  => 'MgMg',
      'visitor_email' => 'mgmg@gmail.com',
      'visitor_url'   => 'http://myanmar.com',
  );

  We can write filter rules like:
  $visitor_sanitized_rules = array(
      'visitor_name'  => FILTER_SANITIZE_SPECIAL_CHARS,
      'visitor_email' => FILTER_VALIDATE_EMAIL,
      'visitor_url'   => FILTER_VALIDATE_URL,
  );

  Then we can apply them like:
  $visitor_inputs = filter_var_array($visitor_data, $visitor_sanitized_rules);

Last But Not Least,
- Did you notice two things lacking in the filter_* functions?

First ..
- You have to filter twice in some cases, for example to sanitize and then validate an e-mail address:
  $email = $_GET['email'];
  $email = filter_var($email, FILTER_SANITIZE_EMAIL);   // drop characters that can never appear in an address
  $email = filter_var($email, FILTER_VALIDATE_EMAIL);   // then check what is left; FALSE if it is not an address
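The visitor-form slides and the "filter twice" slide fit together into one filter_var_array() definition. The following is an added example (not code from the original deck): the two-step e-mail check becomes a FILTER_CALLBACK, the URL gets an http/https allow-list because FILTER_VALIDATE_URL accepts any scheme, and the result handling distinguishes NULL (field not submitted) from FALSE (field rejected). The $form array stands in for $_POST and its contents are constructed.

```php
<?php
// Added example, not from the original slides. $form is constructed request data.

// Sanitize first, then validate. Returns the clean address or false.
function clean_email($raw) {
    $e = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return filter_var($e, FILTER_VALIDATE_EMAIL);
}

// FILTER_VALIDATE_URL passes ftp://, file:// and others, so pin the scheme.
// Returns the URL or false.
function clean_http_url($raw) {
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return false;
    }
    $scheme = strtolower((string)parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, array('http', 'https'), true) ? $url : false;
}

$visitor_rules = array(
    'visitor_name'  => array(
        'filter' => FILTER_SANITIZE_SPECIAL_CHARS,
        'flags'  => FILTER_FLAG_STRIP_LOW,          // also drop control characters
    ),
    'visitor_email' => array('filter' => FILTER_CALLBACK, 'options' => 'clean_email'),
    'visitor_url'   => array('filter' => FILTER_CALLBACK, 'options' => 'clean_http_url'),
    'visitor_age'   => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array('min_range' => 13, 'max_range' => 120),
    ),
);

// Returns array($clean, $errors). filter_var_array() yields NULL for fields
// missing from $source and FALSE for fields that failed; report both.
function validate_visitor(array $source, array $rules) {
    $clean  = filter_var_array($source, $rules);
    $errors = array();
    foreach (array_keys($rules) as $field) {
        if ($clean[$field] === null) {
            $errors[$field] = 'missing';
        } elseif ($clean[$field] === false) {
            $errors[$field] = 'invalid';
        }
    }
    return array($clean, $errors);
}

// Constructed request: XSS attempt in the name, a file:// URL, no age field.
$form = array(
    'visitor_name'  => 'MgMg<script>alert(1)</script>',
    'visitor_email' => 'mgmg@example.com',
    'visitor_url'   => 'file:///etc/passwd',
);

list($clean, $errors) = validate_visitor($form, $visitor_rules);
// $clean['visitor_name']  === 'MgMg&#60;script&#62;alert(1)&#60;/script&#62;'
// $clean['visitor_email'] === 'mgmg@example.com'
// $clean['visitor_url']   === false   (well-formed URL, but the scheme is not allowed)
// $clean['visitor_age']   === null    (not submitted)
// $errors === array('visitor_url' => 'invalid', 'visitor_age' => 'missing')
print_r($clean);
print_r($errors);
```

Sanitizing visitor_name at input time, as the slides do, is a fallback rather than the fix: the value still has to be escaped for whichever context it is written into later (HTML body, attribute, JavaScript, SQL), and FILTER_SANITIZE_SPECIAL_CHARS only covers the first two.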
Second ...
- No charset conversion functions!
- Do-It-Yourself Exercise! (the mbstring and iconv extensions provide the building blocks)
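For the do-it-yourself part, this added example (not from the original deck) implements the "convert to the intended charset before filtering" rule from the Secure Practice slide: validate that input is well-formed UTF-8 with mb_check_encoding(), convert from an allow-listed declared charset when needed, and reject rather than guess otherwise. It requires the mbstring extension; the byte strings are constructed.

```php
<?php
// Added example, not from the original slides. Requires ext/mbstring.

// Strict variant: invalid UTF-8 is an error, not something to repair silently.
function require_utf8($s) {
    if (!is_string($s) || !mb_check_encoding($s, 'UTF-8')) {
        return false;
    }
    return $s;
}

// Lenient variant: input declared as another charset (for example a legacy form
// posting ISO-8859-1) is converted to UTF-8 and then verified. The declared
// charset comes from an allow-list, never straight from the request.
function to_utf8($s, $declared_charset) {
    $allowed = array('UTF-8', 'ISO-8859-1', 'Windows-1252');
    if (!in_array($declared_charset, $allowed, true)) {
        return false;
    }
    if ($declared_charset !== 'UTF-8') {
        $s = mb_convert_encoding($s, 'UTF-8', $declared_charset);
    }
    return require_utf8($s);
}

// Why this matters: 0xC0 0xBC is an overlong encoding of "<". It contains no
// 0x3C byte, so a byte-oriented filter never sees a "<", yet a lenient decoder
// may still render it as one. Strict UTF-8 checking rejects it outright.
$overlong = "\xC0\xBCscript>";
var_dump(mb_check_encoding($overlong, 'UTF-8'));   // bool(false)
var_dump(require_utf8($overlong));                 // bool(false): rejected before any filtering

$latin1 = "caf\xE9";                               // "café" in ISO-8859-1
var_dump(to_utf8($latin1, 'ISO-8859-1'));          // "café" as UTF-8: 63 61 66 C3 A9
var_dump(to_utf8("caf\xC3\xA9", 'UTF-8'));         // already valid UTF-8: returned unchanged
var_dump(to_utf8($latin1, 'UTF-8'));               // bool(false): declared UTF-8 but not valid
```

Run this step once at the boundary, before filter_var(), htmlspecialchars() and the database see the data, and emit the same charset in the Content-Type header so the browser never has to auto-detect it.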
Thank You!

Reference
- PHP 5.2.5 Manual
