Input Validation Using Filter Functions


The filter_input() function was introduced in PHP 5.2.0 and allows you to get an external variable by name and filter it. This is incredibly useful when dealing with $_GET and $_POST data.

Let’s take as an example a simple page that reads a value passed in from the URL and handles it. We know this value should be an integer between 15 and 20.

One way of doing this would be something like:

<?php
if (isset($_GET["value"])) {
    $value = $_GET["value"];
}
else {
    $value = false;
}
if (is_numeric($value) && ($value >= 15 && $value <= 20)) {
    // run my code
}
else {
    // handle the issue
}

This is a really basic example, and already we are writing more lines than I would like to see. First, because we can’t be sure $_GET["value"] is set, the code performs an appropriate check so that the script doesn’t fall over.

Next is the fact that $value is now a “dirty” variable because it has been directly assigned from a $_GET value. We would need to take care not to use $value anywhere else in the code in case we break anything.

Then there is the issue that 16.0 is valid because is_numeric() okays it.

And finally, the if statement is a bit of a mouthful to take in and is an extra bit of logic to work through when you are tracing through the code.

Compare the above example now to this:

<?php
$value = filter_input(INPUT_GET, "value", FILTER_VALIDATE_INT,
    array("options" => array("min_range" => 15, "max_range" => 20)));
if ($value) {
    // run my code
}
else {
    // handle the issue
}
Doesn’t that make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you don’t have to stress over whether the script is receiving the correct information or not.

You also don’t have to worry about $value being dirty because it has been validated before it has been assigned.
Note now that 16.0 is no longer valid.

And finally, our logic is no longer complicated. It’s just a quick check for a truthy value (filter_input() will return false if the validation fails and null if $_GET["value"] wasn’t set).

Obviously in a real world setting you could extract the array out into a variable stored in a configuration file somewhere so things can get changed without even needing to go into business logic. Gorgeous!

Now you might be thinking that this might be useful for simple scripts that grab a couple of $_GET or $_POST variables, but what about for use inside of functions or classes? Luckily we have filter_var() for that.

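The filter_var() function was introduced at the same time as filter_input() and does much the same thing, except that it filters a value you pass in rather than fetching an external variable by name. Take this function:
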
<?php
// This is a sample function, do not use this to actually email,
// that would be silly.
function emailUser($email) {
    mail($email, "Here is my email", "Some Content");
}

The danger here is that there is nothing to stop the mail() function from attempting to send an email to literally any value that could be stored in $email. This could lead to emails not getting sent or, in a worst case scenario, to something getting in that can use the function for malicious intent.

I have seen people do a check on the result of mail(), which is fine to see if the function completed successfully, but by the time a value is returned the damage is done.

Something like this is much more sane:
<?php
// This is a sample function, do not use this to actually email,
// that would be silly.
function emailUser($email) {
    $email = filter_var($email, FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        mail($email, "Here is my email", "Some Content");
    }
    else {
        // handle the issue: invalid email address
    }
}

The problem with a lot of examples, the above included, is that they are basic. You might be thinking that filter_var() or filter_input() can’t be used for anything other than basic checking. The fine folks who introduced these functions considered that and provided a filter you can pass to them called FILTER_CALLBACK.

FILTER_CALLBACK allows you to pass in a function you have created that will accept as the input the variable being filtered – this is where you can start to have a lot of fun because you can start applying your own business logic to your filtering.
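
FILTER_CALLBACK with a business rule, as an added example that is not from the original post: the callback reuses FILTER_VALIDATE_EMAIL and then only accepts addresses at approved domains. The names validateStaffEmail() and ALLOWED_DOMAINS and the sample addresses are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post.
// ALLOWED_DOMAINS and validateStaffEmail() are hypothetical names.
const ALLOWED_DOMAINS = ['example.com', 'example.org'];

// Callback for FILTER_CALLBACK: receives the raw value as a string and
// returns the cleaned value, or false to signal a validation failure.
function validateStaffEmail($raw)
{
    // Syntax check first, reusing the built-in filter from the post.
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }

    // Business rule: only addresses at an approved domain are accepted.
    $domain = strtolower(substr(strrchr($email, '@'), 1));
    if (!in_array($domain, ALLOWED_DOMAINS, true)) {
        return false;
    }

    return $email;
}

// The callback is passed through the "options" key.
$filterOptions = ['options' => 'validateStaffEmail'];

// Constructed sample inputs.
$samples = [
    'alice@example.com',    // valid syntax, approved domain
    ' bob@EXAMPLE.org ',    // surrounding spaces, mixed-case domain
    'carol@other.test',     // valid syntax, domain not approved
    'not-an-email',         // fails FILTER_VALIDATE_EMAIL
    '',                     // empty string
];

foreach ($samples as $input) {
    $result = filter_var($input, FILTER_CALLBACK, $filterOptions);

    // Compare strictly against false: a callback for another field could
    // legitimately return a falsy value such as "0".
    $verdict = ($result === false) ? 'rejected' : 'accepted as ' . $result;
    printf("%-22s => %s\n", json_encode($input), $verdict);
}
```

The same options array can be passed to filter_input() with FILTER_CALLBACK when the value comes from $_GET or $_POST.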

Comments

  1. I am new to Symfony web development and I must say > Wow, astonishing blog layout! How long have you been blogging for?
    You make blogging gaze easy. The general gaze of your location is very good,
    as well as the content!
