When I started my career as a developer, there was something I always heard from more experienced programmers, something that became a mantra that I always carried with me:
Never trust user data
How many times have we heard of systems that failed, seriously or otherwise, because they didn't handle their input data properly? Or of developers who wasted precious time writing their own libraries to handle GET and POST parameters?
We cannot deny that we have to handle our data, and the purpose of this text is to present a simple and safe way to perform this task with PHP.
The filter extension
As of PHP 5.2, the filter extension is enabled by default. Since then, it has been easier to validate and sanitize data without reading the superglobals $_POST and $_GET directly.
In a simple way, there are two types of "tasks" performed by the filtering system:
Validation: ensures that the data meets a specific expectation. It returns false if the data does not meet the established criterion.
Sanitization: removes unwanted data from the input based on a criterion and returns the sanitized data.
As it is a native feature of PHP 5.2 and later, no installation is required to use it.
Using the Filter
To use the filter extension, we call one of the filter functions, such as filter_input or filter_var. For didactic purposes, the examples in this text use the filter_input function. Having settled on that function, let's analyze its prototype:
mixed filter_input( int $type , string $variable_name [, int $filter = FILTER_DEFAULT [, mixed $options ]] );
Note that the only required parameters are type and variable_name, where type is the constant that indicates where the external data will be looked up and variable_name is the name of the parameter to look up. For example, $_GET['email'] corresponds to filter_input(INPUT_GET, 'email').
Since each filter is represented by a different constant, the filter parameter indicates which filter we will use. If no filter is given, FILTER_DEFAULT is used, which applies no filtering at all. The options parameter adds modifiers to the filters; its usage is explained later.
Therefore, to apply a filter to a variable, we need the following code:
filter_input(INPUT_CONSTANT, $input_data, FILTER_CONSTANT);
Each filter in the system is represented by a constant. Validation constants are found as FILTER_VALIDATE_*, and sanitization constants are found as FILTER_SANITIZE_*.
Now that we understand the basic concepts, let's see some practical examples:
//SANITIZATION
// emailUser = ((teste@teste.com)&*
// returns "teste@teste.com&*" (the parentheses are removed, but & and * are legal e-mail characters and survive)
$emailUser = filter_input(INPUT_GET, 'emailUser', FILTER_SANITIZE_EMAIL);
// age = abc1b3
// returns "13" (a string: only digits, + and - are kept)
$age = filter_input(INPUT_GET, 'age', FILTER_SANITIZE_NUMBER_INT);
//VALIDATION
// The parameter "email" does not exist.
// returns NULL
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
// email = ((teste@teste.com)&*
// returns FALSE
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
// email = teste@teste.com
// returns "teste@teste.com" (the validated value itself, not TRUE)
filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
Modifiers
There are ways to modify the behavior of filters. Validation filters accept options and flags as modifiers, while sanitization filters only accept options.
Let's see an example of validation:
// numberHex = 0xf0
$modificador = [
    'options' => [
        'default'   => 1,
        'min_range' => 1,
        'max_range' => 240
    ],
    'flags' => FILTER_FLAG_ALLOW_HEX
];
filter_input(INPUT_GET, 'numberHex', FILTER_VALIDATE_INT, $modificador);
In the example above, numberHex is only valid as an integer between 1 and 240; if these requirements are not met, the function returns the value given in default. The flag FILTER_FLAG_ALLOW_HEX lets the function accept hexadecimal values as well, and in this case 0xf0 equals 240 in decimal.
Now let's see an example of sanitization:
// number = -2.3
// return -23
filter_input(INPUT_GET, 'number', FILTER_SANITIZE_NUMBER_FLOAT);
// number = -2.3
// return -2.3
filter_input(INPUT_GET, 'number', FILTER_SANITIZE_NUMBER_FLOAT, ['flags' => FILTER_FLAG_ALLOW_FRACTION]);
In the code above, the same value is processed in two different ways. In the first call the dot is stripped, because the filter only keeps fractional parts when the FILTER_FLAG_ALLOW_FRACTION flag is present.
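To tie the sanitization, validation and modifier examples above together, here is an added example that is not part of the original post. It uses filter_var() over a constructed array standing in for $_GET so that it runs from the command line, and validateParam() is a helper written for this example that mirrors the NULL-for-missing / FALSE-for-invalid behaviour of filter_input().

```php
<?php
declare(strict_types=1);

// Validate one request parameter, distinguishing "missing" (null) from
// "invalid" (false) the way filter_input() does. Callers must compare with
// === so that a legitimately validated 0 or "0" is not mistaken for failure.
function validateParam(array $source, string $name, int $filter, $options = 0)
{
    if (!array_key_exists($name, $source)) {
        return null;                       // parameter absent, like filter_input()
    }
    return filter_var($source[$name], $filter, $options);
}

// Constructed sample request standing in for $_GET (not a real request).
$request = [
    'email'     => '((teste@teste.com)&*',
    'age'       => '0',
    'numberHex' => '0xf0',
    'number'    => '-2.3',
];

// Sanitization keeps '&' and '*' (both legal in an address), so the result
// is still not a valid e-mail: sanitizing and validating are different tasks.
$sanitized = filter_var($request['email'], FILTER_SANITIZE_EMAIL);      // "teste@teste.com&*"
$email     = validateParam($request, 'email', FILTER_VALIDATE_EMAIL);   // false

// FILTER_VALIDATE_INT returns the integer 0 here; a plain truthiness check
// would wrongly reject it, hence the explicit comparisons below.
$age = validateParam($request, 'age', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 130]]);             // int(0)

// Same options and flag as the post's numberHex example.
$hex = validateParam($request, 'numberHex', FILTER_VALIDATE_INT,
    ['options' => ['default' => 1, 'min_range' => 1, 'max_range' => 240],
     'flags'   => FILTER_FLAG_ALLOW_HEX]);                                // int(240)

$number  = validateParam($request, 'number', FILTER_VALIDATE_FLOAT);     // float(-2.3)
$missing = validateParam($request, 'zip', FILTER_VALIDATE_INT);          // null

$results = ['email' => $email, 'age' => $age, 'numberHex' => $hex,
            'number' => $number, 'zip' => $missing];
foreach ($results as $name => $value) {
    if ($value === null) {
        echo "$name: missing\n";
    } elseif ($value === false) {
        echo "$name: invalid\n";
    } else {
        echo "$name: ok (" . var_export($value, true) . ")\n";
    }
}
```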
To conclude
The filter extension is an excellent way to handle your data within PHP without resorting to superglobals or using specific libraries. It is worth delving deeper into its functioning.
You can check the complete documentation of the feature by clicking here.
If you want a more powerful tool for data sanitization, I suggest using my PHPCleanup library.
Hey, did you like the text? Do you have any tips to share? Leave your comment, it will be a pleasure to interact with you.