PHP's input filter

PHP code

    <?php
    // Validate the "email" GET parameter as an e-mail address.
    // Returns the address on success, false on failure, null if the parameter is absent.
    $result = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
    var_dump($result);
    ?>

Introduction

This extension serves for validating and filtering data coming usually from some insecure source such as user input.

The following filters currently exist; be sure to read the Filter Constants section for information that describes the behavior of each constant:

Table 1. Existing filters

<table border="1" class="CALSTABLE">
  <colgroup> <col></col> <col></col> <col></col> <col></col> </colgroup> <tr>
    <th>
      ID
    </th>
    
    <th>
      Name
    </th>
    
    <th>
      Options
    </th>
    
    <th>
      Flags
    </th>
    
    <th>
      Description
    </th>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_INT</strong></tt>
    </td>
    
    <td>
      "int"
    </td>
    
    <td>
      <code class="parameter">min_range</code>, <code class="parameter">max_range</code>
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_ALLOW_OCTAL</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ALLOW_HEX</strong></tt>
    </td>
    
    <td>
      Validates value as integer, optionally from the specified range.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_BOOLEAN</strong></tt>
    </td>
    
    <td>
      "boolean"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Returns <tt class="constant"><strong>TRUE</strong></tt> for "1", "true", "on" and "yes", <tt class="constant"><strong>FALSE</strong></tt> for "0", "false", "off", "no", and "", <tt class="constant"><strong>NULL</strong></tt> otherwise.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_FLOAT</strong></tt>
    </td>
    
    <td>
      "float"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Validates value as float.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_REGEXP</strong></tt>
    </td>
    
    <td>
      "validate_regexp"
    </td>
    
    <td>
      <code class="parameter">regexp</code>
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Validates value against <code class="parameter">regexp</code>, a <a href="ref.pcre.html">Perl-compatible</a> regular expression.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_URL</strong></tt>
    </td>
    
    <td>
      "validate_url"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_SCHEME_REQUIRED</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_HOST_REQUIRED</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_PATH_REQUIRED</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_QUERY_REQUIRED</strong></tt>
    </td>
    
    <td>
      Validates value as URL, optionally with required components.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_EMAIL</strong></tt>
    </td>
    
    <td>
      "validate_email"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Validates value as e-mail.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_VALIDATE_IP</strong></tt>
    </td>
    
    <td>
      "validate_ip"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_IPV4</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_IPV6</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_NO_PRIV_RANGE</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_NO_RES_RANGE</strong></tt>
    </td>
    
    <td>
      Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_STRING</strong></tt>
    </td>
    
    <td>
      "string"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_NO_ENCODE_QUOTES</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_STRIP_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_STRIP_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_AMP</strong></tt>
    </td>
    
    <td>
      Strip tags, optionally strip or encode special characters.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_STRIPPED</strong></tt>
    </td>
    
    <td>
      "stripped"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Alias of "string" filter.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_ENCODED</strong></tt>
    </td>
    
    <td>
      "encoded"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_STRIP_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_STRIP_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_HIGH</strong></tt>
    </td>
    
    <td>
      URL-encode string, optionally strip or encode special characters.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_SPECIAL_CHARS</strong></tt>
    </td>
    
    <td>
      "special_chars"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_STRIP_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_STRIP_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_HIGH</strong></tt>
    </td>
    
    <td>
      HTML-escape <tt class="literal">'"<>&</tt> and characters with ASCII value less than 32, optionally strip or encode other special characters.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_UNSAFE_RAW</strong></tt>
    </td>
    
    <td>
      "unsafe_raw"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_STRIP_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_STRIP_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_LOW</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_HIGH</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ENCODE_AMP</strong></tt>
    </td>
    
    <td>
      Do nothing, optionally strip or encode special characters.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_EMAIL</strong></tt>
    </td>
    
    <td>
      "email"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Remove all characters except letters, digits and <tt class="literal">!#$%&'*+-/=?^_`{|}~@.[]</tt>.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_URL</strong></tt>
    </td>
    
    <td>
      "url"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Remove all characters except letters, digits and <tt class="literal">$-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=</tt>.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_NUMBER_INT</strong></tt>
    </td>
    
    <td>
      "number_int"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Remove all characters except digits and <tt class="literal">+-</tt>.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_NUMBER_FLOAT</strong></tt>
    </td>
    
    <td>
      "number_float"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <tt class="constant"><strong>FILTER_FLAG_ALLOW_FRACTION</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ALLOW_THOUSAND</strong></tt>, <tt class="constant"><strong>FILTER_FLAG_ALLOW_SCIENTIFIC</strong></tt>
    </td>
    
    <td>
      Remove all characters except digits, <tt class="literal">+-</tt> and optionally <tt class="literal">.,eE</tt>.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_SANITIZE_MAGIC_QUOTES</strong></tt>
    </td>
    
    <td>
      "magic_quotes"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      Apply <a href="function.addslashes.html"><strong class="function">addslashes()</strong></a>.
    </td>
  </tr>
  
  <tr>
    <td>
      <tt class="constant"><strong>FILTER_CALLBACK</strong></tt>
    </td>
    
    <td>
      "callback"
    </td>
    
    <td>
      &nbsp;
    </td>
    
    <td>
      <a href="language.pseudo-types.html#language.types.callback"><strong class="type">callback</strong></a> function or method
    </td>
    
    <td>
      Call user-defined function to filter data.
    </td>
  </tr>
</table>
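The following script, added here as an example and not taken from the PHP manual or the original post, exercises several of the filters in Table 1 with filter_var() on constructed sample values. The function names (valid_port, parse_flag, public_ipv4, url_with_path, normalise_username, sanitize_comment) and all input strings are assumptions made for illustration.

```php
<?php
// Added example (not from the original page): exercising filters from Table 1
// with filter_var() on constructed sample values.

// FILTER_VALIDATE_INT with min_range/max_range: returns the int or false.
function valid_port(string $raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
}

// FILTER_VALIDATE_BOOLEAN: "1"/"true"/"on"/"yes" give true,
// "0"/"false"/"off"/"no"/"" give false. FILTER_NULL_ON_FAILURE makes
// unrecognised strings come back as null, so the caller can tell
// an explicit "no" apart from garbage input.
function parse_flag(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// FILTER_VALIDATE_IP limited to IPv4 and excluding private ranges, which is
// what you want before using a user-supplied address for an outbound request.
function public_ipv4(string $raw)
{
    return filter_var($raw, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE);
}

// FILTER_VALIDATE_URL with a required path component.
function url_with_path(string $raw)
{
    return filter_var($raw, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED);
}

// FILTER_CALLBACK: the 'options' key carries the callable that is applied.
function normalise_username(string $raw): string
{
    return filter_var($raw, FILTER_CALLBACK, [
        'options' => fn(string $v): string => strtolower(trim($v)),
    ]);
}

// FILTER_SANITIZE_SPECIAL_CHARS HTML-escapes '"<>& and control characters.
// Sanitizing on input does not replace escaping for the right context at
// output time; it only limits what reaches the rest of the application.
function sanitize_comment(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Constructed inputs covering the pass and fail side of each filter.
$samples = [
    'port 8080'       => valid_port('8080'),
    'port 70000'      => valid_port('70000'),          // outside max_range
    'port 0x1F90'     => valid_port('0x1F90'),         // hex is rejected unless FILTER_FLAG_ALLOW_HEX is set
    'flag yes'        => parse_flag('yes'),
    'flag maybe'      => parse_flag('maybe'),
    'ip 192.168.1.10' => public_ipv4('192.168.1.10'),  // private range
    'ip 203.0.113.10' => public_ipv4('203.0.113.10'),  // documentation address, not private
    'url no path'     => url_with_path('http://example.com'),
    'url with path'   => url_with_path('http://example.com/login'),
    'username'        => normalise_username('  Alice '),
    'comment'         => sanitize_comment('<b onclick="x()">hi</b> & bye'),
];

foreach ($samples as $label => $result) {
    echo str_pad($label, 18), ' => ';
    var_dump($result);
}
```

Run it with `php filters.php`. Every validate filter returns false on failure, so compare with `=== false` rather than relying on truthiness: a validated integer 0 or the boolean false are legitimate results that a plain `if ($result)` would throw away.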

You can check through php.ini (as shown by phpinfo()) whether filter support is enabled.

<table border="1">
  <tr>
    <td class="e">filter</td>
    <td class="v">enabled</td>
  </tr>
  <tr>
    <td class="e">Revision</td>
    <td class="v">$Revision: 1.52.2.39 $</td>
  </tr>
</table>

Input Validation and Filtering

<table border="1">
  <tr>
    <th>Directive</th>
    <th>Local Value</th>
    <th>Master Value</th>
  </tr>
  <tr>
    <td class="e">filter.default</td>
    <td class="v">unsafe_raw</td>
    <td class="v">unsafe_raw</td>
  </tr>
  <tr>
    <td class="e">filter.default_flags</td>
    <td class="v"><em>no value</em></td>
    <td class="v"><em>no value</em></td>
  </tr>
</table>

Usage:
Using the example at the beginning of this post, test with ?email=email@host.com and ?email=invalidemail.address.
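The following script is an added example, not part of the original post: it wraps the opening snippet's e-mail check in a function over a constructed query array so the two test inputs above can be exercised from the command line without a web request. filter_input() returns null when the variable is absent and false when it fails the filter; the helper email_from_query (an assumed name) keeps those three outcomes distinct and also rejects a parameter that arrives as an array.

```php
<?php
// Added example (not from the original page): the e-mail check from the
// opening snippet, run over constructed query arrays instead of real $_GET.

function email_from_query(array $query)
{
    if (!array_key_exists('email', $query)) {
        return null;                      // parameter not present, like filter_input() on a missing key
    }
    if (!is_string($query['email'])) {
        return false;                     // ?email[]=... arrives as an array; treat it as invalid
    }
    return filter_var($query['email'], FILTER_VALIDATE_EMAIL);
}

// The two inputs suggested on the page, plus an absent parameter and an array.
// These arrays are constructed to stand in for parsed $_GET.
$requests = [
    '?email=email@host.com'       => ['email' => 'email@host.com'],
    '?email=invalidemail.address' => ['email' => 'invalidemail.address'],
    '(no email parameter)'        => [],
    '?email[]=email@host.com'     => ['email' => ['email@host.com']],
];

foreach ($requests as $label => $get) {
    $result = email_from_query($get);
    echo $label, ' => ';
    var_dump($result);
    if ($result === null) {
        echo "  missing parameter\n";
    } elseif ($result === false) {
        echo "  rejected: not a syntactically valid address\n";
    } else {
        // Escape for the HTML context when echoing the value back to a page.
        echo "  accepted: ", htmlspecialchars($result, ENT_QUOTES, 'UTF-8'), "\n";
    }
}
```

FILTER_VALIDATE_EMAIL checks syntax only; it says nothing about whether the mailbox exists, so a confirmation message is still needed before the address is trusted for anything like password resets.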