PHP: Hypertext Preprocessor

除去

例1 メールアドレスの検証、および不正な部分の除去

<?php
$a = 'joe@example.org';
$b = 'bogus - at - example dot org';
$c = '(bogus@example.org)';

$sanitized_a = filter_var($a, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_a, FILTER_VALIDATE_EMAIL)) {
    echo "処理済の (a) はメールアドレスとして有効です。\n";
}

$sanitized_b = filter_var($b, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_b, FILTER_VALIDATE_EMAIL)) {
    echo "処理済のメールアドレスは有効です。";
} else {
    echo "処理済の (b) はメールアドレスとして無効です。\n";
}

$sanitized_c = filter_var($c, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_c, FILTER_VALIDATE_EMAIL)) {
    echo "処理済の (c) はメールアドレスとして有効です。\n";
    echo "処理前: $c\n";
    echo "処理後:  $sanitized_c\n";
}
?>

上の例の出力は以下となります。

処理済の (a) はメールアドレスとして有効です。
処理済の (b) はメールアドレスとして無効です。
処理済の (c) はメールアドレスとして有効です。
処理前: (bogus@example.org)
処理後: bogus@example.org

例2 デフォルトのフィルタの設定

filter.default = full_special_chars
filter.default_flags = 0

Improve This Page

Learn How To Improve This Page • Submit a Pull Request • Report a Bug

＋add a note

User Contributed Notes 2 notes

down

zeeshan dot karamat dot abbas at gmail dot com ¶

9 years ago

If we omit using a filter then PHP by default puts a filter which is FILTER_DEFAULT which will use default filter. Now the question is what is a default filter. A default filter is unsafe_raw which will allow the unsafe raw data passed on to the server. This value is available in php.ini file. It is suggested that a developer should update this value inside php.ini file as under:
filter.default = full_special_chars
filter.default_flags = 0

Whereas in php.ini file above values are by default, set as under:
;filter.default = unsafe_raw
;filter.default_flags = 

Above semicolons are commented out lines so surely one needs to remove those semicolons to apply the changes made. If we do not do above things then what will happen. In that case PHP will use default filter which would surely be FILTER_UNSAFE_RAW and one can see that unsafe raw data can then be passed onto server which can make the life a hacker easier.

down

Chris ¶

9 years ago

While it may seem to be good practice to set the defaults in php.ini you should not assume that the end users server has the same settings as your server. Because of this you should not presume that default filtering will work out of the box for the end user.

You should ensure that all filters are declared at the site of use regardless of your own default settings. A move to a new host even for your own personal application may break due to different settings.

＋add a note