PHP Literature Translation [Original]: Graduation Project, Thesis Proposal, Foreign-Language Translation

Translated By Sissi Zeng
Input Validation Using Filter Functions

I’d like to start off this article by thanking you for making it even this far. I’m fully aware that “Input Validation Using Filter Functions” isn’t exactly the sexiest article title in the world!

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly.

In this article I’ll explain why input validation is important, why using PHP’s built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action. Sound good? Let’s go!

Why Input Validation is Important

Input validation is one of the most important things you can do to ensure code security because input is often the one thing about your application you cannot directly control. Because you cannot control it, you cannot trust it.

Unfortunately, as programmers we often write things thinking only of how we want them to work. We don’t consider how someone else might want to make them work – either out of curiosity, ignorance, or malice.

I am not going to go into too much detail about the trouble you can get into if you do not validate user input; there’s a really good article on this very site called PHP Security: Cross-Site Scripting Attacks if you want to read up on it. But I will say that validating your input is the first step to ensuring that the code you have written will be executed as intended.

Maybe you are coming to PHP from another language and you might be thinking, “this was never an issue before so why should I care?” The reason validation is an issue is because PHP is loosely typed. This makes PHP great for some things, but it can make things like data validation a little bit trickier because you can pretty much pass anything to anything.

Why Using Built-in Methods is Important

In order to try and make validation a little bit easier, from PHP 5.2.0 onward we can now use the filter_input() and filter_var() functions. I’ll talk about them in more detail soon, but first I want to talk about why we should be using PHP-provided functionality instead of relying on our own methods or third-party tools.

When you roll your own validation methods, you generally fall into the same trap that you can fall into when designing other functionality: you think about the edge cases you want to think about, not necessarily all of the different vectors that could be used to disguise certain input. Another issue is that, if you are anything like me, the first 10 minutes of any code review dealing with hand-rolled validation code are spent tutting because the programmer didn’t do exactly what you would have done. This can lead to programmers spending more time learning the codebase and reading internal documentation that could instead be spent coding.
Some people don’t roll their own, but instead opt for a third-party solution. There are some good ones out there, and in the past I have used OWASP ESAPI for some extra validation. These are better than perhaps the hand-rolled solutions because more eyes have looked over them, but then you have the issue of introducing third-party code into your project. Again, this increases time spent learning a codebase and reading additional documentation instead of coding.

For these reasons, using native functions is better; moreover, because such functions are baked into the language, we have one place to go for all PHP documentation. New developers will have a greater chance of knowing what the code is and how best to use it. It will be easier to support as a result.

Hopefully by now I have you convinced that validation is important, and that it would be a good idea to use PHP functions to help you achieve your validation needs. If you are not convinced, leave a comment and let’s discuss it.

Some Examples

The filter_input() function was introduced in PHP 5.2.0 and allows you to get an external variable by name and filter it. This is incredibly useful when dealing with $_GET and $_POST data.

Let’s take as an example a simple page that reads a value passed in from the URL and handles it. We know this value should be an integer between 15 and 20.

One way of doing this would be something like:

    if (isset($_GET["value"])) {
        $value = $_GET["value"];
    }
    else {
        $value = false;
    }
    if (is_numeric($value) && ($value >= 15 && $value <= 20)) {
        // run my code
    }
    else {
        // handle the issue
    }

This is a really basic example and already we are writing more lines than I would like to see.

First, because we can’t be sure $_GET["value"] is set, the code performs an appropriate check so that the script doesn’t fall over.

Next is the fact that $value is now a “dirty” variable because it has been directly assigned from a $_GET value. We would need to take care not to use $value anywhere else in the code in case we break anything.

Then there is the issue that 16.0 is valid because is_numeric() okays it.

And finally, we have an issue with the fact that the if statement is a bit of a mouthful to take in and is an extra bit of logic to work through when you are tracing through the code.

Compare the above example now to this:

    $value = filter_input(INPUT_GET, "value", FILTER_VALIDATE_INT,
        array("options" => array("min_range" => 15, "max_range" => 20)));
    if ($value) {
        // run my code
    }
    else {
        // handle the issue
    }

Doesn’t that make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you don’t have to stress over whether the script is receiving the correct information or not.

You also don’t have to worry about $value being dirty because it has been validated before it has been assigned.

Note now that 16.0 is no longer valid.

And finally, our logic is no longer complicated. It’s just a quick check for a truthy value (filter_input() will return false if the validation fails and null if $_GET["value"] wasn’t set).

Obviously in a real world setting you could extract the array out into a variable stored in a configuration file somewhere so things can get changed without even needing to go into business logic. Gorgeous!
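The following is an added example, not code from the original article. It runs the same FILTER_VALIDATE_INT range filter over constructed inputs and keeps the three outcomes (validated integer, false for a rejected value, null for a missing key) apart with strict comparisons instead of a single truthiness test. It uses filter_var() on a plain array standing in for $_GET, because filter_input() reads the real request and returns null for everything when run from the command line; the function names, the VALUE_OPTIONS constant and the sample values are assumptions of this example, and it assumes PHP 8 for the union return type.

```php
<?php
// Added example (not from the original article): the three outcomes of
// FILTER_VALIDATE_INT with a range, on constructed query-string values.
declare(strict_types=1);

// Same range the article uses; in a real application this could live in configuration.
const VALUE_OPTIONS = ['options' => ['min_range' => 15, 'max_range' => 20]];

/**
 * Returns the validated integer, false when the value is present but invalid,
 * or null when the key is absent: the same contract filter_input() gives.
 * $params stands in for $_GET (an assumption so the example runs offline).
 */
function readBoundedValue(array $params, string $key): int|false|null
{
    if (!array_key_exists($key, $params)) {
        return null;
    }
    return filter_var($params[$key], FILTER_VALIDATE_INT, VALUE_OPTIONS);
}

/**
 * Distinguishes "rejected" from "missing". Strict comparisons matter: if
 * min_range were 0, a plain if ($value) would treat a valid 0 as a failure.
 */
function describe(array $params, string $key): string
{
    $value = readBoundedValue($params, $key);
    if ($value === null) {
        return 'missing';
    }
    if ($value === false) {
        return 'rejected';
    }
    return "accepted as int $value";
}

// Constructed sample requests. Query-string values always arrive as strings
// (or arrays, when the client sends value[]=...).
$samples = [
    ['value' => '16'],      // in range
    ['value' => '16.0'],    // is_numeric() would accept this; the int filter does not
    ['value' => '21'],      // an integer, but above max_range
    ['value' => '16abc'],   // trailing garbage
    ['value' => ['16']],    // an array where a scalar is expected is rejected too
    [],                     // key not supplied at all
];

foreach ($samples as $params) {
    printf("%-10s -> %s\n", json_encode($params['value'] ?? null), describe($params, 'value'));
}
```

In a web context the body of readBoundedValue() collapses to the article's one-line filter_input() call; the point of the wrapper is only that callers check for false and null explicitly rather than relying on the validated value being truthy.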

Now you might be thinking that this might be useful for simple scripts that grab a couple of $_GET or $_POST variables, but what about for use inside of functions or classes? Luckily we have filter_var() for that.

The filter_var() function was introduced at the same time as filter_input() and does much the same thing.

    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        mail($email, "Here is my email", "Some Content");
    }

The danger here is that there is nothing to stop the mail() function from attempting to send an email to literally any value that could be stored in $email. This could lead to emails not getting sent, or, in a worst case scenario, something getting in that can potentially use the function for malicious intent.

I have seen people do a check on the result of mail(), which is fine to see if the function completed successfully, but by the time a value is returned the damage is done.

Something like this is much more sane:

    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        $email = filter_var($email, FILTER_VALIDATE_EMAIL);
        if ($email !== false) {
            mail($email, "Here is my email", "Some Content");
        }
        else {
            // handle the invalid email address
        }
    }

The problem with a lot of examples, the above included, is that they are basic. You might be thinking that filter_var() or filter_input() can’t be used for anything other than basic checking. The fine folks who introduced these functions considered that and allow you to pass in a filter to these functions called FILTER_CALLBACK.

FILTER_CALLBACK allows you to pass in a function you have created that will accept as the input the variable being filtered – this is where you can start to have a lot of fun because you can start applying your own business logic to your filtering.
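The following is an added example, not code from the original article, showing FILTER_CALLBACK carrying a business rule. The callback receives the value being filtered and whatever it returns becomes the result of filter_var(), so returning false signals failure exactly as the built-in filters do. The order-reference format, its check-digit rule and the function names are hypothetical, invented for this example; it assumes PHP 8.

```php
<?php
// Added example (not from the original article): FILTER_CALLBACK with a
// custom validator. The rule below is invented for illustration.
declare(strict_types=1);

/**
 * Hypothetical business rule: an order reference is "ORD-" followed by six
 * digits, and the last digit must equal the sum of the first five modulo 10.
 * Returns the value unchanged when it passes, false otherwise.
 */
function validateOrderReference(mixed $raw): string|false
{
    if (!is_string($raw)) {
        return false;               // arrays and other types never pass
    }
    // \z rather than $: $ would also match before a trailing newline.
    if (preg_match('/^ORD-(\d{5})(\d)\z/', $raw, $m) !== 1) {
        return false;
    }
    $sum = array_sum(str_split($m[1]));
    return ($sum % 10 === (int) $m[2]) ? $raw : false;
}

/** Wraps the rule in filter_var() so it sits beside the built-in filters. */
function filterOrderReference(mixed $raw): string|false
{
    return filter_var($raw, FILTER_CALLBACK, ['options' => 'validateOrderReference']);
}

// Constructed samples covering the pass case and the main failure modes.
$samples = [
    'ORD-123455',       // 1+2+3+4+5 = 15, check digit 5: passes
    'ORD-123456',       // wrong check digit
    'ORD-12345',        // too short
    'ord-123455',       // wrong case
    "ORD-123455\n",     // trailing newline, rejected thanks to \z
    ['ORD-123455'],     // array instead of a scalar
];

foreach ($samples as $sample) {
    $result = filterOrderReference($sample);
    printf("%-16s -> %s\n", json_encode($sample), $result === false ? 'rejected' : 'accepted');
}
```

The same callback can be handed to filter_input() with INPUT_GET or INPUT_POST, which keeps the rule in one named function instead of scattering regular expressions through the request handlers.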

Some Potential Pitfalls

These functions are pretty great, and they allow you to do some really powerful filtering, which as we have discussed can help improve the security and reliability of your code. There are some potential drawbacks however and I would feel that I was remiss if I didn’t point them out.

The main pitfall is that the functions are only as good as the filter you apply to them. Take the last example using email validation – how FILTER_VALIDATE_EMAIL handles email addresses changed between 5.2.14 and 5.3.3, and even assuming all your applications run on the same version of PHP there are email addresses that are technically valid that you might not expect. Be sure you know about the filters you are using.
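The following is an added example, not code from the original article. It addresses both the emailUser() discussion above and this pitfall: FILTER_VALIDATE_EMAIL is kept as the syntax check, so values that could never be safe to pass to mail() (such as a string containing a line break) are rejected by the built-in filter, and an explicit local policy is layered on top so that what the application accepts does not silently shift when the filter's rules change between PHP versions. The length limit, the dotted-domain requirement, the domain allow-list and the function name are assumptions of this example, not part of the PHP filter; it assumes PHP 8 for str_contains().

```php
<?php
// Added example (not from the original article): FILTER_VALIDATE_EMAIL
// wrapped in an explicit, version-independent local policy.
declare(strict_types=1);

/**
 * Returns the validated address, or null when it fails either the built-in
 * filter or the local policy. The policy is an assumption of this example.
 */
function validateEmailStrict(string $candidate, array $allowedDomains = []): ?string
{
    $candidate = trim($candidate);
    // RFC 5321 limits a full address to 254 octets; longer input is rejected outright.
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    // Built-in syntax check first: control characters and spaces never get through.
    $validated = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    if ($validated === false) {
        return null;
    }
    $domain = strtolower(substr($validated, strrpos($validated, '@') + 1));
    // Local rule: require a dotted host name, whatever the filter happens to allow.
    if (!str_contains($domain, '.')) {
        return null;
    }
    // Optional local rule: restrict to known domains.
    if ($allowedDomains !== [] && !in_array($domain, $allowedDomains, true)) {
        return null;
    }
    return $validated;
}

// Constructed samples: the plain case, a technically valid form some people do
// not expect, an address containing a line break, a bare host, and garbage.
$samples = [
    'alice@example.com',
    'alice+news@example.com',
    "bob@example.com\r\nmore-text",
    'carol@localhost',
    'not an address',
];

foreach ($samples as $sample) {
    $result = validateEmailStrict($sample, ['example.com']);
    printf("%-40s -> %s\n", json_encode($sample), $result ?? 'rejected');
}
```

Pinning the extra rules in your own function also gives you somewhere to put a test that lists the addresses you expect to accept and reject, so an upgrade that changes the built-in filter shows up as a failing test rather than as a change in production behaviour.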

The second pitfall is that people think that if they put in some filters then their code is secure. Filtering your variables goes some way to helping, but it doesn’t make your code 100% safe from abuse. I would love to talk more about this, but that is out of the scope of this article and my word count is already pretty high!

Conclusion

Hopefully you have found this introduction to input validation in PHP useful. And now, time for a call to action!

I want you to take one function in your code, just one, and see what happens to it when you pass in different data types and different values. Then I want you to apply some of the filtering methods discussed here and see if there is a difference in how your code performs. I would love to know how you got on in the comments.

Input Validation Using Filter Functions

Before starting this article, I want to thank you for even just glancing at the title, because I am fully aware that "Input Validation Using Filter Functions" is not the sexiest article title in the world!

PHP's filter functions may not be that attractive, but if you learn how to use them correctly, they can improve the stability, security, and even the maintainability of your code.

In this article I will explain why input validation is so important and why using PHP's built-in functions to perform input validation matters. Then I will give some examples (namely using the two functions filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, lively call to action. Sounds good? Let's get going!

Why Input Validation Is So Important

One of the most important things you can do to ensure code security is input validation, because for your application input is something that happens all the time yet you cannot directly control it. Because you cannot control it, you cannot trust it either.

Unfortunately, as programmers, we often write programs thinking only about how we want them to work. We do not consider how someone else might want to make the program work the way they want – whether out of curiosity, ignorance, or malice.

I am not going to go into much detail about the problems you run into by not validating user input. If you want to read about it, there is a very good article, "Cross-Site Scripting Attacks", on a site called "PHP Security". But I will say that validating your input is the first step to ensuring that the code you write runs as intended.

Maybe you came to PHP from another language, and you may be thinking, "this was never a problem before, so why should I care?" The reason validation is an issue is that PHP is weakly typed. That makes PHP very powerful for some things, but it can make things like data validation a bit troublesome, because you can pass almost any data to any kind of variable.

Why Using the Built-in Methods Is Important

To try to make validation a little easier, from PHP 5.2.0 onward we can use the two functions filter_input() and filter_var(). I will explain these two functions in more detail shortly, but first I want to talk about why we should use the functionality PHP provides instead of relying on our own methods or third-party tools.

When you use your own validation methods, you usually fall into the same trap you run into when designing other functionality: you think about the edge cases you want to think about, without necessarily considering all the different vectors, which are exactly what disguise certain input. Another problem is that, if you are anything like me, the first 10 minutes of any code review are spent tutting over hand-rolled validation code, because the programmer did not do it the way you would have. This can lead to programmers spending more time learning the codebase and reading internal documents, time that could instead be spent coding.

Some people do not use their own validation methods but choose a third-party solution instead, and some of these are good. In the past I have also used OWASP's ESAPI for some extra validation. These are perhaps better than hand-rolled solutions because more eyes are watching them for mistakes, but your project then also gains the problems that come with introducing third-party code. Again, this increases the time spent learning a codebase and reading other documentation instead of coding.

For these reasons, using native functionality is better; moreover, since this functionality is integrated into the language, it means we have one place to go for all the PHP documentation. New developers will have a greater chance of knowing what the code is and how best to use it. As a result it is easier to support.

Hopefully by now I have convinced you that validation is very important and that using PHP functions to help you meet your validation needs is a good idea. If you are not convinced, post a comment and let us discuss it.

Some Examples

The filter_input() function was introduced in PHP 5.2.0 and allows you to get an external variable by name and filter it. This is very useful when handling $_GET and $_POST data.

Let us look at a simple page as an example. It reads a value passed via the URL and handles it. We know this value should be an integer between 15 and 20.

One way of doing this could be like this:

    if (isset($_GET["value"])) {
        $value = $_GET["value"];
    }
    else {
        $value = false;
    }
    if (is_numeric($value) && ($value >= 15 && $value <= 20)) {
        // run my code
    }
    else {
        // handle the issue
    }

This is a very basic example, and already we are writing more lines than I would like to see.

First, because we cannot be sure $_GET has been assigned a value, the code performs an appropriate check so that the script does not fall over.

Next, $value is now a "dirty" variable, because it has been directly assigned a value coming from $_GET. We need to take care not to use $value elsewhere in the code, in case we break something else.

Another problem is that 16.0 is validated as valid, because is_numeric() reports it as a valid value.

Finally, we have the problem that the if statement is rather a mouthful, and when tracing the code there is some extra logic that has to be worked through.

Now compare the example above with this:

    $value = filter_input(INPUT_GET, "value", FILTER_VALIDATE_INT,
        array("options" => array("min_range" => 15, "max_range" => 20)));
    if ($value) {
        // run my code
    }
    else {
        // handle the issue
    }

Doesn't that make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you do not have to stress about whether the script received the right information.

You also do not have to worry about $value being dirty, because it was validated before it was assigned.

Note that the value 16.0 is now no longer valid.

Finally, our logic is no longer complicated. It is just a quick check for a truthy value (filter_input() returns false if validation fails, and returns null if $_GET["value"] was not set).

Obviously, in a real-world setting you could extract the array into a variable stored somewhere in a configuration file, so that values can easily be changed without even needing to go into the business logic. Gorgeous!

Now you may be thinking this is only useful for simple scripts that grab a couple of $_GET or $_POST values, but what about use inside functions or classes? Luckily, we have filter_var().

The filter_var() function was introduced into the language together with filter_input() and does the same thing.

    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        mail($email, "Here is my email", "Some Content");
    }

The danger here is: what stops the mail() function from attempting to send an email to literally any value that can be stored in $email? This could cause emails not to be sent, or, in the worst case, something getting in that uses the function maliciously.

I have seen people check the result of mail(), which is fine for seeing whether the function completed successfully, but by the time a value is returned the damage has been done.

Code like the following is much saner:

    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        $email = filter_var($email, FILTER_VALIDATE_EMAIL);
        if ($email !== false) {
            mail($email, "Here is my email", "Some Content");
        }
        else {
            // handle the invalid email address
        }
    }

The problem with many examples, the above included, is that they are basic. You may be thinking that filter_var() or filter_input() cannot be used for anything beyond basic checks. The good folks who introduced these functions considered this and allow you to pass a filter called FILTER_CALLBACK to them.

FILTER_CALLBACK lets you pass the variable being validated to a function you have created, which accepts that value as its input. This is where you can start to have fun, because you can start applying your own business logic to the filtering.

Some Potential Pitfalls

These functions are great, and they let you do some really powerful filtering which, as we have discussed, can help improve the security and reliability of your code. But there are also some potential drawbacks, and I would feel remiss if I did not point them out.

The main drawback is that the functions are only as good as the filter you apply to them. Take the last example using email validation – how FILTER_VALIDATE_EMAIL handles email addresses changed between 5.2.14 and 5.3.3, and even assuming all your applications run on the same version of PHP, there are email addresses that are technically valid that you might not expect. Make sure you know the filters you are using.

The second pitfall is that people think that once they have added filters to their code, the code is secure. Filtering variables helps somewhat, but it does not make your code 100% safe from abuse. I would love to talk about this, but it is beyond the scope of this article, and my word count is already quite high!

Conclusion

Hopefully you have found this introduction to input validation in PHP useful. Now it is time for a call to action!

I want you to take one function in your code, just one, and see what happens when you pass in different data types and different values. Then I want you to apply some of the filtering methods discussed here and see whether there is any difference in how your code performs. I would love to hear in the comments how you got on.
