Filtering and Sanitizing
========================

Filtering and sanitizing user input is a critical part of software development. Trusting user input too much, or neglecting to filter it, can let users reach content they are not authorized to see: mainly other users' data, and in the worst case everything hosted on the server that runs your application.

.. figure:: ../_static/img/sql.png
   :align: center

   Full image (from xkcd)

The :doc:`Phalcon\\Filter <../api/Phalcon_Filter>` component provides a set of commonly needed helpers for filtering and sanitizing user input. It is an object-oriented wrapper around the PHP filter extension.

Sanitizing data
---------------

Sanitizing removes particular characters from a string: characters that are not required, as specified explicitly by the developer. Sanitizing user input helps keep the application's integrity and security intact.

.. code-block:: php

    <?php

    $filter = new \Phalcon\Filter();

    // returns "someone@example.com"
    $filter->sanitize("some(one)@exa\mple.com", "email");

    // returns "hello"
    $filter->sanitize("hello<<", "string");

    // returns "100019"
    $filter->sanitize("!100a019", "int");

    // returns "100019.01"
    $filter->sanitize("!100a019.01a", "float");

Sanitizing from Controllers
---------------------------

You can access a :doc:`Phalcon\\Filter <../api/Phalcon_Filter>` object from your controllers when reading GET or POST input (through the request object). The first parameter is the name of the variable to obtain; the second is the filter to apply to it.

.. code-block:: php

    <?php

    class ProductsController extends \Phalcon\Mvc\Controller
    {

        public function indexAction()
        {

        }

        public function saveAction()
        {
            // Sanitizing price from input ("float" is the built-in filter listed below)
            $price = $this->request->getPost("price", "float");

            // Sanitizing email from input
            $email = $this->request->getPost("customerEmail", "email");
        }

    }

Filtering Action Parameters
---------------------------

The next example shows how to sanitize the action parameters within a controller action:

.. code-block:: php

    <?php

    class ProductsController extends \Phalcon\Mvc\Controller
    {

        public function indexAction()
        {

        }

        public function showAction($productId)
        {
            // Strip everything but digits and sign before the id is used
            $productId = $this->filter->sanitize($productId, "int");
        }

    }

Filtering data
--------------

In addition to sanitizing, :doc:`Phalcon\\Filter <../api/Phalcon_Filter>` also provides filtering that removes or modifies input data to produce the form we expect.

.. code-block:: php

    <?php

    $filter = new \Phalcon\Filter();

    // returns "Hello"
    $filter->filter("<h1>Hello</h1>", "striptags");

    // returns "Hello"
    $filter->filter("  Hello   ", "trim");

Built-in Filter Types
---------------------

The following are the built-in filters provided by this component:

+-----------+---------------------------------------------------------------------------+
| Name      | Description                                                               |
+===========+===========================================================================+
| string    | Strip tags                                                                |
+-----------+---------------------------------------------------------------------------+
| email     | Remove all characters except letters, digits and !#$%&*+-/=?^_`{|}~@.[]. |
+-----------+---------------------------------------------------------------------------+
| int       | Remove all characters except digits, plus and minus sign.                 |
+-----------+---------------------------------------------------------------------------+
| float     | Remove all characters except digits, dot, plus and minus sign.            |
+-----------+---------------------------------------------------------------------------+
| alphanum  | Remove all characters except [a-zA-Z0-9]                                  |
+-----------+---------------------------------------------------------------------------+
| striptags | Applies the strip_tags_ function                                          |
+-----------+---------------------------------------------------------------------------+
| trim      | Applies the trim_ function                                                |
+-----------+---------------------------------------------------------------------------+
| lower     | Applies the strtolower_ function                                          |
+-----------+---------------------------------------------------------------------------+
| upper     | Applies the strtoupper_ function                                          |
+-----------+---------------------------------------------------------------------------+

Creating your own Filters
-------------------------

You can add your own filters to :doc:`Phalcon\\Filter <../api/Phalcon_Filter>`. The filter function can be an anonymous function:

.. code-block:: php

    <?php

    $filter = new \Phalcon\Filter();

    // Using an anonymous function: keep only lowercase hex digits
    $filter->add('md5', function($value) {
        return preg_replace('/[^0-9a-f]/', '', $value);
    });

    // Sanitize with the "md5" filter ($possibleMd5 holds the value to check, e.g. a request parameter)
    $filtered = $filter->sanitize($possibleMd5, "md5");

Or, if you prefer, you can implement the filter as a class:

.. code-block:: php

    <?php

    class IPv4Filter
    {

        public function filter($value)
        {
            // FILTER_VALIDATE_IP returns the value unchanged for a valid IPv4 address
            // and false otherwise, so this filter validates rather than strips characters
            return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
        }

    }

    $filter = new \Phalcon\Filter();

    // Using an object
    $filter->add('ipv4', new IPv4Filter());

    // Sanitize with the "ipv4" filter
    $filteredIp = $filter->sanitize("127.0.0.1", "ipv4");

Complex Sanitizing and Filtering
--------------------------------

PHP itself provides an excellent filter extension you can use. Check out its documentation: `Data Filtering at PHP Documentation`_

Implementing your own Filter
----------------------------

The :doc:`Phalcon\\FilterInterface <../api/Phalcon_FilterInterface>` interface must be implemented to create your own filtering service replacing the one provided by Phalcon.
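As an added example (not code from the Phalcon docs or the framework itself), here is a replacement filtering service written against that interface. It assumes that Phalcon\FilterInterface declares the three methods add(), sanitize() and getFilters(); a stub with that shape is declared only when the Phalcon extension is absent, so the file also runs on plain PHP. The class name StrictFilter, the behaviour on unknown filter names and the sample input values are this example's own choices. It reimplements the built-in filters from the table above, registers a closure filter as in the custom-filter section, and shows the distinction a practitioner needs to keep in mind: sanitizing strips characters, it does not validate the result.

```php
<?php
// Added example, not Phalcon's own code: a drop-in filtering service.
// Assumption: Phalcon\FilterInterface declares add(), sanitize() and getFilters().
// The stub below is declared only when the extension is not loaded.
namespace Phalcon {
    if (!interface_exists('Phalcon\FilterInterface', false)) {
        interface FilterInterface
        {
            public function add($name, $handler);
            public function sanitize($value, $filters);
            public function getFilters();
        }
    }
}

namespace App {
    class StrictFilter implements \Phalcon\FilterInterface
    {
        // name => closure, or object exposing filter($value), registered via add()
        private $filters = array();

        public function add($name, $handler)
        {
            $isObjectFilter = is_object($handler) && method_exists($handler, 'filter');
            if (!is_callable($handler) && !$isObjectFilter) {
                throw new \InvalidArgumentException("Filter '$name' must be callable or expose filter()");
            }
            $this->filters[$name] = $handler;
            return $this;
        }

        public function getFilters()
        {
            return $this->filters;
        }

        // Accepts one filter name or an array of names, applied left to right
        public function sanitize($value, $filters)
        {
            foreach ((array) $filters as $name) {
                $value = $this->applyOne($value, $name);
            }
            return $value;
        }

        private function applyOne($value, $name)
        {
            if (isset($this->filters[$name])) {
                $handler = $this->filters[$name];
                return is_callable($handler) ? call_user_func($handler, $value) : $handler->filter($value);
            }
            // Built-in filters, matching the descriptions in the table above
            switch ($name) {
                case 'string':
                case 'striptags': return strip_tags($value);
                case 'email':     return filter_var($value, FILTER_SANITIZE_EMAIL);
                case 'int':       return filter_var($value, FILTER_SANITIZE_NUMBER_INT);
                case 'float':     return filter_var($value, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);
                case 'alphanum':  return preg_replace('/[^A-Za-z0-9]/', '', $value);
                case 'trim':      return trim($value);
                case 'lower':     return strtolower($value);
                case 'upper':     return strtoupper($value);
            }
            // Fail closed: a mistyped filter name must not let raw input through
            throw new \InvalidArgumentException("Unknown filter: $name");
        }
    }
}

namespace {
    $filter = new \App\StrictFilter();

    // A custom closure filter registers exactly as in the anonymous-function example above
    $filter->add('md5', function ($value) {
        return preg_replace('/[^0-9a-f]/', '', strtolower($value));
    });

    // Constructed input: sanitizing drops the '!' and the letter, leaving digits only,
    // but that alone does not prove the value is a usable integer, so validate it too.
    $id = $filter->sanitize('!100a019', 'int');
    $idIsValid = filter_var($id, FILTER_VALIDATE_INT) !== false;

    // Filters chain: strip tags, then trim, then lowercase (constructed input)
    $name = $filter->sanitize(' <b>Alice</b> ', array('striptags', 'trim', 'lower'));

    // A typo in a filter name raises an error instead of silently passing the input through
    $err = null;
    try {
        $filter->sanitize('<script>', 'stirptags');
    } catch (\InvalidArgumentException $e) {
        $err = $e->getMessage();
    }

    var_dump($id, $idIsValid, $name, $err);
}
```

To have controllers pick the service up as `$this->filter` (as in the action example above), register it in the dependency injector under the name `filter`; with Phalcon's DI container that is the `set('filter', ...)` call, which this example assumes rather than demonstrates. The fail-closed choice is deliberate: in a filter layer, an unrecognized name that quietly returns the raw value is the kind of defect that only shows up once untrusted input reaches a query.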
.. _Data Filtering at PHP Documentation: http://www.php.net/manual/en/book.filter.php
.. _strip_tags: http://www.php.net/manual/en/function.strip-tags.php
.. _trim: http://www.php.net/manual/en/function.trim.php
.. _strtolower: http://www.php.net/manual/en/function.strtolower.php
.. _strtoupper: http://www.php.net/manual/en/function.strtoupper.php