Table Of Contents

Previous topic

把数据存储到Session(Storing data in Session)

Next topic

Reading Configuration

This Page

Filtering and Sanitizing

对用户输入的数据进行过滤/消毒是软件开发的重要组成部分。过分信任或忽略过滤用户输入,可能导致用户访问到未经授权的页面,主要是用户数据,甚至是你应用程序的服务器托管的所有内容。

../_images/sql.png

Full image (from xkcd)

Phalcon\Filter 组件提供了一组常用的用于过滤以及处理用户输入数据的助手工具。它提供了一种面像对象的方式来包装PHP filter扩展。

Sanitizing data

Sanitizing 处理从字符串中移除指定字符,这并不是必须的,需要开发者明确指定。sanitizing后的用户输入数据,能确保应用程序的完整和安全。

<?php

$filter = new \Phalcon\Filter();

// returns "someone@example.com"
$filter->sanitize("some(one)@exa\mple.com", "email");

// returns "hello"
$filter->sanitize("hello<<", "string");

// returns "100019"
$filter->sanitize("!100a019", "int");

// returns "100019.01"
$filter->sanitize("!100a019.01a", "float");

Sanitizing from Controllers

你可以在控制器中访问 Phalcon\Filter 对象,当需要访问GET或POST输入数据时(通过request对象)。第一个参数是变量的名称,第二个参数是filter类型。

<?php

class ProductsController extends \Phalcon\Mvc\Controller
{

    public function indexAction()
    {

    }

    public function saveAction()
    {

        // Sanitizing price from input
        $price = $this->request->getPost("price", "double");

        // Sanitizing email from input
        $email = $this->request->getPost("customerEmail", "email");

    }

}

Filtering Action Parameters

下面的示例将向你展示如何在controller/action中 sanitize Action的参数:

<?php

class ProductsController extends \Phalcon\Mvc\Controller
{

    public function indexAction()
    {

    }

    public function showAction($productId)
    {
        $productId = $this->filter->sanitize($productId, "int");
    }

}

Filtering data

除了sanitizing功能,Phalcon\Filter 还提供了删除或修改输入数据的过滤功能,以生成我们想要的数据。

<?php

$filter = new \Phalcon\Filter();

// returns "Hello"
$filter->filter("<h1>Hello</h1>", "striptags");

// returns "Hello"
$filter->filter("  Hello   ", "trim");

Filters内置类型

The following are the built-in filters provided by this component:

Name Description
string Strip tags
email Remove all characters except letters, digits and !#$%&*+-/=?^_`{|}~@.[].
int Remove all characters except digits, plus and minus sign.
float Remove all characters except digits, dot, plus and minus sign.
alphanum Remove all characters except [a-zA-Z0-9]
striptags Applies the strip_tags function
trim Applies the trim function
lower Applies the strtolower function
upper Applies the strtoupper function

自定义Filters

你可以创建自定义过滤器添加到 Phalcon\Filter。过滤函数可以使用匿名函数的形式:

<?php

$filter = new \Phalcon\Filter();

//Using an anonymous function
$filter->add('md5', function($value) {
    return preg_replace('/[^0-9a-f]/', '', $value);
});

//Sanitize with the "md5" filter
$filtered = $filter->sanitize($possibleMd5, "md5");

或者,如果你愿意,你也可以实现一个过滤器类:

<?php

class IPv4Filter
{

    public function filter($value)
    {
        return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    }

}

$filter = new \Phalcon\Filter();

//Using an object
$filter->add('ipv4', new IPv4Filter());

//Sanitize with the "ipv4" filter
$filteredIp = $filter->sanitize("127.0.0.1", "ipv4");

Complex Sanitizing and Filtering

PHP本身也提供了一个极好的filter扩展,查阅文档:Data Filtering at PHP Documentation

Implementing your own Filter

The Phalcon\FilterInterface interface must be implemented to create your own filtering service replacing the one providing by Phalcon.