Translated by Sissi Zeng

Input Validation Using Filter Functions

I'd like to start off this article by thanking you for making it even this far. I'm fully aware that "Input Validation Using Filter Functions" isn't exactly the sexiest article title in the world!

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly.

In this article I'll explain why input validation is important, why using PHP's built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action. Sound good? Let's go!

Why Input Validation is Important

Input validation is one of the most important things you can do to ensure code security, because input is often the one thing about your application you cannot directly control. Because you cannot control it, you cannot trust it.

Unfortunately, as programmers we often write things thinking only of how we want them to work. We don't consider how someone else might want to make them work, whether out of curiosity, ignorance, or malice.

I am not going to go into too much detail about the trouble you can get into if you do not validate user input; there's a really good article on this very site called PHP Security: Cross-Site Scripting Attacks if you want to read up on it. But I will say that validating your input is the first step to ensuring that the code you have written will be executed as intended.

Maybe you are coming to PHP from another language and you might be thinking, "this was never an issue before, so why should I care?" The reason validation is an issue is that PHP is loosely typed. This makes PHP great for some things, but it can make things like data validation a little bit trickier, because you can pretty much pass anything to anything.

Why Using Built-in Methods is Important

In order to make validation a little bit easier, from PHP 5.2.0 onward we can use the filter_input() and filter_var() functions. I'll talk about them in more detail soon, but first I want to talk about why we should be using PHP-provided functionality instead of relying on our own methods or third-party tools.

When you roll your own validation methods, you generally fall into the same trap that you can fall into when designing other functionality: you think about the edge cases you want to think about, not necessarily all of the different vectors that could be used to disguise certain input. Another issue is that, if you are anything like me, the first 10 minutes of any code review dealing with hand-rolled validation code is spent tutting because the programmer didn't do exactly what you would have done. This can lead to programmers spending more time learning the codebase and reading internal documentation that could instead be spent coding.

Some people don't roll their own, but instead opt for a third-party solution. There are some good ones out there, and in the past I have used OWASP ESAPI for some extra validation. These are better than hand-rolled solutions because more eyes have looked over them, but then you have the issue of introducing third-party code into your project. Again, this increases time spent learning a codebase and reading additional documentation instead of coding.

For these reasons, using native functions is better; moreover, because such functions are baked into the language, we have one place to go for all PHP documentation. New developers will have a greater chance of knowing what the code is and how best to use it. It will be easier to support as a result.

Hopefully by now I have you convinced that validation is important, and that it would be a good idea to use PHP functions to help you achieve your validation needs. If you are not convinced, leave a comment and let's discuss it.

Some Examples

The filter_input() function was introduced in PHP 5.2.0 and allows you to get an external variable by name and filter it. This is incredibly useful when dealing with $_GET and $_POST data.

Let's take as an example a simple page that reads a value passed in from the URL and handles it. We know this value should be an integer between 15 and 20. One way of doing this would be something like (the listing is reconstructed from the description below; the extraction had dropped every line containing angle brackets):

    <?php
    if (isset($_GET['value'])) {
        $value = $_GET['value'];
    }
    else {
        $value = false;
    }
    if (is_numeric($value) && ($value >= 15 && $value <= 20)) {
        // run my code
    }
    else {
        // handle the issue
    }

This is a really basic example and already we are writing more lines than I would like to see.

First, because we can't be sure $_GET['value'] is set, the code performs an appropriate check so that the script doesn't fall over.

Next is the fact that $value is now a "dirty" variable because it has been directly assigned from a $_GET value. We would need to take care not to use $value anywhere else in the code in case we break anything.

Then there is the issue that 16.0 is valid because is_numeric() okays it.

And finally, we have an issue with the fact that the if statement is a bit of a mouthful to take in and is an extra bit of logic to work through when you are tracing through the code.

Compare the above example now to this (again reconstructed; only the options array and the if/else survived the extraction):

    <?php
    $value = filter_input(INPUT_GET, 'value', FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 15, 'max_range' => 20)));
    if ($value) {
        // run my code
    }
    else {
        // handle the issue
    }

Doesn't that make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you don't have to stress over whether the script is receiving the correct information or not.

You also don't have to worry about $value being dirty, because it has been validated before it has been assigned.

Note that 16.0 is no longer valid.

And finally, our logic is no longer complicated. It's just a quick check for a truthy value (filter_input() will return false if the validation fails and null if $_GET['value'] wasn't set).

Obviously in a real-world setting you could extract the array out into a variable stored in a configuration file somewhere, so things can get changed without even needing to go into business logic. Gorgeous!

Now you might be thinking that this might be useful for simple scripts that grab a couple of $_GET or $_POST variables, but what about for use inside of functions or classes? Luckily we have filter_var() for that.

The filter_var() function was introduced at the same time as filter_input() and does much the same thing.

    <?php
    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        mail($email, 'Here is my email', 'Some Content');
    }

The danger here is that there is nothing to stop the mail() function from attempting to send an email to literally any value that could be stored in $email. This could lead to emails not getting sent, or, in a worst-case scenario, something getting in that can potentially use the function for malicious intent.

I have seen people do a check on the result of mail(), which is fine to see if the function completed successfully, but by the time a value is returned the damage is done.

Something like this is much more sane:

    <?php
    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        $email = filter_var($email, FILTER_VALIDATE_EMAIL);
        if ($email != false) {
            mail($email, 'Here is my email', 'Some Content');
        }
        else {
            // handle the issue - invalid email address
        }
    }

The problem with a lot of examples, the above included, is that they are basic. You might be thinking that filter_var() or filter_input() can't be used for anything other than basic checking. The fine folks who introduced these functions considered that and allow you to pass in a filter to these functions called FILTER_CALLBACK.

FILTER_CALLBACK allows you to pass in a function you have created that will accept as its input the variable being filtered. This is where you can start to have a lot of fun, because you can start applying your own business logic to your filtering.

Some Potential Pitfalls

These functions are pretty great, and they allow you to do some really powerful filtering, which as we have discussed can help improve the security and reliability of your code. There are some potential drawbacks, however, and I would feel that I was remiss if I didn't point them out.

The main pitfall is that the functions are only as good as the filter you apply to them. Take the last example using email validation: how FILTER_VALIDATE_EMAIL handles email addresses has changed between 5.2.14 and 5.3.3, and even assuming all your applications run on the same version of PHP, there are email addresses that are technically valid that you might not expect. Be sure you know about the filters you are using.

The second pitfall is that people think that if they put in some filters then their code is secure. Filtering your variables goes some way to helping, but it doesn't make your code 100% safe from abuse. I would love to talk more about this, but that is out of the scope of this article and my word count is already pretty high!

Conclusion

Hopefully you have found this introduction to input validation in PHP useful. And now, time for a call to action!

I want you to take one function in your code, just one, and see what happens to it when you pass in different data types and different values. Then I want you to apply some of the filtering methods discussed here and see if there is a difference in how your code performs. I would love to know how you got on in the comments.
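The following is an added example, not code from the article or its translator, showing the two points the article raises about FILTER_CALLBACK and truthy checks: a business rule layered on top of FILTER_VALIDATE_INT, and the three outcomes (value, false, null) kept apart with strict comparisons. The function and constant names are hypothetical.

```php
<?php
// Added example, not code from the article: layering a business rule on
// top of FILTER_VALIDATE_INT with FILTER_CALLBACK, and telling "missing"
// apart from "invalid" with strict comparisons. Names are hypothetical.
const PACK_SIZE = 6;  // business rule: quantities are sold in packs of 6

// FILTER_CALLBACK hands the raw value to this function; returning false
// makes the whole filter_var() call fail, anything else is the result.
function wholePacksOnly($qty)
{
    return ($qty % PACK_SIZE === 0) ? (int) $qty : false;
}

// Returns the validated integer, false when the value is rejected, or
// null when the key is absent (the same three outcomes filter_input() gives).
function validateQuantity(array $source)
{
    if (!array_key_exists('quantity', $source)) {
        return null;
    }
    $qty = filter_var($source['quantity'], FILTER_VALIDATE_INT, array(
        'options' => array('min_range' => 12, 'max_range' => 120),
    ));
    if ($qty === false) {
        return false;  // not an integer ("16.0" fails here) or out of range
    }
    return filter_var($qty, FILTER_CALLBACK, array('options' => 'wholePacksOnly'));
}

// Constructed sample inputs standing in for $_GET.
$samples = array(
    array('quantity' => '18'),    // ok: in range and three whole packs
    array('quantity' => '16'),    // rejected by the callback: not a multiple of 6
    array('quantity' => '16.0'),  // rejected by FILTER_VALIDATE_INT
    array('quantity' => '600'),   // rejected: above max_range
    array(),                      // key missing entirely -> null
);

foreach ($samples as $input) {
    $result = validateQuantity($input);
    // Compare with === rather than if ($result): a valid 0 would be falsy too.
    if ($result === null) {
        echo "quantity missing\n";
    } elseif ($result === false) {
        echo "quantity rejected\n";
    } else {
        echo "quantity ok: $result\n";
    }
}
```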
Input Validation Using Filter Functions

Before starting this article, I want to thank you, even if you have only glanced at the title, because I am fully aware that "Input Validation Using Filter Functions" is not the sexiest article title in the world!

PHP's filter functions may not be that attractive, but if you learn how to use them correctly they can improve the stability, security, and even the maintainability of your code.

In this article I will explain why input validation is so important, and why using PHP's built-in functions to perform input validation is so important. Then I will give some examples (namely using the two functions filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, lively call to action. Sounds good? Let's get going!

Why Input Validation Is So Important

To ensure the security of your code, one of the most important things you can do is input validation, because input is something that happens to your application all the time yet you cannot directly control it. Because you cannot control it, you cannot trust it either.

Unfortunately, as programmers we often write programs thinking only of how we want them to work. We do not consider how someone else might want to make the program work the way they want, whether out of curiosity, ignorance or malice.

I am not going to go into the details of the problems you run into by not validating user input. If you want to read about it, there is a very good article on a site called "PHP Security": Cross-Site Scripting Attacks. But I will say that validating your input is the first step to ensuring that the code you have written will execute as expected.

Maybe you have come to PHP from another language and may be thinking, "this was never a problem before, so why should I care?" The reason validation is a problem is that PHP is weakly typed. This makes PHP very powerful for some things, but it can make things like data validation a little troublesome, because you can pass almost any data into any kind of variable.

Why Using Built-in Methods Is Important

To try to make validation a little easier, from PHP 5.2.0 on we can now use the two functions filter_input() and filter_var(). I will explain these two functions in more detail shortly, but first I want to talk about why we should use the functionality PHP provides rather than rely on our own methods or third-party tools.

When you use your own validation methods, you usually fall into the same trap you meet when designing other functionality: you think about the edge cases you want to think about, and not necessarily about all the different vectors that disguise certain input. Another problem is that, if you are anything like me, the first 10 minutes of any code review are spent on hand-rolled validation code, because the programmer did not do it the way you would have. This can lead to programmers spending more time learning the codebase and reading internal documents that could otherwise have been spent coding.

Some people do not use their own validation methods but instead choose a third-party solution, and some of these are good. In the past I have also used OWASP's ESAPI for some extra validation. These are perhaps better than hand-rolled solutions, because more eyes are watching over them to guard against mistakes, but your project then also gains the problems that come with introducing third-party code. Again, this increases the time spent learning a codebase and reading other documents rather than coding.

For these reasons, using native functionality is better; moreover, because this functionality is integrated into the language, it means we have one place to go for all PHP documentation. New developers will have a better chance of knowing what the code is and how best to use it. As a result, it is easier to support.

I hope by now I have convinced you that validation is very important and that using PHP functions to help you meet your validation needs is a good idea. If you are not convinced, post a comment and let's discuss it.

Some Examples

The filter_input() function was introduced in PHP 5.2.0 and lets you get an external variable by name and filter it. This is very useful when handling $_GET and $_POST data.

Let's look at a simple page as an example. It reads a value from the page, passes it to the URL, and then processes it. We know this value should be an integer between 15 and 20. One way of doing this could be (the listing is reconstructed from the description below; the extraction had dropped every line containing angle brackets):

    <?php
    if (isset($_GET['value'])) {
        $value = $_GET['value'];
    }
    else {
        $value = false;
    }
    if (is_numeric($value) && ($value >= 15 && $value <= 20)) {
        // run my code
    }
    else {
        // handle the issue
    }

This is a very basic example, and we are already writing more lines than I would like to see.

First, because we cannot be sure $_GET has been assigned, the code performs an appropriate check so the script does not fail.

Second, $value is now a "dirty" variable, because it has been directly assigned a value from $_GET. We need to take care not to use $value elsewhere in the code, in case we break something else.

Another problem is that 16.0 is validated as legal, because the value returned through is_numeric() is valid.

Finally, we have the problem that the if statement really is a bit of a mouthful, and while tracing the code you find there is still extra logic that has to be done.

Now compare with the example above (again reconstructed; only the options array and the if/else survived the extraction):

    <?php
    $value = filter_input(INPUT_GET, 'value', FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 15, 'max_range' => 20)));
    if ($value) {
        // run my code
    }
    else {
        // handle the issue
    }

Doesn't this make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you do not have to stress about whether the script received the correct information.

You also do not have to worry about dirty data in $value, because it was validated before it was assigned.

Note that the value 16.0 is now no longer legal.

Finally, our logic is no longer complicated. It is just a quick check for a truthy value (if validation fails, filter_input() returns false; if $_GET["value"] is not set, it returns null).

Obviously, in a real-world setting you could extract the array into a variable stored in a configuration file somewhere, so that values can easily be changed without even touching the business logic. Gorgeous!

Now you might be thinking this is only useful for simple scripts that fetch a pair of $_GET or $_POST values, but what about use inside functions or classes? Luckily we have filter_var().

The filter_var() function was introduced into the language together with filter_input() and does the same thing.

    <?php
    // This is a sample function, do not