Php 简明教程
PHP - Sanitize Input
在 PHP 中,重要的是要确保在服务器端代码处理输入数据之前,通过删除任何不需要的字符来正确清理输入数据。通常,用户通过 HTML 表单向 PHP Web 应用程序输入其数据。如果表单数据包含任何不需要的字符,可能会造成损害,因此必须执行适当的清理操作。
In PHP, it is important to ensure that the input data is sanitized properly by removed any undesired characters before it is processed by the server side code. Usually, the users input their data to a PHP web application through a HTML form. If the form data consists of any undesired characters, it may prove to be harmful, hence an appropriate cleansing operation must be performed.
输入清理可以使用 PHP 中以下一个或多个函数的帮助进行。
Input sanitization can be done with the help of one or more of the following functions in PHP.
The htmlspecialchars() Function
此函数将特殊字符转换为 HTML 实体。
This function converts special characters to HTML entities.
htmlspecialchars(
string $string,
int $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401,
?string $encoding = null,
bool $double_encode = true
): string在 HTML 中,某些字符有着特殊的意义。这个 htmlspecialchars() 函数用于对 HTML 实体中的特殊字符进行编码。当您希望将用户输入显示为 HTML 时,这将非常有用,而且希望防止脚本注入攻击。
In HTML, certain characters have special significance. This htmlspecialchars() function is used to encode special characters in HTML entities. This is useful when you want to display user input as HTML and want to prevent script injection attacks.
以下 special characters 按下述所示方式翻译 −
The following special characters are translated as shown −
Character |
Replaced by |
& (ampersand) |
& |
" (double quote) |
", unless ENT_NOQUOTES is set |
' (single quote) |
' (for ENT_HTML401) or ' (for ENT_XML1, ENT_XHTML or ENT_HTML5), but only when ENT_QUOTES is set |
< (less than) |
< |
> (greater than) |
> |
Flag Constants
flags 参数是一个或多个以下标志的位掩码,它们指定如何处理引号、无效的代码单元序列和使用的文档类型。
The flags parameter is a bitmask of one or more of the following flags, which specify how to handle quotes, invalid code unit sequences and the used document type.
Sr.No |
Constant & Description |
1 |
ENT_COMPAT Will convert double-quotes and leave single-quotes alone. |
2 |
ENT_QUOTES Will convert both double and single quotes. |
3 |
ENT_NOQUOTES Will leave both double and single quotes unconverted. |
4 |
ENT_IGNORE discard invalid code unit sequences instead of returning an empty string. |
5 |
ENT_SUBSTITUTE Replace invalid code unit sequences with a Unicode Replacement Character U+FFFD (UTF-8) or � |
6 |
ENT_DISALLOWED Replace invalid code points for the given document type with a Unicode Replacement Character U+FFFD (UTF-8) or � (otherwise) instead of leaving them as is. This may be useful. |
7 |
ENT_HTML401 Handle code as HTML 4.01. |
8 |
ENT_XML1 Handle code as XML 1. |
9 |
ENT_XHTML Handle code as XHTML. |
10 |
ENT_HTML5 Handle code as HTML 5. |
The strip_tags() Function
strip_tags() 函数从给定的字符串中删除所有 HTML 和 PHP 标记。
The strip_tags() function removes all the HTML and PHP tags from a given string.
strip_tags(string $string, array|string|null $allowed_tags = null): string当您希望确保用户输入不包含任何潜在的恶意标记时,这个函数非常有用。
This function is very useful when you want ensure that the user input doesn’t contain any potentially malicious tags.
allowed_tags 参数是一个可选的第二个参数,用于指定不应删除的标记。这些标记可以以字符串的形式给出,也可以作为数组给出。
The allowed_tags parameter is an optional second parameter to specify tags which should not be stripped. These are either given as string, or as an array.
Example
请看以下示例:
Take a look at the following example −
<?php
$text = '<p>Hello World</p><!-- Comment -->
<a href="/test.html">Click Here</a>';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>它将生成以下 output −
It will produce the following output −
Hello World
Click Here
Hello World
Click HereThe addslashes() Function
addslashes() 函数向字符串添加反斜杠。
The addslashes() function adds backslashes to a string.
addslashes(string $string): string此函数返回一个字符串,在需要转义的字符前面添加反斜杠。这些字符为 −
The function returns a string with backslashes added before characters that need to be escaped. These characters are −
-
Single Quote (')
-
Double Quote (")
-
Backslash (\)
-
NUL (The NUL Byte)
在向数据库中存储用户输入且希望防止 SQL 注入攻击时,请使用此函数。
Use this function when you are storing user input in a database and want to prevent SQL injection attacks.
The filter_var() Function
借助特定的过滤器标记,可以使用 filter_var() 函数来净化用户输入。
With the help of a specific filter flag, you can use filter_var() function to sanitize user input.
filter_var(mixed $value, int $filter =
FILTER_DEFAULT, array|int $options = 0): mixed$value 参数是要净化其值的一个变量。$filter 参数是任何预定义的过滤器常量。
The $value parameter is a variable whose value needs to be sanitized. The $filter parameter is any of the predefined filter constants.
Sr.No |
ID & Description |
1 |
FILTER_SANITIZE_EMAIL Remove all characters except letters, digits and !#$%&'*+-=?^_`{ |
}~@.[]. |
2 |
FILTER_SANITIZE_ENCODED URL-encode string, optionally strip or encode special characters. |
3 |
FILTER_SANITIZE_ADD_SLASHES Apply addslashes(). (Available as of PHP 7.3.0). |
4 |
FILTER_SANITIZE_NUMBER_FLOAT Remove all characters except digits, +- and optionally .,eE. |
5 |
FILTER_SANITIZE_NUMBER_INT Remove all characters except digits, plus and minus sign. |
6 |
FILTER_SANITIZE_SPECIAL_CHARS HTML-encode '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters. |
7 |
FILTER_SANITIZE_FULL_SPECIAL_CHARS Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ ENCODE_QUOTES. |
8 |
FILTER_SANITIZE_URL Remove all characters except letters, digits and $-_.+!*'(),{} |
\\^~[]`<>#%";/?:@&=. |
9 |
FILTER_UNSAFE_RAW |