示例 #1 清理和验证电子邮件地址
<?php
$a = '[email protected]';
$b = 'bogus - at - example dot org';
$c = '([email protected])';
$sanitized_a = filter_var($a, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_a, FILTER_VALIDATE_EMAIL)) {
echo "This (a) sanitized email address is considered valid.\n";
}
$sanitized_b = filter_var($b, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_b, FILTER_VALIDATE_EMAIL)) {
echo "This sanitized email address is considered valid.";
} else {
echo "This (b) sanitized email address is considered invalid.\n";
}
$sanitized_c = filter_var($c, FILTER_SANITIZE_EMAIL);
if (filter_var($sanitized_c, FILTER_VALIDATE_EMAIL)) {
echo "This (c) sanitized email address is considered valid.\n";
echo "Before: $c\n";
echo "After: $sanitized_c\n";
}
?>以上示例将输出
This (a) sanitized email address is considered valid. This (b) sanitized email address is considered invalid. This (c) sanitized email address is considered valid. Before: ([email protected]) After: [email protected]
示例 #2 配置默认过滤器
filter.default = full_special_chars
filter.default_flags = 0如果我们省略使用过滤器,则 PHP 默认情况下会使用过滤器 FILTER_DEFAULT,它将使用默认过滤器。 现在问题是默认过滤器是什么。 默认过滤器是 unsafe_raw,它将允许不安全原始数据传递到服务器。 此值在 php.ini 文件中可用。 建议开发人员在 php.ini 文件中更新此值,如下所示
filter.default = full_special_chars
filter.default_flags = 0
而在 php.ini 文件中,上面的值默认情况下设置为以下内容
;filter.default = unsafe_raw
;filter.default_flags =
上面的分号是注释掉的代码行,因此您需要删除这些分号以应用所做的更改。 如果我们不做以上事情,会发生什么? 在这种情况下,PHP 将使用默认过滤器,它将肯定是 FILTER_UNSAFE_RAW,您可以看到不安全的原始数据可以传递到服务器,这将使黑客更容易入侵。