PHP文献译文[原创].docx (PHP literature translation [original])
Translated by Sissi Zeng

Input Validation Using Filter Functions

I'd like to start off this article by thanking you for making it even this far. I'm fully aware that "Input Validation Using Filter Functions" isn't exactly the sexiest article title in the world!

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly.

In this article I'll explain why input validation is important, why using PHP's built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action. Sound good? Let's go!

Why Input Validation is Important

Input validation is one of the most important things you can do to ensure code security, because input is often the one thing about your application you cannot directly control. Because you cannot control it, you cannot trust it.

Unfortunately, as programmers we often write things thinking only of how we want them to work. We don't consider how someone else might want to make them work, whether out of curiosity, ignorance, or malice.

I am not going to go into too much detail about the trouble you can get into if you do not validate user input; there's a really good article on this very site called PHP Security: Cross-Site Scripting Attacks if you want to read up on it. But I will say that validating your input is the first step to ensuring that the code you have written will be executed as intended.

Maybe you are coming to PHP from another language and you might be thinking, "this was never an issue before, so why should I care?" The reason validation is an issue is that PHP is loosely typed. This makes PHP great for some things, but it can make things like data validation a little bit trickier, because you can pretty much pass anything to anything.

Why Using Built-in Methods is Important

In order to try and make validation a little bit easier, from PHP 5.2.0 onward we can use the filter_input() and filter_var() functions. I'll talk about them in more detail soon, but first I want to talk about why we should be using PHP-provided functionality instead of relying on our own methods or third-party tools.

When you roll your own validation methods, you generally fall into the same trap that you can fall into when designing other functionality: you think about the edge cases you want to think about, not necessarily all of the different vectors that could be used to disguise certain input. Another issue is, if you are anything like me, the first 10 minutes of any code review dealing with hand-rolled validation code is spent tutting because the programmer didn't do exactly what you would have done. This can lead to programmers spending more time learning the codebase and reading internal documentation that could instead be spent coding.

Some people don't roll their own, but instead opt for a third-party solution. There are some good ones out there, and in the past I have used OWASP ESAPI for some extra validation. These are perhaps better than the hand-rolled solutions because more eyes have looked over them, but then you have the issue of introducing third-party code into your project. Again, this increases time spent learning a codebase and reading additional documentation instead of coding.

For these reasons, using native functions is better; moreover, because such functions are baked into the language, we have one place to go for all PHP documentation. New developers will have a greater chance of knowing what the code is and how best to use it.
It will be easier to support as a result of this.

Hopefully by now I have you convinced that validation is important, and that it would be a good idea to use PHP functions to help you achieve your validation needs. If you are not convinced, leave a comment and let's discuss it.

Some Examples

The filter_input() function was introduced in PHP 5.2.0 and allows you to get an external variable by name and filter it. This is incredibly useful when dealing with $_GET and $_POST data.

Let's take as an example a simple page that reads a value passed in from the URL and handles it. We know this value should be an integer between 15 and 20. One way of doing this would be something like:

    <?php
    // Guard against the parameter not being in the request at all
    if (isset($_GET["value"])) {
        $value = $_GET["value"];
    }
    else {
        $value = false;
    }
    // Check that it is numeric and inside the expected range
    if (is_numeric($value) && $value >= 15 && $value <= 20) {
        // run my code
    }
    else {
        // handle the issue
    }

This is a really basic example and already we are writing more lines than I would like to see.

First, because we can't be sure $_GET is set, the code performs an appropriate check so that the script doesn't fall over.

Next is the fact that $value is now a "dirty" variable because it has been directly assigned from a $_GET value. We would need to take care not to use $value anywhere else in the code in case we break anything.

Then there is the issue that 16.0 is valid because is_numeric() okays it.

And finally, we have an issue with the fact that the if statement is a bit of a mouthful to take in and is an extra bit of logic to work through when you are tracing through the code.

Compare the above example now to this:

    <?php
    // Fetch, type-check and range-check the parameter in one call
    $value = filter_input(INPUT_GET, "value", FILTER_VALIDATE_INT,
        array("options" => array("min_range" => 15, "max_range" => 20)));
    if ($value) {
        // run my code
    }
    else {
        // handle the issue
    }

Doesn't that make you feel warm and fuzzy?

filter_input() handles the $_GET value not being set, so you don't have to stress over whether the script is receiving the correct information or not.

You also don't have to worry about $value being dirty, because it has been validated before it has been assigned.

Note now that 16.0 is no longer valid.

And finally, our logic is no longer complicated. It's just a quick check for a truthy value (filter_input() will return false if the validation fails and null if $_GET["value"] wasn't set).

Obviously in a real world setting you could extract the array out into a variable stored in a configuration file somewhere, so things can get changed without even needing to go into business logic. Gorgeous!

Now you might be thinking that this might be useful for simple scripts that grab a couple of $_GET or $_POST variables, but what about for use inside of functions or classes? Luckily we have filter_var() for that.

The filter_var() function was introduced at the same time as filter_input() and does much the same thing.

    <?php
    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        mail($email, "Here is my email", "Some Content");
    }

The danger here is that there is nothing to stop the mail() function from attempting to send an email to literally any value that could be stored in $email. This could lead to emails not getting sent, or, in a worst case scenario, something getting in that can potentially use the function for malicious intent.

I have seen people do a check on the result of mail(), which is fine to see if the function completed successfully, but by the time a value is returned the damage is done.

Something like this is much more sane:

    <?php
    // This is a sample function, do not use this to actually email,
    // that would be silly.
    function emailUser($email) {
        // Validate before the value is assigned, so $email is never "dirty"
        $email = filter_var($email, FILTER_VALIDATE_EMAIL);
        if ($email !== false) {
            mail($email, "Here is my email", "Some Content");
        }
        else {
            // handle the issue: invalid email address
        }
    }

The problem with a lot of examples, the above included, is that they are basic. You might be thinking that filter_var() or filter_input() can't be used for anything other than basic checking.
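The three outcomes the text describes for the range check (a validated integer, false for a present but invalid value, null for a missing one) are easiest to see over a constructed input array. The following is an added example, not code from the original article: the $request array, readRange() and isValidQuantity() are my own, and it uses filter_var() rather than filter_input() because filter_input() reads the request PHP actually received and cannot be fed values from inside a script. It goes slightly beyond the article's case by showing what the truthy shortcut does once 0 is a legitimate value.

```php
<?php
// Added example, not code from the original article. It reproduces the
// article's filter_input() range check with filter_var() over a constructed
// array, since filter_input() only sees the real incoming request.

// Constructed stand-in for $_GET; none of these are real request values.
$request = [
    'exact'   => '16',
    'float'   => '16.0',   // is_numeric() accepts this; FILTER_VALIDATE_INT does not
    'padded'  => ' 16 ',   // the int filter trims surrounding whitespace first
    'suffix'  => '16abc',
    'too_big' => '21',
    'zero'    => '0',
    'list'    => ['16'],   // an array where a scalar is expected
];

// Hypothetical helper giving the same three outcomes the article describes
// for filter_input(): the validated int, false when the value is present but
// invalid, or null when the key is missing altogether.
function readRange(array $source, string $key, int $min, int $max)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    return filter_var($source[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
}

// Caveat on the article's `if ($value)` shortcut: it is fine for 15..20, but
// as soon as 0 is a legitimate value a truthy check throws valid input away.
// Comparing against false (and null, for filter_input()) works for any range.
function isValidQuantity($raw): bool
{
    $quantity = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 99],
    ]);
    return $quantity !== false;
}

foreach (array_merge(array_keys($request), ['missing']) as $key) {
    printf("%-8s => %s\n", $key, var_export(readRange($request, $key, 15, 20), true));
}
printf("quantity '0' truthy check: %s, explicit check: %s\n",
    var_export((bool) filter_var('0', FILTER_VALIDATE_INT), true),
    var_export(isValidQuantity('0'), true));
```

Run as a plain script: 'exact' and 'padded' come back as the integer 16, 'float', 'suffix', 'too_big', 'zero' and 'list' come back as false, and 'missing' as null. For the quantity case, '0' validates to the integer 0, which the truthy check reports as false while the explicit comparison reports as valid; that is why the explicit form is the one to reach for when a range includes 0.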
The fine folks who introduced these functions considered that, and allow you to pass a filter called FILTER_CALLBACK to these functions. FILTER_CALLBACK lets you pass in a function you have created that will accept the variable being filtered as its input; this is where you can start to have a lot of fun, because you can start applying your own business logic to your filtering.

Some Potential Pitfalls

These functions are pretty great, and they allow you to do some really powerful filtering, which as we have discussed can help improve the security and reliability of your code. There are some potential drawbacks, however, and I would feel that I was remiss if I didn't point them out.

The main pitfall is that the functions are only as good as the filter you apply to them. Take the last example using email validation: how FILTER_VALIDATE_EMAIL handles email addresses has changed between 5.2.14 and 5.3.3, and even assuming all your applications run on the same version of PHP, there are email addresses that are technically valid that you might not expect. Be sure you know about the filters you are using.

The second pitfall is that people think that if they put in some filters then their code is secure. Filtering your variables goes some way to helping, but it doesn't make your code 100% safe from abuse. I would love to talk more about this, but that is out of the scope of this article and my word count is already pretty high!

Conclusion

Hopefully you have found this introduction to input validation in PHP useful. And now, time for a call to action!

I want you to take one function in your code, just one, and see what happens to it when you pass in different data types and different values. Then I want you to apply some of the filtering methods discussed here and see if there is a difference in how your code performs.
I would love to know how you got on in the comments.
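As a worked version of the call to action above, and of the FILTER_CALLBACK and email-pitfall sections before it, here is an added example that is not from the original article. notifyUser(), notifyUserUnfiltered(), sendMail(), validateCompanyEmail(), ALLOWED_DOMAINS and the $inputs list are all constructed for this example; sendMail() stands in for mail() and sends nothing. The callback layers a business rule (an allowed-domain list) on top of FILTER_VALIDATE_EMAIL, which is the "only as good as the filter you apply" gap the pitfalls section points at: a syntactically valid address at the wrong domain passes the built-in filter and is caught only by your own logic.

```php
<?php
// Added example, not code from the original article. One function is run
// over a range of input types and values, first unfiltered and then
// filtered, as the article's call to action suggests.

// Constructed stand-in for mail(): accepts anything and sends nothing.
function sendMail($to, $subject, $body): bool
{
    return true;
}

// Hypothetical business rule: only addresses at our own domains get mail.
const ALLOWED_DOMAINS = ['example.com', 'example.org'];

// Callback for FILTER_CALLBACK. filter_var() hands the callback a string and
// uses whatever it returns; returning false makes filter_var() return false.
function validateCompanyEmail($value)
{
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $domain = strtolower(substr($email, strrpos($email, '@') + 1));
    return in_array($domain, ALLOWED_DOMAINS, true) ? $email : false;
}

// Before: the address is used as-is, whatever it happens to be.
function notifyUserUnfiltered($email): bool
{
    return sendMail($email, 'Here is my email', 'Some Content');
}

// After: the value is validated before it is assigned, as in the article.
function notifyUser($email): bool
{
    // The callback expects one string, so rule out arrays and objects up front.
    if (!is_scalar($email)) {
        return false;
    }
    $email = filter_var($email, FILTER_CALLBACK, ['options' => 'validateCompanyEmail']);
    if ($email === false) {
        return false; // handle the issue: invalid or disallowed address
    }
    return sendMail($email, 'Here is my email', 'Some Content');
}

// Constructed inputs: different types and values, per the call to action.
$inputs = [
    'plain'        => 'alice@example.com',
    'tagged'       => 'alice+news@example.com',
    'other domain' => 'alice@example.net',         // valid syntax, not our domain
    'multi-line'   => "alice@example.com\nextra",  // no valid address spans lines
    'integer'      => 42,
    'boolean'      => true,
    'array'        => ['alice@example.com'],
    'null'         => null,
];

foreach ($inputs as $label => $value) {
    printf("%-13s unfiltered: %-8s filtered: %s\n", $label,
        notifyUserUnfiltered($value) ? 'sent' : 'rejected',
        notifyUser($value) ? 'sent' : 'rejected');
}
```

The unfiltered function reports "sent" for every row, including the integer, the boolean, the array and null, which is the point of the exercise. The filtered function sends only for 'plain' and 'tagged'; 'other domain' is the instructive row, because FILTER_VALIDATE_EMAIL accepts it and only the allowed-domain rule inside the callback rejects it. The explicit is_scalar() guard is there because the callback receives a string and the function should not rely on the filter to reject non-scalar input on its behalf.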