N久没更新了,随手整理了一些 FIEO的相关用例。
Filter Input/Escape Output (FIEO) 现在成为WEB应用中安全方面最基本的技术。
php5.2.x 中引入了filter功能,收集一些用例
- filter_has_var — Checks if variable of specified type exists
- filter_id — Returns the filter ID belonging to a named filter
- filter_input_array — Gets multiple variables from outside PHP and optionally filters them
- filter_input — Gets variable from outside PHP and optionally filters it
- filter_list — Returns a list of all supported filters
- filter_var_array — Gets multiple variables and optionally filters them
- filter_var — Filters a variable with a specified filter
1:
<?php
$url = 'http://...';
var_dump(filter_var($url, FILTER_VALIDATE_URL));
?>
Will display: string(10) "http://..."
None of the flags help either, so you're better off with regular expressions to validate a url.2:
<?php
$image = basename(filter_input(INPUT_GET, 'src', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW));
// further checks
?>
/script.php?src[0]=foobar will cause a warning. :-(
Hence my recommendation:
<?php
$image = basename(filter_input(INPUT_GET, 'src', FILTER_UNSAFE_RAW, FILTER_REQUIRE_SCALAR | FILTER_FLAG_STRIP_LOW));
// further checks
?>3:
<?php
$value = 'car';
$result = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
?>
In the above $result will equal NULL. Without the extra flag it would equal FALSE, which isn't usually a desired result for this specific filter.4:
filter_input_array() is useless for running multiple filters on the same key.
No way to chain or negate filters.
<?php
/* Merciful comment! */
function FILTER_NEGATE_HACK($_){ return (bool)!$_; }
function client_is_private_ipv4(){
return (filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) &&
FILTER_NEGATE_HACK(filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE));
}
if (! client_is_private_ipv4())
exit('This application is restricted to local network users');
?>5:
Also notice that filter functions are using only the original variable values passed to the script even if you change the value in super global variable ($_GET, $_POST, ...) later in the script.
<?php
echo filter_input(INPUT_GET, 'var'); // print 'something'
echo $_GET['var']; // print 'something'
$_GET['var'] = 'changed';
echo filter_input(INPUT_GET, 'var'); // print 'something'
echo $_GET['var']; // print 'changed'
?>
In fact, external data are duplicated in SAPI before the script is processed and filter functions don't use super globals anymore (as explained in Filter tutorial bellow, section 'How does it work?').6:
Just to note that "server and env support may not work in all sapi, for filter 0.11.0 or php 5.2.0" as mentioned in Filter tutorial bellow.
The workaround is obvious:
Instead of
<?php
$var = filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_DEFAULT);
?>
use
<?php
$var = filter_var(isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : NULL, FILTER_DEFAULT);
?>