Filter input
Filtering input means escaping or deleting characters that are not safe from external data.
External input can be anything: form input data such as $_GET and $_POST, some values in $_SERVER superglobal variables, and HTTP request bodies obtained via fopen('php://input', 'r') . Remember that the definition of external input is not limited to the data submitted by the user through the form. Uploaded and downloaded documents, session values, cookie data, and data from third-party web services are all external inputs.
Be sure to filter the incoming data before it reaches the storage tier (MySQL or Redis). This is the first line of defense.
If someone enters the following in the comment box and submits:
<script>alert("Goocode");</script>Obviously, the malicious tag is added here. If we don't add any processing, the data will go directly into the storage layer, and then the user will output a pop-up warning box when browsing the webpage. So this is why we don't believe in any external input.
So how do you use PHP to process the filtered input data? Here are my suggestions:
1. For content that needs to be output to the page, use the strip_tags() function to remove the HTML tags or use the htmlentities() or htmlspecialchars() functions to escape the special characters to get the respective HTML entities to avoid XSS attacks. For example, filter the script script above:
<?php
$input = '<script>alert("Goocode");</script>';
echo htmlentities($input, ENT_QUOTES, 'utf-8');2. If you need to pass in an option that can be executed on the command line, be careful when calling functions such as exec(). You can use the built-in escapeshellarg() function to filter the parameters of the execution command.
3, through the input data splicing SQL query statement, must pay attention to the use of PDO preprocessing. PDO is PHP's built-in database abstraction layer that uses an interface to represent multiple databases. The PDO preprocessing statement is a tool provided by PDO to filter external data and then embed the filtered data into SQL statements to avoid SQL injection.
4. When receiving external input to load files from the file system. This can be exploited by modifying the file name to a file path. You need to filter out the characters "/", "../", null characters or other file paths to ensure that hidden, private or sensitive files are not loaded.
5, try not to use regular expression functions to filter HTML input, such as preg_replace () and preg_replace_all (), the regular expression is very complicated, accidentally dropped into the pit, the probability of error is high.
verify the data
Unlike the filter input, the verification data does not delete the information from the input data, but only confirms whether the input data meets expectations, such as whether the input data is an email mailbox, a mobile phone number, a number, and the like. This kind of data we call invalid data, we verify this invalid data and prevent it from entering the data storage layer, and promptly prompt the user to enter the information incorrectly.
PHP's filter_var() and filter_input() functions filter text and validate the format. PHP provides flags that validate Boolean values, Email, floating point numbers, integers, IP addresses, MAC addresses, regular expressions, and URL addresses. The following code is to verify that the entered mailbox is correct:
$input = '[email protected]';
$isEmail = filter_var($input, FILTER_VALIDATE_EMAIL);
if ($isEmail !== false) {
echo 'success!';
} else {
echo 'failure!';
}We need to pay special attention to the return value of the filter_var() function. If the validation is successful, it returns the value to be verified. If the validation fails, it returns false.
The verification flag attached to the PHPfilter_var() function:
FILTER_VALIDATE_BOOLEAN: Boolean value
FILTER_VALIDATE_EMAIL: Email
FILTER_VALIDATE_FLOAT: floating point number
FILTER_VALIDATE_INT: integer
FILTER_VALIDATE_IP: IP address
FILTER_VALIDATE_MAC: MAC address
FILTER_VALIDATE_REGEXP: regular expression
FILTER_VALIDATE_URL: URL address
Finally, under the clarification, hackers use tools or non-normal means to bypass our front-end verification and build dangerous data for WEB penetration. Therefore, when we develop code, especially for back-end development, security is our top priority.
