PHP:什么会导致FILTER_UNSAFE_RAW返回FALSE?
After a long absence I have come back to a script and find myself stuck on a sanitization routine that is suddenly failing.
I have traced the problem to a filter that unexpectedly returns false.
Here is an example that reproduces my unexpected result:
$test = [ 'apple', 'bananna', 'orange', 'lime', 'grape', ];
var_export( filter_var( $test, FILTER_UNSAFE_RAW )); // false
I thought FILTER_UNSAFE_RAW should simply return the input unchanged (in this case, the array). Is my understanding/approach wrong?
Note: my code must be strictly self-contained and as lightweight as possible, so rather than loading third-party libraries/classes I write simple helper functions where they are needed. Example:
$filters = [
'sanitize' => [
'foo' => FILTER_SANITIZE_EMAIL,
'bar' => FILTER_UNSAFE_RAW,
],
'validate' => [
'foo' => FILTER_VALIDATE_EMAIL,
'bar' => [
'filter' => FILTER_VALIDATE_REGEXP,
'flags' => FILTER_REQUIRE_ARRAY,
'options' => [ 'regexp' => '/(apple|grape)/' ],
],
],
];
$test = [
'malicious' => 'something bad',
'foo' => 'test@ema.il',
'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input )
{
// sanitize
$sanitized = filter_var_array( $input, $f['sanitize'] );
// validate
$validated = filter_var_array( $sanitized, $f['validate'] );
// if anything appears to have failed validation (was set to FALSE)
if( FALSE !== strpos( json_encode($validated), 'false' ))
{
...
As you can see, this approach requires bar to pass through sanitization even when no sanitizing operation is needed.
Am I misunderstanding FILTER_UNSAFE_RAW?

It returns false because filter_var() cannot validate an array, whereas filter_var_array() is like running filter_var() on each value of the subject array. You could try using an array as the value of bar in the sanitize array, with FILTER_UNSAFE_RAW as the filter and FILTER_REQUIRE_ARRAY as the flag:
'sanitize' => [
'foo' => FILTER_SANITIZE_EMAIL,
'bar' => [
'filter' => FILTER_UNSAFE_RAW,
'flags' => FILTER_REQUIRE_ARRAY
],
],
Another thing to note is that since you are only using FILTER_UNSAFE_RAW without specifying any flags, it will do nothing, so it is the same as not sanitizing. That would not work in your case though, because then it would not get passed on to validation.
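To make the flag behaviour concrete, here is an added example (not code from the question or from this answer) that runs the same constructed fruit list through filter_var() with each of the array flags, then shows that filter_var_array() with a FILTER_REQUIRE_ARRAY definition gives the same result as filter_var() called with that flag, and finally that FILTER_UNSAFE_RAW only changes anything when a flag such as FILTER_FLAG_STRIP_LOW asks it to:

```php
<?php
// Added example, not code from the original question or answers.
// The $fruits, $input and $definition values are constructed for it.
declare(strict_types=1);

$fruits = ['apple', 'bananna', 'orange', 'lime', 'grape'];

// 1. Default behaviour: filter_var() expects a scalar (FILTER_REQUIRE_SCALAR),
//    so an array input makes the filter fail and the call returns false.
var_export(filter_var($fruits, FILTER_UNSAFE_RAW));
echo "\n";

// 2. FILTER_REQUIRE_ARRAY: the filter is applied to every element (recursively)
//    and, since FILTER_UNSAFE_RAW changes nothing, the array comes back as it was.
var_export(filter_var($fruits, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY));
echo "\n";

// 3. FILTER_REQUIRE_ARRAY is strict the other way round too: a scalar fails.
var_export(filter_var('apple', FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY));
echo "\n";

// 4. FILTER_FORCE_ARRAY accepts either shape and always yields an array,
//    which is the flag to use when a field may arrive as one value or many.
var_export(filter_var('apple', FILTER_UNSAFE_RAW, FILTER_FORCE_ARRAY));
echo "\n";

// 5. filter_var_array() with a per-key definition carrying FILTER_REQUIRE_ARRAY
//    is equivalent to filter_var() with that flag on that key. Keys that are
//    absent from the definition ('malicious' here) are dropped from the result,
//    which is the whitelisting behaviour you want from an input filter.
$input = ['bar' => $fruits, 'malicious' => 'something bad'];
$definition = [
    'bar' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY],
];
$viaArray = filter_var_array($input, $definition);
$viaVar   = filter_var($input['bar'], FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY);
var_export($viaArray['bar'] === $viaVar);               // same elements, same order
echo "\n";
var_export(array_key_exists('malicious', $viaArray));   // the unlisted key is gone
echo "\n";

// 6. FILTER_UNSAFE_RAW does nothing on its own; with FILTER_FLAG_STRIP_LOW it
//    removes control characters (bytes below 32), here a NUL and a BEL.
var_export(filter_var("lime\x00\x07", FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW));
echo "\n";
```

Cases 1 to 3 are the whole answer to the question: the array itself was never the problem, the missing FILTER_REQUIRE_ARRAY (or FILTER_FORCE_ARRAY) flag was.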
Missing filter flags: it looks like you have not added the correct flags for the sanitize part of filter_var_array. Whenever you deal with arrays you must include the flag FILTER_REQUIRE_ARRAY, so without that flag the response you get is false.
Note: FILTER_UNSAFE_RAW only optionally strips or encodes special characters. It is also the default filter.
Example
$test['bar'] = array( 'apple', 'bananna', 'orange', 'lime', 'grape' );
$san['bar'] = [
'filter' => FILTER_UNSAFE_RAW,
'flags' => FILTER_REQUIRE_ARRAY
];
print_r(filter_var_array( $test, $san ));
$filters = [
'sanitize' => [
'foo' => FILTER_SANITIZE_EMAIL,
'bar' => [
'filter' => FILTER_UNSAFE_RAW,
'flags' => FILTER_REQUIRE_ARRAY
],
],
'validate' => [
'foo' => FILTER_VALIDATE_EMAIL,
'bar' => [
'filter' => FILTER_VALIDATE_REGEXP,
'flags' => FILTER_REQUIRE_ARRAY,
'options' => [ 'regexp' => '/(apple|grape)/' ],
],
],
];
$test = [
'malicious' => 'something bad',
'foo' => 'test@ema.il',
'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input ) {
// sanitize
$sanitized = filter_var_array( $input, $f['sanitize'] );
print_r($sanitized);
// validate
$validated = filter_var_array( $sanitized, $f['validate'] );
// if anything appears to have failed validation (was set to FALSE)
if( FALSE !== strpos( json_encode($validated), 'false' )) {}
return $validated;
}
Output
Array
(
[bar] => Array
(
[0] => apple
[1] => bananna
[2] => orange
[3] => lime
[4] => grape
)
)
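As an added example, not code from the question or from either answer, here is a version of the question's sanitize-then-validate helper with two fixes a practitioner would want: the validated result is walked with a strict === false check instead of strpos(json_encode(...), 'false'), which also fires on a perfectly valid value that happens to contain the text "false", and the regexp is anchored so that 'pineapple' or 'grapefruit' no longer pass as 'apple' or 'grape'. The helper names sanitizeInput(), failedPaths() and looksFailedByJson() and the three sample inputs are constructed for this illustration.

```php
<?php
// Added example, not code from the question or either answer. The helper
// names and the sample inputs below are constructed for this illustration.
declare(strict_types=1);

$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        // An array value needs FILTER_REQUIRE_ARRAY, or its key comes back as false.
        'bar' => ['filter' => FILTER_UNSAFE_RAW, 'flags' => FILTER_REQUIRE_ARRAY],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'flags'   => FILTER_REQUIRE_ARRAY,
            // Anchored: the unanchored '/(apple|grape)/' also matches 'pineapple'.
            'options' => ['regexp' => '/^(apple|grape)$/'],
        ],
    ],
];

/**
 * Collect the dotted paths of every value that is strictly false (a filter
 * failure) or null (a key in the definition the input did not supply).
 * Strings are never reported, whatever text they contain.
 */
function failedPaths(array $result, string $prefix = ''): array
{
    $failed = [];
    foreach ($result as $key => $value) {
        $path = $prefix === '' ? (string) $key : $prefix . '.' . $key;
        if (is_array($value)) {
            $failed = array_merge($failed, failedPaths($value, $path));
        } elseif ($value === false || $value === null) {
            $failed[] = $path;
        }
    }
    return $failed;
}

/**
 * Sanitize, then validate. Keys not present in the definition (such as
 * 'malicious') are discarded by filter_var_array() itself. Returns
 * ['ok' => bool, 'data' => array, 'failed' => string[]].
 */
function sanitizeInput(array $f, array $input): array
{
    $sanitized = filter_var_array($input, $f['sanitize']);
    if (!is_array($sanitized)) {
        return ['ok' => false, 'data' => [], 'failed' => ['(sanitize definition rejected)']];
    }
    $validated = filter_var_array($sanitized, $f['validate']);
    if (!is_array($validated)) {
        return ['ok' => false, 'data' => [], 'failed' => ['(validate definition rejected)']];
    }
    $failed = failedPaths($validated);
    return ['ok' => $failed === [], 'data' => $validated, 'failed' => $failed];
}

// The question's original check, kept only to compare it with failedPaths().
function looksFailedByJson(array $validated): bool
{
    return strpos(json_encode($validated), 'false') !== false;
}

// Constructed inputs.
$samples = [
    'clean'   => ['malicious' => 'something bad', 'foo' => 'test@ema.il', 'bar' => ['apple', 'grape']],
    'invalid' => ['foo' => 'not-an-email', 'bar' => ['apple', 'orange', 'pineapple']],
    // Every value is valid, but the address contains the text "false".
    'tricky'  => ['foo' => 'false@ema.il', 'bar' => ['grape']],
];

foreach ($samples as $name => $input) {
    $result = sanitizeInput($filters, $input);
    printf(
        "%-8s strict check ok=%-3s json check reports failure=%-3s failed=[%s]\n",
        $name,
        $result['ok'] ? 'yes' : 'no',
        looksFailedByJson($result['data']) ? 'yes' : 'no',
        implode(',', $result['failed'])
    );
}
```

The 'tricky' row is the one to look at: the strict walk accepts the input because 'false@ema.il' is a syntactically valid address and 'grape' matches, while the json_encode check reports a failure it cannot name. The 'invalid' row shows why the anchored regexp matters: 'pineapple' is rejected there, but would have been accepted by the original '/(apple|grape)/'.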