FILTER_SANITIZE vs FILTER_VALIDATE, what's the difference - and which to use?


Question

Currently I'm making a sort of calculator-like app in PHP with a form as the method of input. To secure the input I'm using the filter_input() function. As a filter this function takes one of the elements from two groups: FILTER_SANITIZE and FILTER_VALIDATE; which one should I use to filter input from the form?

// Validate: returns the float, or bool(false) when 'number1' is not a valid float.
// The result is not passed through trim(): trim(false) yields "", which would hide the failure.
$number1 = filter_input(INPUT_GET, 'number1', FILTER_VALIDATE_FLOAT);

// Sanitize: the defined constant is FILTER_SANITIZE_NUMBER_FLOAT (FILTER_SANITIZE_FLOAT does not exist);
// FILTER_FLAG_ALLOW_FRACTION keeps the decimal point in the returned string.
$number1 = filter_input(INPUT_GET, 'number1', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);

Answer

It depends on what you need or what is suitable for your application, really. One would validate it and say "Yes, this is (or isn't) a valid float", while the other would clean it of any non-acceptable value and return that, and not say anything about whether the original input was valid or not to begin with.

The same applies for the other FILTER_SANITIZE_* and FILTER_VALIDATE_* constants, but in this example we'll look at floating-point validation and sanitation, as asked in the original question.

Let's see!

$float = 0.032;
$not_float = "0.03b2";

var_dump(filter_var($float, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION));
var_dump(filter_var($not_float, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION));

var_dump(filter_var($float, FILTER_VALIDATE_FLOAT));
var_dump(filter_var($not_float, FILTER_VALIDATE_FLOAT));

The output of the dumps above would be:

string(5) "0.032"  // $float          FILTER_SANITIZE_NUMBER_FLOAT
string(5) "0.032"  // $not_float      FILTER_SANITIZE_NUMBER_FLOAT
float(0.032)       // $float          FILTER_VALIDATE_FLOAT
bool(false)        // $not_float      FILTER_VALIDATE_FLOAT

FILTER_SANITIZE_NUMBER_FLOAT would return a string of the sanitized value (PHP isn't a strongly typed language, so "0.032" == 0.032).
You should also note the FILTER_FLAG_ALLOW_FRACTION flag, which keeps the decimal point in place (without that flag it would return 0032).

如您所见,任何FILTER_VALIDATE_FLOAT如果不是有效的浮点数,都将返回布尔值false,如果有效,则返回实际的浮点值(这是真实的"值).请记住,0.00将是一个虚假"值,因此,如果您希望检查验证失败,则应该使用严格比较,以防输入为零但仍然有效.

As you can see, any FILTER_VALIDATE_FLOAT would return a boolean false if it isn't a valid float, and the actual floating value if it was valid (which is a "truthy" value). Keep in mind that 0.00 would be a "falsy" value, so if you wish to check if the validation failed, you should use strict comparison, in case the input was zero, but still valid.

if (filter_var($input, FILTER_VALIDATE_FLOAT) === false) {
    // Oh noes! $input wasn't a valid float!
}

You can see it for yourself in this live demo.

To conclude
If you want to use it in calculations, you might want to validate it and let the user know that it's in an invalid format, but you could sanitize it and use it anyway.

Other filters
The example here shows the usage of FILTER_SANITIZE_FLOAT, but there are other validation and sanitation filters. See the links below for a full description.

  • List of validation filters
  • List of sanitation filters
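As an added example, not code from the question or the answer above, the following PHP runs constructed sample inputs through both filter families with filter_var() (so no real form submission is needed) and wraps the validate path in a hypothetical calculatorOperand() helper for the question's calculator use case:

```php
<?php
// Added example, not code from the original question or answer.
declare(strict_types=1);

/**
 * Hypothetical helper: return the operand as a float, or null if it is not a
 * valid float. trim() is applied to the raw string, never to the filter
 * result, because trim(false) silently becomes "" and hides the failure.
 */
function calculatorOperand(array $input, string $key): ?float
{
    $raw = $input[$key] ?? null;
    if (!is_string($raw)) {
        return null;                          // missing key or an array value
    }
    $value = filter_var(trim($raw), FILTER_VALIDATE_FLOAT);
    return $value === false ? null : $value;  // strict: 0.0 must survive
}

// Constructed sample values, as they might arrive in $_GET['number1'].
$samples = ['0.032', '0', ' 7 ', '0.03b2', 'abc', '1e3', '-2.5', ''];

foreach ($samples as $raw) {
    // Sanitize: strip every character that cannot appear in a float and
    // return what is left as a string. It never says whether $raw was valid.
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);

    // Validate: the float itself, or bool(false) for anything that is not one.
    $valid = filter_var($raw, FILTER_VALIDATE_FLOAT);

    printf("%-9s sanitize=%-8s validate=%-12s operand=%s\n",
        var_export($raw, true),
        var_export($clean, true),
        var_export($valid, true),
        var_export(calculatorOperand(['number1' => $raw], 'number1'), true));
}
// Rows worth comparing: '0.03b2' sanitizes quietly to "0.032" but fails
// validation; '1e3' sanitizes to "13" (the 'e' is stripped unless
// FILTER_FLAG_ALLOW_SCIENTIFIC is set) while validation yields 1000.0;
// '0' validates to 0.0, which only the strict === false check keeps as valid.
```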

