PHP如何以正确的方式过滤所有$ _POST变量 [英] PHP How to filter 'in a correct way' All $_POST variables
问题描述
使用Netbeans,每当我尝试访问$ _POST或$ _GET中的变量时,建议使用诸如filter_input(INPUT_POST,'id')
之类的东西作为安全性"(我不认为它比使用filter_input更安全默认的NON过滤器,但无论如何..).
Using Netbeans, whenever i try to access a variable in $_POST or $_GET, i'm adviced to use something like: filter_input(INPUT_POST,'id')
, for 'safety' (i don't think it's any safer than using filter_input with the default NON filter, but anyways..).
这让我思考了这篇文章的答案:如何在帖子(PHP)中获取所有变量
This got me thinking about the answer to this post: How to grab all variables in a post (PHP)
您有:
foreach ($_POST as $key => $value) {
//do something
echo $key . ' has the value of ' . $value;
}
filter_input()仅适用于$ _POST内部的单个变量
filter_input() only works for individual variables inside $_POST
我的问题是,如何通过过滤重写"$_POST as $key
"以适合NetBeans告诉我的假定访问标准?
My question is, How can i re-write "$_POST as $key
" with filtering to fit this supposed access standard that NetBeans is telling me about?.
推荐答案
您可以使用
You can filter whole $_POST
using filter_input_array
$safePost = filter_input_array(INPUT_POST);
使用第二个参数可以更改过滤器
Using second parameter you can change filter
$safePost = filter_input_array(INPUT_POST, FILTER_SANITIZE_STRING);
您还可以定义按属性过滤器
You can also define per-property filters
$safePost = filter_input_array(INPUT_POST, [
"id" => FILTER_VALIDATE_INT,
"name" => FILTER_SANITIZE_STRING,
"email" => FILTER_SANITIZE_EMAIL
]);
如果我对输入一无所知怎么办?
What if I know nothing about input?
嗯,您总是知道一些事情,知道您期望得到什么. 如果用户提供了无效的输入,您应该对此做出反应.
Well, you always know something, you know what you expect to get. And if user provides invalid input you should react to that.
如果您期望字段id
中存在整数,并且用户向您发送了tomato
,那么您应该返回错误并通知用户,他发送的请求出了什么问题.
If you expect integer in field id
and user sends you tomato
, then you should reply with error informing user what is wrong with request he sent.
这篇关于PHP如何以正确的方式过滤所有$ _POST变量的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!