What does FILTER_SANITIZE_STRING do?


Question

There's like a million Q&A that explain the options like FILTER_FLAG_STRIP_LOW, but what does FILTER_SANITIZE_STRING do on its own, without any options? Does it just filter tags?

Accepted answer

According to the PHP manual:

Strip tags, optionally strip or encode special characters.

According to W3Schools:

The FILTER_SANITIZE_STRING filter strips or encodes unwanted characters.

This filter removes data that is potentially harmful for your application. It is used to strip tags and remove or encode unwanted characters.

Now, that doesn't tell us much. Let's go see some PHP sources.

ext/filter/filter.c:

static const filter_list_entry filter_list[] = {
    /*...*/
    { "string",          FILTER_SANITIZE_STRING,        php_filter_string          },
    { "stripped",        FILTER_SANITIZE_STRING,        php_filter_string          },
    { "encoded",         FILTER_SANITIZE_ENCODED,       php_filter_encoded         },
    /*...*/
};

Now, let's go see how php_filter_string is defined.
ext/filter/sanitizing_filters.c:

/* {{{ php_filter_string */
void php_filter_string(PHP_INPUT_FILTER_PARAM_DECL)
{
    size_t new_len;
    unsigned char enc[256] = {0};

    /* strip high/strip low ( see flags )*/
    php_filter_strip(value, flags);

    if (!(flags & FILTER_FLAG_NO_ENCODE_QUOTES)) {
        enc['\''] = enc['"'] = 1;
    }
    if (flags & FILTER_FLAG_ENCODE_AMP) {
        enc['&'] = 1;
    }
    if (flags & FILTER_FLAG_ENCODE_LOW) {
        memset(enc, 1, 32);
    }
    if (flags & FILTER_FLAG_ENCODE_HIGH) {
        memset(enc + 127, 1, sizeof(enc) - 127);
    }

    php_filter_encode_html(value, enc);

    /* strip tags, implicitly also removes \0 chars */
    new_len = php_strip_tags_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), NULL, NULL, 0, 1);
    Z_STRLEN_P(value) = new_len;

    if (new_len == 0) {
        zval_dtor(value);
        if (flags & FILTER_FLAG_EMPTY_STRING_NULL) {
            ZVAL_NULL(value);
        } else {
            ZVAL_EMPTY_STRING(value);
        }
        return;
    }
}

I'll skip commenting on the flags since they're already explained on the Internet, like you said, and focus on what is always performed instead, which is not so well documented.

First - php_filter_strip. It doesn't do much, just takes the flags you pass to the function and processes them accordingly. It does the well-documented stuff.

Then we construct some kind of map and call php_filter_encode_html. It's more interesting: it converts stuff like ", ', & and chars with their ASCII codes lower than 32 and higher than 127 to HTML entities, so & in your string becomes &#38;. Again, it uses flags for this.

Then we get a call to php_strip_tags_ex, which just strips HTML, XML and PHP tags (according to its definition in /ext/standard/string.c) and removes NULL bytes, like the comment says.

The code that follows it is used for internal string management and doesn't really do any sanitization. Well, not exactly - passing the undocumented flag FILTER_FLAG_EMPTY_STRING_NULL will return NULL if the sanitized string is empty, instead of returning just an empty string, but it's not really that useful. An example:

var_dump(filter_var("yo", FILTER_SANITIZE_STRING, FILTER_FLAG_EMPTY_STRING_NULL));
var_dump(filter_var("\0", FILTER_SANITIZE_STRING, FILTER_FLAG_EMPTY_STRING_NULL));
var_dump(filter_var("yo", FILTER_SANITIZE_STRING));
var_dump(filter_var("\0", FILTER_SANITIZE_STRING));

string(2) "yo"
NULL
string(2) "yo"
string(0) ""

There isn't much more going on, so the manual was fairly correct - to sum it up:

  • Always: strip HTML, XML and PHP tags, strip NULL bytes.
  • FILTER_FLAG_NO_ENCODE_QUOTES - This flag does not encode quotes.
  • FILTER_FLAG_STRIP_LOW - Strip characters with ASCII value below 32.
  • FILTER_FLAG_STRIP_HIGH - Strip characters with ASCII value above 127.
  • FILTER_FLAG_ENCODE_LOW - Encode characters with ASCII value below 32.
  • FILTER_FLAG_ENCODE_HIGH - Encode characters with ASCII value above 127.
  • FILTER_FLAG_ENCODE_AMP - Encode the & character to &#38; (not &amp;).
  • FILTER_FLAG_EMPTY_STRING_NULL - Return NULL instead of empty strings.
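To see the always-on steps (tag stripping, quote encoding, NUL removal) separately from what each flag adds, here is an added PHP script that is not part of the original answer. It runs filter_var() with FILTER_SANITIZE_STRING over a few constructed inputs, once per flag, and prints the results with var_export() so that NULL, an empty string and encoded entities are all visible. The input strings and the sanitize_samples() helper are inventions for this example. Note that FILTER_SANITIZE_STRING has been deprecated since PHP 8.1, so a current interpreter prints a deprecation notice when it runs; the usual replacement is to validate input on entry and encode with htmlspecialchars() at output time rather than relying on this filter as an XSS defence.

```php
<?php
declare(strict_types=1);

/**
 * Apply filter_var(..., FILTER_SANITIZE_STRING, $flags) to every input and
 * return a label => result map. Results are string|null (null only when
 * FILTER_FLAG_EMPTY_STRING_NULL is set and the sanitized value is empty).
 */
function sanitize_samples(array $inputs, int $flags = 0): array
{
    $out = [];
    foreach ($inputs as $label => $input) {
        $out[$label] = filter_var($input, FILTER_SANITIZE_STRING, $flags);
    }
    return $out;
}

// Constructed sample inputs (not from the original page). Each one targets
// one of the steps in php_filter_string: tags, quotes, ampersand, NUL byte,
// a control character (< 32) and a multibyte UTF-8 character (bytes > 127).
$samples = [
    'tags'    => '<b>bold</b> <script>alert(1)</script> text',
    'quotes'  => 'say "hi" and \'bye\'',
    'amp'     => 'fish & chips',
    'nul'     => "a\0b",
    'control' => "tab\there",
    'high'    => "caf\xC3\xA9",   // "café"; é is the two bytes C3 A9
];

// One run per flag, plus the flag-less default. The filter treats flags as a
// bitmask, so combinations (e.g. STRIP_LOW | ENCODE_AMP) are also valid.
$cases = [
    'default'           => 0,
    'NO_ENCODE_QUOTES'  => FILTER_FLAG_NO_ENCODE_QUOTES,
    'ENCODE_AMP'        => FILTER_FLAG_ENCODE_AMP,
    'STRIP_LOW'         => FILTER_FLAG_STRIP_LOW,
    'ENCODE_LOW'        => FILTER_FLAG_ENCODE_LOW,
    'STRIP_HIGH'        => FILTER_FLAG_STRIP_HIGH,
    'ENCODE_HIGH'       => FILTER_FLAG_ENCODE_HIGH,
    'EMPTY_STRING_NULL' => FILTER_FLAG_EMPTY_STRING_NULL,
];

foreach ($cases as $name => $flags) {
    echo "== $name ==\n";
    foreach (sanitize_samples($samples, $flags) as $label => $result) {
        // var_export keeps escapes and distinguishes NULL from "".
        printf("%-8s %s\n", $label, var_export($result, true));
    }
}
```

Two things worth watching in the output follow directly from the C shown above. The encode map is built per byte (enc[256]), so under FILTER_FLAG_ENCODE_HIGH each byte of a multibyte UTF-8 character becomes its own numeric entity, which corrupts the character rather than encoding it. And the quote encoding happens before php_strip_tags_ex runs, so text that survives tag stripping still carries &#34; and &#39; rather than literal quotes unless FILTER_FLAG_NO_ENCODE_QUOTES is set.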
