何时使用filter_input() [英] When to use filter_input()

问题描述

该问题最初是在此处的评论中提出的.. em>

This question was originally asked in a comment here.

如果您仍然需要 filter_input()在打印任何用户提供的数据之前，请重新使用参数化查询和 htmlspecialchars() ?

Is filter_input() still necessary if you’re using parameterized queries and htmlspecialchars() before you print any user-supplied data?

对我来说似乎是不必要的，但始终有人告诉我过滤器输入，转义输出".因此，除了数据库(或其他形式的存储)外，是否还需要过滤输入的数据?

It seems unnecessary to me, but I've always been told to "Filter Input, Escape Output". So, aside from a database (or another form of storage), is there any need to filter inputted data?

推荐答案

嗯，会有不同的看法.

我认为您应该始终使用它(或者通常使用filter扩展名).至少有以下三个原因:

My take is that you should always use it (or, the filter extension in general). There are at least 3 reasons for this:

1. 清除输入内容是您应始终要做的事情.由于该功能为您提供了此功能，因此实际上没有理由寻找其他方法来清理输入.由于它是扩展，因此筛选器也比目前大多数PHP解决方案都快得多，而且很可能更安全，这肯定不会造成伤害.唯一的例外是如果您需要更专业的过滤器.即使这样，您也应该使用FILTER_UNSAFE_RAW过滤器(请参阅#3)来获取值.

1. Sanitizing input is something you should always do. Since the function gives you this capability there is really no reason to find other ways of sanitizing input. Since it is an extension the filter will also be much faster and most likely safer than most PHP solutions out there, which certainly does not hurt. The only exception is if you need a more specialized filter. Even then you should grab the value using the FILTER_UNSAFE_RAW filter (see #3).

filter扩展中有很多东西.它可以节省您编写消毒和验证代码的时间.当然，它并不能涵盖所有情况，但是已经足够了，您可以将精力更多地放在特定的过滤/验证代码上.

There are a lot of goodies in the filter extension. It can save you hours from writing sanitizing and validation code. Of course, it does not cover every single case, but there is enough so that you can focus more on specific filtering/validating code.

在调试/审核代码时，使用此功能非常有用.使用该功能时，您确切地知道输入是什么.例如，如果使用FILTER_SANITIZE_NUMBER_INT过滤器，则可以确保输入将是数字-无需SQL注入，无需HTML或Javascript代码等.另一方面，如果您使用类似那么您知道应该仔细对待它，并且很容易引起安全问题.

Using the function is very good for when you are debugging/auditing your code. When the function is used you know exactly what the input will be. For example, if you use the FILTER_SANITIZE_NUMBER_INT filter then you can be sure that the input will be a number -- no SQL injections, no HTML or Javascript code, etc. If you, on the other hand, use something like FILTER_UNSAFE_RAW then you know that it should be treated carefully, and that it can easily cause security problems.

这篇关于何时使用filter_input()的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！