PHP的新input_filter不读取$ _GET或$ _POST数组 [英] PHP's new input_filter does not read $_GET or $_POST arrays
问题描述
在PHP 5.2中添加了一个很好的安全功能,称为"input_filter",因此不用说了:
In PHP 5.2 there was a nice security function added called "input_filter", so instead of saying:
$name = $_GET['name'];
您现在可以说:
$name = filter_input (INPUT_GET, 'name', FILTER_SANITIZE_STRING);
它会自动清理您的字符串,还有:
and it automatically sanitizes your string, there is also:
-
FILTER_SANITIZE_ENCODED
-
FILTER_SANITIZE_NUMBER_INT
-
FILTER_SANITIZE_EMAIL
-
FILTER_SANITIZE_URL
FILTER_SANITIZE_ENCODED
FILTER_SANITIZE_NUMBER_INT
FILTER_SANITIZE_EMAIL
FILTER_SANITIZE_URL
等 因此,这是使用起来非常方便的安全功能,我想完全切换到该功能.
etc. so this is a very convenient security feature to use and I want to switch over to it completely.
问题是... 我经常在处理$ _GET和$ _POST数组之前对其进行操作,如下所示:
The problem is... I often manipulate the $_GET and $_POST arrays before processing them, like this:
$ _ GET ['name'] ='(默认名称)';
$_GET['name'] = '(default name)';
但是似乎filter_input无法访问$ _GET中的更改,因为它读取的是int(?)类型的"INPUT_GET".如果我可以让filter_input改为读取$ _GET,则很好,但是:
but it seems that filter_input does not have access to the changes in $_GET since it reads "INPUT_GET" which is of type int (?). It would be nice if I could get filter_input to read $_GET instead but:
$name = filter_input ( $_GET, 'name', FILTER_SANITIZE_STRING );
给我错误:
Warning: filter_input() expects parameter 1 to be long, array given.
谁能想到一种我可以的方式:
Can anyone think of a way that I could:
- 操纵
INPUT_GET
的来源(无论它在哪里),以便我可以在filter_input读取它们之前更改其值 - 获取filter_input以读取
$_GET
- manipulate the source of
INPUT_GET
(whereever it is) so that I can change its values before filter_input can read them - get filter_input to read
$_GET
ADDENDUM:
富人问道:为什么无论如何都要更改数组,请确保您希望它们成为输入,而不是您以编程方式插入的内容."
Rich asked: "Why are you changing the arrays anyway, surely you want them to be an input, rather than something you've programmatically inserted."
这是预处理传入变量的非常方便的地方,例如为了:
It is just a very convenient place to preprocess variables coming in, e.g. in order to:
- 设置默认值(如果$ _GET ['state'] =''则$ _GET ['state'] ='AL')
- 进行手动处理(删除所有空格等)
- 安全性(其中一些现在将由filter_input完成)
然后我知道我收到传入变量时,它是安全有效的.当然,我可以将$ _GET数组复制到另一个数组并处理THAT数组,但这只是不必要的步骤,因为我$ _GET已经是一个有效的数组,因此使用这些已经存在的系统数组来进行处理是很有意义的.
Then I know by the time I get the incoming variable, it is secure and valid. Of course I could copy the $_GET array to another array and process THAT array but that is just an unnecessary step since I $_GET is already a functioning array so it makes sense to do it with these system arrays that already exist.
推荐答案
您可以使用 filter_var_array
$name = filter_var ( $_GET['name'], FILTER_SANITIZE_STRING );
这篇关于PHP的新input_filter不读取$ _GET或$ _POST数组的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!