PHP's new input_filter does not read $_GET or $_POST arrays


Problem description

In PHP 5.2 there was a nice security function added called "input_filter", so instead of saying:

$name = $_GET['name'];

you can now say:

$name = filter_input (INPUT_GET, 'name', FILTER_SANITIZE_STRING);

and it automatically sanitizes your string, there is also:

  • FILTER_SANITIZE_ENCODED
  • FILTER_SANITIZE_NUMBER_INT
  • FILTER_SANITIZE_EMAIL
  • FILTER_SANITIZE_URL

etc. so this is a very convenient security feature to use and I want to switch over to it completely.

The problem is... I often manipulate the $_GET and $_POST arrays before processing them, like this:

$_GET['name'] = '(default name)';

but it seems that filter_input does not have access to the changes in $_GET since it reads "INPUT_GET" which is of type int (?). It would be nice if I could get filter_input to read $_GET instead but:

$name = filter_input ( $_GET, 'name', FILTER_SANITIZE_STRING );

gives me the error:

Warning: filter_input() expects parameter 1 to be long, array given.

Can anyone think of a way that I could:

  • manipulate the source of INPUT_GET (wherever it is) so that I can change its values before filter_input can read them
  • get filter_input to read $_GET

ADDENDUM:

Rich asked: "Why are you changing the arrays anyway, surely you want them to be an input, rather than something you've programmatically inserted."

It is just a very convenient place to preprocess variables coming in, e.g. in order to:

  • set defaults (if $_GET['state'] = '' then $_GET['state'] = 'AL')
  • do manual processing (delete all spaces, etc.)
  • security (some of which will be done by filter_input now)

Then I know by the time I get the incoming variable, it is secure and valid. Of course I could copy the $_GET array to another array and process THAT array but that is just an unnecessary step since $_GET is already a functioning array so it makes sense to do it with these system arrays that already exist.
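
An added example, not part of the original question or its answer, of the behaviour described above: filter_input() works on the request data PHP received rather than on the current contents of $_GET, while filter_var_array() applies the same filter constants to any array the script controls. The helper names preprocess() and filter_request(), the filter choices and the sample values are assumptions made for illustration; FILTER_SANITIZE_STRING is left out because it is deprecated as of PHP 8.1.

```php
<?php
// Added example with constructed data; run from the CLI: php example.php
// On the CLI there is no query string, so every value in $_GET below was
// written by the script, like the question's $_GET['name'] = '(default name)'.
$_GET = [
    'name'  => "  <b>Alice</b>  ",  // constructed sample value
    'state' => '',                   // empty, should fall back to a default
    'age'   => '42abc',              // constructed sample value
];

// Preprocessing from the question: manual cleanup and default values.
// Non-string entries (e.g. name[]=x arrives as an array) are left untouched
// so that trim() is never called on an array.
function preprocess(array $in): array
{
    $in = array_map(fn($v) => is_string($v) ? trim($v) : $v, $in);
    if (($in['state'] ?? '') === '') {
        $in['state'] = 'AL';
    }
    return $in;
}

// Apply filters to an array the script controls. Keys missing from $in come
// back as null; values that fail validation come back as false.
function filter_request(array $in): array
{
    $spec = [
        'name'  => FILTER_SANITIZE_SPECIAL_CHARS,
        'state' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Z]{2}$/'],
        ],
        'age'   => FILTER_SANITIZE_NUMBER_INT,
    ];
    return filter_var_array($in, $spec);
}

// filter_input() does not see the script's own writes to $_GET.
var_dump(filter_input(INPUT_GET, 'state'));

// Filtering the preprocessed array keeps both the default and the sanitizing.
var_dump(filter_request(preprocess($_GET)));
```

Because filter_input() ignores later writes to the superglobals, it is also a way to read the value the client actually sent even after other code has modified $_GET.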

Recommended answer

You can use
