PHP input verification method: use PHP built-in functions (filter_var, preg_match), use regular expressions (such as verifying password strength), use whitelists or blacklists (limit or prohibit specific input values)
Proper Practices of PHP Input Validation
Input validation is crucial in web applications because it prevents malicious or invalid input from causing damage to the application. PHP provides a variety of built-in functions and techniques to validate input efficiently.
1. Use PHP built-in functions
PHP has several built-in useful functions to filter and validate input, for example:
// 过滤用户输入中的 HTML 标记 $filtered_input = filter_var($_POST['input'], FILTER_SANITIZE_SPECIAL_CHARS); // 验证电子邮件地址 $is_email_valid = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);
2. Use regular expressions
Regular expressions are a powerful pattern that can be used to validate complex input. Here's how to verify password strength using regular expressions:
function validate_password($password) {
$regex = '/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*]).{8,}$/';
return preg_match($regex, $password);
}3. Use a whitelist or blacklist
If the input has an explicit allowed or disallowed value, Verification can be done using a whitelist or a blacklist.
Whitelist: Only allow specific values to pass. For example, the following code only allows specific fruits to be entered:
$allowed_fruits = array('apple', 'banana', 'orange');
if (in_array($_GET['fruit'], $allowed_fruits)) {
// 输入有效
}Blacklist: Does not allow specific values to pass. For example, the following code prohibits input containing specific keywords:
$disallowed_keywords = array('spam', 'malware', 'virus');
if (stripos($_POST['comment'], $disallowed_keywords) !== false) {
// 输入无效
}Practical case: User registration form
The following is a code example of a user registration form that demonstrates how to Using PHP Input Validation:
<?php
// 验证用户输入
$errors = array();
if (empty($_POST['username'])) {
$errors[] = '用户名不能为空';
}
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
$errors[] = '无效的电子邮件地址';
}
if (!validate_password($_POST['password'])) {
$errors[] = '密码强度不足';
}
// 处理已验证的输入
if (empty($errors)) {
// 注册用户
}
?>By following these practices, you can effectively validate user input and ensure the security and integrity of your application.
The above is the detailed content of Correct approach to PHP input validation. For more information, please follow other related articles on the PHP Chinese website!
![Getting Started with PHP Practical Development: PHP Quick Creation [Small Business Forum]](https://img.php.cn/upload/course/000/000/035/5d27fb58823dc974.jpg)
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
