Correct approach to PHP input validation-PHP Tutorial-php.cn

Correct approach to PHP input validation

王林

Release： 2024-05-05 08:12:01

Original

589 people have browsed it

PHP input verification method: use PHP built-in functions (filter_var, preg_match), use regular expressions (such as verifying password strength), use whitelists or blacklists (limit or prohibit specific input values)

PHP 输入验证的正确做法

Proper Practices of PHP Input Validation

Input validation is crucial in web applications because it prevents malicious or invalid input from causing damage to the application. PHP provides a variety of built-in functions and techniques to validate input efficiently.

1. Use PHP built-in functions

PHP has several built-in useful functions to filter and validate input, for example:

// 过滤用户输入中的 HTML 标记
$filtered_input = filter_var($_POST['input'], FILTER_SANITIZE_SPECIAL_CHARS);

// 验证电子邮件地址
$is_email_valid = filter_var($_GET['email'], FILTER_VALIDATE_EMAIL);

Copy after login

2. Use regular expressions

Regular expressions are a powerful pattern that can be used to validate complex input. Here's how to verify password strength using regular expressions:

function validate_password($password) {
  $regex = '/^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[!@#$%^&*]).{8,}$/';
  return preg_match($regex, $password);
}

Copy after login

3. Use a whitelist or blacklist

If the input has an explicit allowed or disallowed value, Verification can be done using a whitelist or a blacklist.

Whitelist: Only allow specific values to pass. For example, the following code only allows specific fruits to be entered:

$allowed_fruits = array('apple', 'banana', 'orange');
if (in_array($_GET['fruit'], $allowed_fruits)) {
  // 输入有效
}

Copy after login

Blacklist: Does not allow specific values to pass. For example, the following code prohibits input containing specific keywords:

$disallowed_keywords = array('spam', 'malware', 'virus');
if (stripos($_POST['comment'], $disallowed_keywords) !== false) {
  // 输入无效
}

Copy after login

Practical case: User registration form

The following is a code example of a user registration form that demonstrates how to Using PHP Input Validation:

<?php
// 验证用户输入
$errors = array();

if (empty($_POST['username'])) {
  $errors[] = '用户名不能为空';
}

if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
  $errors[] = '无效的电子邮件地址';
}

if (!validate_password($_POST['password'])) {
  $errors[] = '密码强度不足';
}

// 处理已验证的输入
if (empty($errors)) {
  // 注册用户
}
?>

Copy after login

By following these practices, you can effectively validate user input and ensure the security and integrity of your application.

The above is the detailed content of Correct approach to PHP input validation. For more information, please follow other related articles on the PHP Chinese website!