Is this link sufficient, for example, for input filtering of form data? With a POST, for example?
<?php
// Constructed test value; in a real form handler this would come from $_POST.
$var = 300;
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
// filter_var() returns the filtered integer, or false on failure.
// Compare with === false: a plain !filter_var() would also reject a valid 0.
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false)
{
    echo("Integer is not valid");
}
else
{
    echo("Integer is valid");
}
?>
What is the most common kind of filtering? Like sanitizing strings and numbers. I use preg_match for validation of email fields on the server side and regular expression checks in javascript. I’m no validation nazi but would like to have some sort of filtering for the most common things.
These kinds of things I think I could abstract away in my application with some public static functions in a class, for example like this:
Validate::String($str);
Validate::Integer($int);
What do you think about that?
filter_var() is a good start. If you are planning on using these inputs in any type of SQL statement, you should look into properly sanitizing it for that, too.
PDO with prepared statements, mysql_real_escape_string or any other db wrapper (MDB2, etc…) should provide this functionality for you.
I guess the key idea here is that there is a difference between filtering and sanitizing data, and there are different levels of doing each. It’s very much a multi-part process.
For filtering, you could do a type check (is this an int?) and then validate that the input meets your criteria (is this int between 1 and 128?).
You’ll also need to sanitize the data. htmlspecialchars for output, some proper quoting and escaping for use in SQL.
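The whole pipeline the two answers describe, type-check and range-validate with filter_var(), then sanitize separately for each sink, as an added example that is not code from either poster. The Validate class and its method names, the sample $post array and the in-memory SQLite database are constructed for this illustration.

```php
<?php
// Added example: filter and validate first, then sanitize for the specific sink.
final class Validate
{
    // Returns the int or null; === false avoids rejecting a valid 0.
    public static function integer($value, int $min, int $max): ?int
    {
        $result = filter_var($value, FILTER_VALIDATE_INT, [
            'options' => ['min_range' => $min, 'max_range' => $max],
        ]);
        return $result === false ? null : $result;
    }
    // Trims, caps length, rejects invalid UTF-8 and control characters.
    public static function string($value, int $maxLength = 255): ?string
    {
        if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
            return null;
        }
        $value = trim($value);
        if ($value === '' || mb_strlen($value) > $maxLength
            || preg_match('/[\x00-\x1F\x7F]/u', $value)) {
            return null;
        }
        return $value;
    }
    public static function email($value): ?string
    {
        $result = filter_var($value, FILTER_VALIDATE_EMAIL);
        return $result === false ? null : $result;
    }
}
// Constructed sample POST body standing in for $_POST.
$post = ['age' => '0', 'name' => "  Ada <b>Lovelace</b> ", 'email' => 'ada@example.com'];
$age   = Validate::integer($post['age'] ?? null, 0, 256);
$name  = Validate::string($post['name'] ?? null, 64);
$email = Validate::email($post['email'] ?? null);
if ($age === null || $name === null || $email === null) {
    http_response_code(400);
    exit('Invalid form data');
}
// Sanitizing is per sink: escape for HTML output...
echo htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
// ...and bind parameters for SQL instead of interpolating values into the query
// (in-memory SQLite here so the example runs offline; assumes pdo_sqlite is installed).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT, email TEXT, age INTEGER)');
$stmt = $pdo->prepare('INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
$stmt->execute([':name' => $name, ':email' => $email, ':age' => $age]);
echo $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn(), " row(s) inserted\n";
```

Note that the age "0" passes here; with the original !filter_var() test it would have been reported as invalid.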