定義済み定数
--quoted from filter.txt in the source code
* As the input filter acts on input data before the magic quotes function
mangles data, all access through the filter() function will not have any
quotes or slashes added - it will be the pure data as send by the browser.
Filter 関数
目次
- filter_has_var — 指定した型の変数が存在するかどうかを調べる
- filter_id — フィルタの名前からフィルタ ID を返す
- filter_input_array — 外部から変数を受け取り、オプションでそれらをフィルタリングする
- filter_input — 指定した名前の変数を外部から受け取り、オプションでそれをフィルタリングする
- filter_list — サポートされるフィルタの一覧を返す
- filter_var_array — 複数の変数を受け取り、オプションでそれらをフィルタリングする
- filter_var — 指定したフィルタでデータをフィルタリングする
add a note
User Contributed NotesFilter 関数
Anonymous
24-Dec-2008 06:08
24-Dec-2008 06:08
Jovan Suervo
26-Nov-2007 10:35
26-Nov-2007 10:35
It seems that all FILTER_VALIDATE_URL is doing is calling parse_url(), which makes it effectively useless since parse_url() only fails on really malformed urls.
<?php
$url = 'http://...';
var_dump(filter_var($url, FILTER_VALIDATE_URL));
?>
Will display: string(10) "http://..."
None of the flags help either, so you're better off with regular expressions to validate a url.
fumble1 at web dot de
12-Aug-2007 07:54
12-Aug-2007 07:54
I recommend you to use the FILTER_REQUIRE_SCALAR (or FILTER_REQUIRE_ARRAY) flags, since you can use array-brackets both to access string offsets and array-element -- however, not only this can lead to unexpected behaviour. Look at this example:
<?php
$image = basename(filter_input(INPUT_GET, 'src', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW));
// further checks
?>
/script.php?src[0]=foobar will cause a warning. :-(
Hence my recommendation:
<?php
$image = basename(filter_input(INPUT_GET, 'src', FILTER_UNSAFE_RAW, FILTER_REQUIRE_SCALAR | FILTER_FLAG_STRIP_LOW));
// further checks
?>
Richard Davey rich at corephp dot co dot uk
13-Jun-2007 08:15
13-Jun-2007 08:15
There is an undocumented filter flag for FILTER_VALIDATE_BOOLEAN. The documentation implies that it will return NULL if the value doesn't match the allowed true/false values. However this doesn't happen unless you give it the FILTER_NULL_ON_FAILURE flag like this:
<?php
$value = 'car';
$result = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
?>
In the above $result will equal NULL. Without the extra flag it would equal FALSE, which isn't usually a desired result for this specific filter.
ckroll at rightmedia dot com
08-May-2007 05:02
08-May-2007 05:02
Beware, the FILTER_SANITIZE_STRING flag functions much like strip_tags, so < will get filtered from input regardless of it's actually part of a tag. We were getting unexepected results with a graphic library we wrote when trying to print < on a dynamic button. The url came in something like ?string=%3C (<) but after filter ran it was empty. To get around this, you could use FILTER_UNSAFE_RAW on that one param.
user
02-Feb-2007 09:15
02-Feb-2007 09:15
Below is some code using filter API to restrict access to LAN by IPv4 private address range.
These notes may save someone else a little time:
filter_input_array() is useless for running multiple filters on the same key.
No way to chain or negate filters.
<?php
/* Merciful comment! */
function FILTER_NEGATE_HACK($_){ return (bool)!$_; }
function client_is_private_ipv4(){
return (filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) &&
FILTER_NEGATE_HACK(filter_input(INPUT_SERVER, 'REMOTE_ADDR', FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE));
}
if (! client_is_private_ipv4())
exit('This application is restricted to local network users');
?>
vojtech at x dot cz
21-Dec-2006 03:38
21-Dec-2006 03:38
Also notice that filter functions are using only the original variable values passed to the script even if you change the value in super global variable ($_GET, $_POST, ...) later in the script.
<?php
echo filter_input(INPUT_GET, 'var'); // print 'something'
echo $_GET['var']; // print 'something'
$_GET['var'] = 'changed';
echo filter_input(INPUT_GET, 'var'); // print 'something'
echo $_GET['var']; // print 'changed'
?>
In fact, external data are duplicated in SAPI before the script is processed and filter functions don't use super globals anymore (as explained in Filter tutorial bellow, section 'How does it work?').
vojtech at x dot cz
21-Dec-2006 02:13
21-Dec-2006 02:13
Just to note that "server and env support may not work in all sapi, for filter 0.11.0 or php 5.2.0" as mentioned in Filter tutorial bellow.
The workaround is obvious:
Instead of
<?php
$var = filter_input(INPUT_SERVER, 'SERVER_NAME', FILTER_DEFAULT);
?>
use
<?php
$var = filter_var(isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : NULL, FILTER_DEFAULT);
?>
kevin at oceania dot net
12-Nov-2006 06:34
12-Nov-2006 06:34
Examples of ALL filters and flags here:
http://phpro.org/tutorials/Filtering-Data-with-PHP.html
philip at php dot net
01-Nov-2006 03:00
01-Nov-2006 03:00
Filter tutorial here:
* http://devzone.zend.com/node/view/id/1113