PHP: what could cause FILTER_UNSAFE_RAW to return FALSE?
Returning to a script after a long time away, I got stuck on a sanitization step that suddenly fails.
I unexpectedly get false returned.
I traced the problem to the filter.
Here is an example that reproduces my unexpected result:
$test = [ 'apple', 'bananna', 'orange', 'lime', 'grape', ];
var_export( filter_var( $test, FILTER_UNSAFE_RAW )); // false
I thought FILTER_UNSAFE_RAW should simply return the input (in this case the array) unchanged.
Is my understanding/approach wrong?
Note:
My code has to be strictly self-contained and as lightweight as possible, so I just write simple helper functions where needed instead of loading 3rd-party libraries/classes.
Example:
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => FILTER_UNSAFE_RAW,
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];
$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input )
{
    // sanitize
    $sanitized = filter_var_array( $input, $f['sanitize'] );
    // validate
    $validated = filter_var_array( $sanitized, $f['validate'] );
    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' ))
    {
        ...
As you can see, this approach requires bar to go through sanitization even when no sanitizing action is needed.
Am I misunderstanding FILTER_UNSAFE_RAW?
It returns false because filter_var() cannot validate an array. filter_var_array() is like running filter_var() on each value of the subject array. You could try using an array as the value of bar in the sanitize array, with FILTER_UNSAFE_RAW as the filter and FILTER_REQUIRE_ARRAY as the flag:
'sanitize' => [
    'foo' => FILTER_SANITIZE_EMAIL,
    'bar' => [
        'filter' => FILTER_UNSAFE_RAW,
        'flags' => FILTER_REQUIRE_ARRAY
    ],
],
Another thing to note is that because you are only using FILTER_UNSAFE_RAW without specifying any flags, it does nothing, so it is the same as not sanitizing it at all. That doesn't apply in your case, though, because then it would not be passed on to validation.
Missing filter flag
It looks like you haven't added the correct flag to the sanitize part of filter_var_array.
Whenever you are handling an array, you must include the flag FILTER_REQUIRE_ARRAY, so without that flag the response you get is false.
Note: FILTER_UNSAFE_RAW merely optionally strips or encodes special characters. It is also the default filter.
Example
$test['bar'] = array( 'apple', 'bananna', 'orange', 'lime', 'grape' );
$san['bar'] = [
    'filter' => FILTER_UNSAFE_RAW,
    'flags' => FILTER_REQUIRE_ARRAY
];
print_r(filter_var_array( $test, $san ));
Output
Array
(
    [bar] => Array
        (
            [0] => apple
            [1] => bananna
            [2] => orange
            [3] => lime
            [4] => grape
        )
)
Edited working code
$filters = [
    'sanitize' => [
        'foo' => FILTER_SANITIZE_EMAIL,
        'bar' => [
            'filter' => FILTER_UNSAFE_RAW,
            'flags' => FILTER_REQUIRE_ARRAY
        ],
    ],
    'validate' => [
        'foo' => FILTER_VALIDATE_EMAIL,
        'bar' => [
            'filter' => FILTER_VALIDATE_REGEXP,
            'flags' => FILTER_REQUIRE_ARRAY,
            'options' => [ 'regexp' => '/(apple|grape)/' ],
        ],
    ],
];
$test = [
    'malicious' => 'something bad',
    'foo' => 'test@ema.il',
    'bar' => [ 'apple', 'grape', 'orange', ],
];
// validate
$checked = sanitizeInput( $filters, $test );
// sanitizer
function sanitizeInput( $f, $input ) {
    // sanitize
    $sanitized = filter_var_array( $input, $f['sanitize'] );
    print_r($sanitized);
    // validate
    $validated = filter_var_array( $sanitized, $f['validate'] );
    // if anything appears to have failed validation (was set to FALSE)
    if( FALSE !== strpos( json_encode($validated), 'false' )) {}
    return $validated;
}
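As an added example (not code from the question or from either answer), the following PHP puts both answers' points together: filter_var() on a whole array without FILTER_REQUIRE_ARRAY returns false, filter_var_array() with the flag applies the filter per element and drops keys that have no filter definition, and a small recursive helper (failedKeys, an assumed name) reports exactly which keys failed validation instead of searching json_encode() output for the text 'false', which would also match a legitimate string value containing that word. The input array is constructed for the example.

```php
<?php
// Added example, not from the original post. Constructed input below.

$fruit = ['apple', 'bananna', 'orange', 'lime', 'grape'];

// A scalar filter applied to a whole array: filter_var() rejects it and
// returns false (the result seen in the question).
var_dump(filter_var($fruit, FILTER_UNSAFE_RAW));
// With FILTER_REQUIRE_ARRAY the filter runs per element and, since
// FILTER_UNSAFE_RAW without flags changes nothing, the array comes back intact.
var_dump(filter_var($fruit, FILTER_UNSAFE_RAW, FILTER_REQUIRE_ARRAY) === $fruit);

$filters = [
    'foo' => FILTER_VALIDATE_EMAIL,
    'bar' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_REQUIRE_ARRAY,
        'options' => ['regexp' => '/(apple|grape)/'],
    ],
];

// Constructed input: 'orange' does not match the regexp, and 'malicious'
// has no filter definition, so filter_var_array() omits it from the result.
$input = [
    'malicious' => 'something bad',
    'foo'       => 'test@ema.il',
    'bar'       => ['apple', 'grape', 'orange'],
];

/**
 * Walk the result of filter_var_array() and list every key path whose value
 * is exactly false (a failed validation). A string that merely contains the
 * text "false" is not mistaken for a failure.
 */
function failedKeys(array $validated, string $prefix = ''): array
{
    $failed = [];
    foreach ($validated as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $failed = array_merge($failed, failedKeys($value, $path));
        } elseif ($value === false) {
            $failed[] = $path;
        }
    }
    return $failed;
}

$validated = filter_var_array($input, $filters);
print_r($validated);            // 'malicious' is gone, bar[2] is false
print_r(failedKeys($validated)); // the key path of the failed element
```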