PHP Security Triathlon: Filtering, Validation and Escaping -Validation
2 Validation data
PHP native implementation
Validating input data is also important. Unlike filtering, validation does not remove information from the input data, but only confirms that user input is as expected. If you enter an email address, make sure the user enters an email address; if you need a phone number, make sure the user enters a phone number, which is what verification does.
The verification is to ensure that the correct data conforming to a specific format is stored in the storage layer of the application. If invalid data is encountered, the data storage operation should be suspended and the corresponding error message displayed to remind the user to enter the correct data. Validation also avoids potential database errors. For example, if MySQL expects DATETIME a value of type and provides a DATE string, then MySQL will report an error or use the default value. Regardless of the processing method, the integrity of the application is subject to invalid data Destruction.
To implement input data validation, we can pass an FILTER_VALIDATE_*identifier to the filter_var function. PHP provides identifiers for validating Boolean values, email addresses, floating point numbers, integers, IPs, regular expressions, and URLs (see http://php.net/manual/en/filter.filters.validate.php). The following example shows how to verify an email address:
<?php
$input = 'louieperry@morioh.com';
$isEmail = filter_var($input, FILTER_VALIDATE_EMAIL);
if ($isEmail !== FALSE) {
echo 'success';
} else {
echo 'failed';
}
We should pay special attention to filter_var the return value. If the verification is successful, the value to be verified is returned false. If the verification fails, it is returned .
With the help of PHP components
Although the filter_var function provides a lot of identifications for verification, it is a novelty and cannot be eaten all over the world. We cannot rely on it to verify all data. In addition to the filter_var function, there are the following components to help us complete more complex verification functions:
Note: The input data is both validated and filtered to ensure that it is as expected and secure.
Data validation implementation in Laravel
Most of the scenarios for data validation are on form submissions. Laravel also provides a wealth of methods for verifying user submitted data, which can meet almost any need. Here we briefly discuss its underlying implementation logic. Taking user registration as an example, AuthController a validator method is defined in:
This rule will be used when registering new users. Laravel uses | to separate multiple validation rules. For email example, this rule indicates that the email field is required, it must be an email address, the maximum length is 255, and it is in the users table. only one. Let’s look at the implementation of the entire verification process. The validator method is called in RegistersUsers Trait (Illuminate\Foundation\Auth\RegistersUsers):
The method is called first AuthController of validator method complete Validator(Illuminate\Validation\Validator. Initialization work and then call validatorinstancefailsmethod validation failed,failesmethod will be called againpasses` method:
passes The method will eventually iterate through each rule (converted to an array at initialization) and call validate method:
You can see here that the verification method corresponding to each rule is finally assembled and called. For email example, the final composition method is validateEmail that this verification method Validator has been defined in (in fact, each Rules can find the corresponding verification method here):
Through the code we see that the PHP provided by this is called filter_var and passed in the FILTER_VALIDATE_EMAIL identity to verify whether the incoming field is a valid email address. Regarding the implementation of other validation rules, interested students can study Validator this class.
#php #laravel #validation
