| layout | upgrade | title | keywords |
|---|---|---|---|
default |
#filter |
Filter |
filter, sanitize |
Sanitizing user input is a critical part of software development. Trusting or neglecting to sanitize user input could lead to unauthorized access to the content of your application, mainly user data, or even the server your application is hosted on.
Sanitizing content can be achieved using the Phalcon\Filter and Phalcon\Filter\FilterFactory classes.
This component creates a new locator with predefined filters attached to it. Each filter is lazy loaded for maximum performance. To instantiate the factory and retrieve the Phalcon\Filter with the preset sanitizers you need to call newInstance()
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();You can now use the locator wherever you need and sanitize content as per the needs of your application.
The Phalcon\Filter component implements a locator service and can be used as a stand alone component, without initializing the built-in filters.
<?php
use MyApp\Sanitizers\HelloSanitizer;
use Phalcon\Filter;
$services = [
'hello' => HelloSanitizer::class,
];
$locator = new Filter($services);
$text = $locator->hello('World');NOTE: The Phalcon\Di\FactoryDefault container already has a Phalcon\Filter object loaded with the predefined sanitizers. The component can be accessed using the
filtername.{: .alert .alert-info }
NOTE: Where appropriate, the sanitizers will cast the value to the type expected. For example the
absintsanitizer will remove all non numeric characters from the input, cast the input to an integer and return its absolute value.{: .alert .alert-warning }
The following are the built-in filters provided by this component:
AbsInt( mixed $input ): intRemoves any non numeric characters, casts the value to integer and returns its absolute value. Internally it uses [filter_var] for the integer part, intval for casting and absint.
Alnum( mixed $input ): string | arrayRemoves all characters that are not numbers or characters of the alphabet. It uses preg_replace which can also accept arrays of strings as the parameters.
Alpha( mixed $input ): string | arrayRemoves all characters that are not characters of the alphabet. It uses preg_replace which can also accept arrays of strings as the parameters.
BoolVal( mixed $input ): boolCasts the value to a boolean.
It also returns true if the value is:
trueonyesy1
It also returns false if the value is:
falseoffnon0
Email( mixed $input ): stringRemoves all characters except letters, digits and !#$%&*+-/=?^_`{\|}~@.[]. Internally it uses filter_var with FILTER_FLAG_EMAIL_UNICODE.
FloatVal( mixed $input ): floatRemoves all characters except digits, dot, plus and minus sign and casts the value as a double. Internally it uses filter_var and (double).
IntVal( mixed $input ): intRemove all characters except digits, plus and minus sign and casts the value as an integer. Internally it uses filter_var and (int).
Lower( mixed $input ): stringConverts all characters to lowercase. If the mbstring extension is loaded, it will use mb_convert_case to perform the transformation. As a fallback it uses the strtolower PHP function, with utf8_decode.
LowerFirst( mixed $input ): stringConverts the first character of the input to lower case. Internally it uses lcfirst.
Regex( mixed $input, mixed $pattern, mixed $replace ): stringPerforms a regex replacement on the input using a pattern and the replace parameter. Internally it uses preg_replace.
Remove( mixed $input, mixed $replace ): stringPerforms a replacement on the input, replacing the replace parameter with an empty string, effectively removing it. Internally it uses str_replace.
Replace( mixed $input, mixed $from, mixed $to ): stringPerforms a replacement on the input based on the from and to passed parameters. Internally it uses str_replace.
Special( mixed $input ): stringEscapes all HTML characters of the input, as well as '"<>& and characters with ASCII value less than 32. Internally it uses filter_var.
SpecialFull( mixed $input ): stringConverts all the special characters of the input to HTML entities (both double and single quotes). Internally it uses filter_var.
StringVal( mixed $input ): stringStrip tags and encode HTML entities, including single and double quotes. Internally it uses filter_var.
StripTags( mixed $input ): intRemoves all HTML and PHP tags from the input. Internally it uses strip_tags.
Trim( mixed $input ): stringRemoves all leading and trailing whitespace from the input. Internally it uses trim.
Upper( mixed $input ): stringConverts all characters to uppercase. If the mbstring extension is loaded, it will use mb_convert_case to perform the transformation. As a fallback it uses the strtoupper PHP function, with utf8_decode.
UpperFirst( mixed $input ): stringConverts the first character of the input to upper case. Internally it uses ucfirst.
UpperWords( mixed $input ): stringConverts into uppercase the first character of each word from the input. Internally it uses ucwords.
Url( mixed $input ): stringConstants are available and can be used to define the type of sanitizing required:
<?php
const FILTER_ABSINT = 'absint';
const FILTER_ALNUM = 'alnum';
const FILTER_ALPHA = 'alpha';
const FILTER_BOOL = 'bool';
const FILTER_EMAIL = 'email';
const FILTER_FLOAT = 'float';
const FILTER_INT = 'int';
const FILTER_LOWER = 'lower';
const FILTER_LOWERFIRST = 'lowerFirst';
const FILTER_REGEX = 'regex';
const FILTER_REMOVE = 'remove';
const FILTER_REPLACE = 'replace';
const FILTER_SPECIAL = 'special';
const FILTER_SPECIALFULL = 'specialFull';
const FILTER_STRING = 'string';
const FILTER_STRIPTAGS = 'striptags';
const FILTER_TRIM = 'trim';
const FILTER_UPPER = 'upper';
const FILTER_UPPERFIRST = 'upperFirst';
const FILTER_UPPERWORDS = 'upperWords';
const FILTER_URL = 'url';Sanitizing is the process which removes specific characters from a value, that are not required or desired by the user or application. By sanitizing input we ensure that application integrity will be intact.
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();
// 'someone@example.com'
$locator->sanitize('some(one)@exa\mple.com', 'email');
// 'hello'
$locator->sanitize('hello<<', 'string');
// '100019'
$locator->sanitize('!100a019', 'int');
// '100019.01'
$locator->sanitize('!100a019.01a', 'float');You can access the Phalcon\Filter object from your controllers when accessing GET or POST input data (through the request object). The first parameter is the name of the variable to be obtained; the second is the sanitizer to be applied on it. The second parameter can also be an array with any number of sanitizers that you want to apply.
<?php
use Phalcon\Filter;
use Phalcon\Http\Request;
use Phalcon\Mvc\Controller;
/**
* Class ProductsController
*
* @property Request $request
*/
class ProductsController extends Controller
{
public function saveAction()
{
if (true === $this->request->isPost()) {
$price = $this->request->getPost('price', 'double');
$email = $this->request->getPost(
'customerEmail',
Filter::FILTER_EMAIL
);
}
}
}If you have used the Phalcon\Di\FactoryDefault as your DI container, the Phalcon\Filter is already registered for you with the default sanitizers. To access it we can use the name filter. If you do not use the Phalcon\Di\FactoryDefault container, you will need to set the service up in it, so that it can be accessible in your controllers.
We can sanitize values passed into controller actions as follows:
<?php
use Phalcon\Filter;
use Phalcon\Mvc\Controller;
/**
* Class ProductsController
*
* @property Filter $filter
*/
class ProductsController extends Controller
{
public function showAction($productId)
{
$productId = $this->filter->sanitize($productId, 'absint');
}
}The Phalcon\Filter both filters and sanitizes data, depending on the sanitizers used. For instance the trim sanitizer will remove all leading and trailing whitespace, leaving the remaining input unchanged. The description of each sanitizer (see Built-in Sanitizers) can help you to understand and use the sanitizers according to your needs.
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();
// 'Hello'
$locator->sanitize('<h1>Hello</h1>', 'striptags');
// 'Hello'
$locator->sanitize(' Hello ', 'trim');You can add your own sanitizers to Phalcon\Filter. The sanitizer can be an anonymous function when initializing the locator:
<?php
use Phalcon\Filter;
$services = [
'md5' => function ($input) {
return md5($input);
},
];
$locator = new Filter($services);
$sanitized = $locator->sanitize($value, 'md5');If you already have an instantiated filter locator object (for instance if you have used the Phalcon\Filter\FilterFactory and newInstance()), then you can simply add the custom filter:
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();
$locator->set(
'md5',
function ($input) {
return md5($input);
}
);
$sanitized = $locator->sanitize($value, 'md5');Or, if you prefer, you can implement the filter in a class:
<?php
use Phalcon\Filter\FilterFactory;
class IPv4
{
public function __invoke($value)
{
return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
}
}
$factory = new FilterFactory();
$locator = $factory->newInstance();
$locator->set(
'ipv4',
new Ipv4()
);
// Sanitize with the 'ipv4' filter
$filteredIp = $locator->sanitize('127.0.0.1', 'ipv4');There are times where one sanitizer is not enough for your data. For instance a very common usage is the striptags and trim sanitizers for text input. The Phalcon\Filter component offers the ability to accept an array of names for sanitizers to be applied on the input value. The following example demonstrates this:
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();
// Returns 'Hello'
$locator->sanitize(
' <h1> Hello </h1> ',
[
'striptags',
'trim',
]
);Note that this feature also works on the Phalcon\Http\Request object, when calling methods to retrieve data from GET and POST, namely getQuery() and getPost().
<?php
use Phalcon\Filter;
use Phalcon\Http\Request;
use Phalcon\Mvc\Controller;
/**
* Class ProductsController
*
* @property Request $request
*/
class ProductsController extends Controller
{
public function saveAction()
{
if (true === $this->request->isPost()) {
$message = $this->request->getPost(
' <h1> Hello </h1> ',
[
'striptags',
'trim',
]
);
}
}
}A custom sanitizer can be implemented as as an anonymous function. If however you prefer to use a class per sanitizer, all you need to do is make it a callable by implementing the __invoke method with the relevant parameters.
<?php
use Phalcon\Filter\FilterFactory;
$factory = new FilterFactory();
$locator = $factory->newInstance();
$locator->set(
'md5',
function ($input) {
return md5($input);
}
);
$sanitized = $locator->sanitize($value, 'md5');Or, if you prefer, you can implement the sanitizer in a class:
<?php
use Phalcon\Filter\FilterFactory;
class IPv4
{
public function __invoke($value)
{
return filter_var($value, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
}
}
$factory = new FilterFactory();
$locator = $factory->newInstance();
$locator->set(
'ipv4',
function () {
return new Ipv4();
}
);
// Sanitize with the 'ipv4' filter
$filteredIp = $locator->sanitize('127.0.0.1', 'ipv4');