News Feed

News Archive
feed this:

Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

David Müller:
Why URL validation with filter_var might not be a good idea
September 20, 2012 @ 08:09:31

David Müller has a new post to his site today showing why validating URLs with filter_var is a good thing for the security of your application.

Since PHP 5.2 brought us the filter_var function, the time of such [regular expressions-based] monsters was over. [With] the simple, yet effective syntax [and] with a third parameter, filter flags can be passed, [...] 4 flags are available [for URL filtering].

He shows how to use it to filter out a simple XSS issue (a "script" tag in the URL) and some examples of issues that the filter_var function doesn't prevent - like injection of other schemes (like "php://" or "javascript://"). He recommends adding a wrapper around the method to check for the correct scheme (ex. "http" or "https" for URLs) and reminds you that filter_var is not multibyte capable.

0 comments voice your opinion now!
filtervar url validation security filter input
Input Validation Using Filter Functions
June 01, 2012 @ 15:53:28

On today there's a good tutorial that gives you some methods to do one of the most important things in any application - validating input. Their examples show how to use some of PHP's own filter functions to accomplish this.

Filter functions in PHP might not be sexy, but they can improve the stability, security, and even maintainability of your code if you learn how to use them correctly. In this article I'll explain why input validation is important, why using PHPs built-in functions for performing input validation is important, and then throw together some examples (namely using filter_input() and filter_var()), discuss some potential pitfalls, and finish with a nice, juicy call to action.

He talks about why validation is important to protect your application (and users) from malicious things like cross-site scripting. He emphasizes the use of PHP's own filter methods because they are established and, well, included in the language - no additional libraries needed. Example code is included showing how to use them to filter email addresses and check that something is an integer.

You can find out more about these functions on their manual pages: filter_input, filter_var.

0 comments voice your opinion now!
input validation filter tutorial bestpractice filtervar filterinput
Preventing PHP Mail(...) Header Injections
April 22, 2011 @ 11:06:23

On the Dream In Code forums there's a recent post showing you how to prevent mail() header injections when taking user input, like from a form.

PHP's mail() function is a very useful and powerful function, even to the point that it is very easy to exploit. A way hackers exploit this function is a method called email header injection. [...] I'm sure most of you can already tell that's not going to be pretty since we didn't check the user input and so forth. PHP provides us with functions such as filter_var which will validate user input and either return false if the validation fails or return the filtered data.

He includes an example of using this filtering methods to check the user input for malicious information - validating that the "to" address is a valid email (FILTER_VALIDATE_EMAIL) and a sanitize() method that removes things like newlines, carriage returns and a few other characters.

1 comment voice your opinion now!
prevent mail header injection tutorial filtervar sanitize
Revisiting filter_var() and FILTER_VALIDATE_URL
April 04, 2011 @ 08:44:45

From the site today there's a new post that revisits filtering with the filter_var function included with the language. The focus in this article is specifically in validating URLs with the FILTER_VALIDATE_URL flag.

Quite a while ago I looked at using the filter_var() function to validate URL's using the FILTER_VALIDATE_URL flag and someone pointed out recently that this function has not only changed since the initial release, but that a number of flags can be added to change the way that this function works.

He lists some of the other flags that are now available that can be used in conjunction with FILTER_VALIDATE_URL to get more fine-grained in your filtering - checks on things like a required scheme, hostname and query string. He includes some code with a set of URLs to run through some tests and output as a table with the pass/fail rank of each URL value. You can see the resulting output here.

0 comments voice your opinion now!
filtervar url filtervalidateurl scheme hostname path query

Mattias Geniar's Blog:
Input Validation Using filter_var() Over Regular Expressions
February 11, 2009 @ 07:55:30

This recent post to Mattias Geniar's blog takes a look at an alternative to trying to catch every single thing that could be filtered on user input with a regular expression - the filter_var function.

Just about the biggest time-sink on any project, is the amount of input validation that needs to be done. You _have_ to assume your visitor is a maniac serial killer, out to destroy your application. And you have to prevent it. [...] Thus starts our never-ending battle for user input validation. We can't allow it all so we check every value presented to us. But using PHP's filter_var function, this can be made 100x easier!

He includes the long list of filtering types that the function has to offer including sanitizing strings, working with special characters and validating input like email addresses, URLs and IP addresses.

0 comments voice your opinion now!
filtervar regular expressions input validation sanitize

Paul Jones' Blog:
Sanitation with PHP filter_var()
January 17, 2007 @ 15:22:00

In working on a new filter for his Solar framework, Paul Jones discovered that the "float" sanitizer in the new filter extension (PHP 5.2+) doesn't quite work as expected.

I found a problem with the "float" sanitizing function in the 5.2.0 release, and thought others might want to be aware of it. In short, if you allow decimal places, the sanitizer allows any number of decimal points, not just one, and it returns an un-sanitary float.

He includes the text of the bug he submitted as an example of how the error might happen and, despite it being marked bogus, Paul still holds that things are still not working like they should.

You can also check out Pierre-Alain Joye's response to this over on his blog.

0 comments voice your opinion now!
filter extension sanitatinon filtervar float solar framework filter extension sanitatinon filtervar float solar framework

Community Events

Don't see your event here?
Let us know!

wordpress unittest framework voicesoftheelephpant laravel5 threedevsandamaybe development middleware podcast laravel api series library extension opinion community release introduction interview language

All content copyright, 2015 :: - Powered by the Solar PHP Framework