Filtros de validación
Just to clarify, since this may be unknown for a lot of people:
ASCII characters above 126 are known as "Extended" and they represent characters such as greek letters and accented letters in latin alphabets, used in languages such as pt_BR.
A good ASCII quick reference (aside from the already mentioned Wikipedia article) can be found at: http://www.asciicodes.com/
Filtros de saneamiento
| ID | Nombre | Opciones | Banderas | Descripción |
|---|---|---|---|---|
FILTER_SANITIZE_EMAIL |
"email" | Elimina todos los caracteres menos letras, dígitos y !#$%&'*+-/=?^_`{|}~@.[]. | ||
FILTER_SANITIZE_ENCODED |
"encoded" |
FILTER_FLAG_STRIP_LOW,
FILTER_FLAG_STRIP_HIGH,
FILTER_FLAG_ENCODE_LOW,
FILTER_FLAG_ENCODE_HIGH
|
String URL-encode, opcionalmente elimina o codifica caracteres especiales. | |
FILTER_SANITIZE_MAGIC_QUOTES |
"magic_quotes" | Aplica addslashes(). | ||
FILTER_SANITIZE_NUMBER_FLOAT |
"number_float" |
FILTER_FLAG_ALLOW_FRACTION,
FILTER_FLAG_ALLOW_THOUSAND,
FILTER_FLAG_ALLOW_SCIENTIFIC
|
Elimina todos los caracteres a excepción de los dígitos, +- y, opcionalmente, .,eE. | |
FILTER_SANITIZE_NUMBER_INT |
"number_int" | Elimina todos los caracteres excepto dígitos y los signos de suma y resta. | ||
FILTER_SANITIZE_SPECIAL_CHARS |
"special_chars" |
FILTER_FLAG_STRIP_LOW,
FILTER_FLAG_STRIP_HIGH,
FILTER_FLAG_ENCODE_HIGH
|
Escapa caracteres HTML '"<>& y caracteres con valores ASCII menores que 32, opcionalmente elimina o codifica caracteres especiales. | |
FILTER_SANITIZE_FULL_SPECIAL_CHARS |
"full_special_chars" |
FILTER_FLAG_NO_ENCODE_QUOTES,
|
Equivalente a llamar a htmlspecialchars() con ENT_QUOTES establecido. Las comillas de codificación pueden
ser desactivadas mediante el establecimiento de FILTER_FLAG_NO_ENCODE_QUOTES. Al igual que htmlspecialchars(),
este filtro tiene en cuenta el default_charset y si en una secuencia de bytes se detecta que
contiene un carácter no válido en el conjunto de caracteres actual entonces el string completo es rechazado lo que resulta en un string de longitud 0.
Cuando se utiliza este filtro como un filtro predeterminado, vea la advertiencia de abajo sobre establecer las banderas predeterminadas a 0.
|
|
FILTER_SANITIZE_STRING |
"string" |
FILTER_FLAG_NO_ENCODE_QUOTES,
FILTER_FLAG_STRIP_LOW,
FILTER_FLAG_STRIP_HIGH,
FILTER_FLAG_ENCODE_LOW,
FILTER_FLAG_ENCODE_HIGH,
FILTER_FLAG_ENCODE_AMP
|
Elimina etiquetas, opcionalmente elimina o codifica caracteres especiales. | |
FILTER_SANITIZE_STRIPPED |
"stripped" | Alias del filtro "string". | ||
FILTER_SANITIZE_URL |
"url" | Elimina todos los caracteres excepto letras, dígitos y $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=. | ||
FILTER_UNSAFE_RAW |
"unsafe_raw" |
FILTER_FLAG_STRIP_LOW,
FILTER_FLAG_STRIP_HIGH,
FILTER_FLAG_ENCODE_LOW,
FILTER_FLAG_ENCODE_HIGH,
FILTER_FLAG_ENCODE_AMP
|
No hace nada, opcionalmente elimina o codifica caracteres especiales. |
Advertencia
Cuando se utiliza uno de estos tres filtros como un filtro predetermindo a través de fichero ini
o de la configuración del servidor web, las banderas predeterminadas son establecidas a
FILTER_FLAG_NO_ENCODE_QUOTES. Se necesita establecer explícitamente
filter.default_flags a 0 para tener la codificación de comillas por omisión. Como esto:
Ejemplo #1 Configurar el filtro predeterminado para que actúe como htmlspecialchars
filter.default = full_special_chars
filter.default_flags = 0
add a note
User Contributed Notes
Filtros de saneamiento - [9 notes]
galvao at galvao dot eti dot br ¶
2 months ago
googlybash24 at aol dot com ¶
8 months ago
Remember to trim() the $_POST before your filters are applied:
<?php
// We trim the $_POST data before any spaces get encoded to "%20"
// Trim array values using this function "trim_value"
function trim_value(&$value)
{
$value = trim($value); // this removes whitespace and related characters from the beginning and end of the string
}
array_filter($_POST, 'trim_value'); // the data in $_POST is trimmed
$postfilter = // set up the filters to be used with the trimmed post array
array(
'user_tasks' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => !FILTER_FLAG_STRIP_LOW), // removes tags. formatting code is encoded -- add nl2br() when displaying
'username' => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW), // we are using this in the url
'mod_title' => array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW), // we are using this in the url
);
$revised_post_array = filter_var_array($_POST, $postfilter); // must be referenced via a variable which is now an array that takes the place of $_POST[]
echo (nl2br($revised_post_array['user_tasks'])); //-- use nl2br() upon output like so, for the ['user_tasks'] array value so that the newlines are formatted, since this is our HTML <textarea> field and we want to maintain newlines
?>
marcus at synchromedia dot co dot uk ¶
3 years ago
It's not entirely clear what the LOW and HIGH ranges are. LOW is characters below 32, HIGH is those above 127, i.e. outside the ASCII range.
<?php
$a = "\tcafé\n";
//This will remove the tab and the line break
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
//This will remove the é.
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
?>
adellemfrank at hotmail dot com ¶
10 months ago
A good list of which ASCII characters are < 32 and > 127 can be found at: http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters
roberto dot cr at gmail dot com ¶
2 days ago
Just to fix galvao's note: Extended Ascii starts at 128.
googlybash24 at aol dot com ¶
8 months ago
This should help with most simple "textarea" fields in post forms.
Removing user html tags while maintaining text formatting such as newlines and carriage returns involves using the FILTER_SANITIZE_STRING filter ID with the flag !FILTER_FLAG_STRIP_LOW. The formatting text (the low ASCII values under decimal 32) are encoded because of the included FILTER_FLAG_ENCODE_LOW flag, but you are now preventing these from being removed. When you want to display the value on the page back in its intended format, use nl2br() so the encoded newlines are formatted properly on the page.
This example cleans $_POST data from a textarea field with the name "user_tasks" on a previous html form, stripping tags but maintaining formatting (at least for newlines):
<?php
$postfilter =
array(
'user_tasks' => array('filter' => FILTER_SANITIZE_STRING, 'flags' => !FILTER_FLAG_STRIP_LOW), // removes tags. formatting code is encoded -- add nl2br() when displaying
);
$revised_post_array = filter_input_array(INPUT_POST, $postfilter); // must be referenced via a variable which is now an array that takes the place of $_POST[]
echo (nl2br($revised_post_array['user_tasks'])); // here we use nl2br() for the displayed value, for the ['user_tasks'] array value so that the newlines are formatted
?>
scamber256 at hotmail dot de ¶
1 year ago
Just a hint I tested,
You can obtain all the chars <32 (so newline and c.return), by using not operator > !FILTER_FLAG_STRIP_LOW as the last argument.
Example:
filter_input(INPUT_GET,'test',FILTER_SANITIZE_STRING,!FILTER_FLAG_STRIP_LOW);
The filter keeps working as before removing anything else as before apart from FILTER_FLAG_STRIP_LOW.
Just filter those "bad" chars <32 manually you don't want.
Dmitry Snytkine ¶
2 years ago
Beware that FILTER_FLAG_STRIP_LOW strips NEWLINE and TAG and CARRIAGE RETURN chars. If you have a form that accepts user input in plaintext format, all the submitted text will lose all the line breaks, making it appear all on one line. This basically renders this filter useless for parsing user-submitted text, even in plain text.