2017-10-28 15:40:59 +00:00

<?xml version="1.0" encoding="utf-8"?>
<!-- $Revision$ -->
<chapter xml:id="filter.filters" xmlns="" xmlns:xlink="">
<title>Types of filters</title>
<!--Validate filters: {{{-->
<section xml:id="filter.filters.validate">
<title>Validate filters</title>
<title>Listing of filters for validation</title>
<tgroup cols="5">
Returns &true; for "1", "true", "on" and "yes".
Returns &false; otherwise.
If <constant>FILTER_NULL_ON_FAILURE</constant> is set, &false; is
returned only for "0", "false", "off", "no", and "", and
&null; is returned for all non-boolean values.
Validates whether the value is a valid e-mail address.
In general, this validates e-mail addresses against the syntax in
RFC 822, with the exceptions that comments and whitespace folding
and dotless domain names
are not supported.
<entry>Validates value as float, and converts to float on success.</entry>
<entry>Validates value as integer, optionally from the specified range, and converts to int on success.</entry>
Validates value as IP address, optionally only IPv4 or IPv6 or not
from private or reserved ranges.
<entry>Validates value as MAC address.</entry>
Validates value against <parameter>regexp</parameter>, a
<link linkend="book.pcre">Perl-compatible</link> regular expression.
<entry>Validates value as URL (according to <link xlink:href="&url.rfc;2396">&url.rfc;2396</link>), optionally with required components. Beware that a valid URL may not specify the HTTP protocol <literal>http://</literal>, so further validation may be required to determine whether the URL uses an expected protocol, e.g. <literal>ssh://</literal> or <literal>mailto:</literal>. Note that the function will only find ASCII URLs to be valid; internationalized domain names (containing non-ASCII characters) will fail.</entry>
As of PHP 5.4.11, the numbers +0 and -0 validate both as integers and
as floats (using <constant>FILTER_VALIDATE_FLOAT</constant> and
<constant>FILTER_VALIDATE_INT</constant>). Before PHP 5.4.11 they only
validated as floats (using <constant>FILTER_VALIDATE_FLOAT</constant>).
When the <parameter>default</parameter> option is set, <parameter>default</parameter>'s value is used if the value fails validation.
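An added example (not part of the PHP manual source) of the further validation the FILTER_VALIDATE_URL entry calls for: the filter accepts any well-formed scheme, so the caller checks the scheme against an allowlist. It also shows FILTER_NULL_ON_FAILURE and the default option; the function name validate_web_url, the allowlist and the sample inputs are constructed for illustration.

```php
<?php
// Added example: names, allowlist and sample inputs are constructed.

/**
 * Returns the URL when it is syntactically valid AND uses an allowed scheme,
 * otherwise null. FILTER_VALIDATE_URL alone does not restrict the scheme.
 */
function validate_web_url(string $input, array $allowedSchemes = ['http', 'https']): ?string
{
    $url = filter_var($input, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;                      // not a valid ASCII URL at all
    }
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (!is_string($scheme) || !in_array(strtolower($scheme), $allowedSchemes, true)) {
        return null;                      // valid URL, unexpected protocol
    }
    return $url;
}

$samples = [
    'https://example.com/path?x=1',
    'ssh://example.com',
    'mailto:user@example.com',
    'example.com',
];
foreach ($samples as $s) {
    printf("%-32s filter=%-5s allowlisted=%s\n",
        $s,
        var_export(filter_var($s, FILTER_VALIDATE_URL) !== false, true),
        var_export(validate_web_url($s) !== null, true));
}

// Boolean and integer validation: FILTER_NULL_ON_FAILURE separates "false"
// from "not a boolean", and the default option replaces a value that
// fails the range check.
$flag = filter_var('maybe', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
$page = filter_var('9999', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 500, 'default' => 1],
]);
var_dump($flag, $page);
?>
```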
<simplesect role="changelog">
<tgroup cols="2">
Added <constant>FILTER_VALIDATE_MAC</constant>
<constant>FILTER_VALIDATE_URL</constant> now implicitly uses
<constant>FILTER_FLAG_SCHEME_REQUIRED</constant> and
<!-- Sanitize filters: {{{-->
<section xml:id="filter.filters.sanitize">
<title>Sanitize filters</title>
<title>List of filters for sanitization</title>
<tgroup cols="5">
Remove all characters except letters, digits and
<entry>URL-encode string, optionally strip or encode special characters.</entry>
<entry>Apply <function>addslashes</function>.</entry>
Remove all characters except digits, <literal>+-</literal> and
optionally <literal>.,eE</literal>.
Remove all characters except digits, plus and minus sign.
HTML-escape <literal>'"&lt;&gt;&amp;</literal> and characters with
ASCII value less than 32, optionally strip or encode other special
Equivalent to calling <function>htmlspecialchars</function> with <constant>ENT_QUOTES</constant> set. Encoding quotes can
be disabled by setting <constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>. Like <function>htmlspecialchars</function>, this
filter is aware of the <link linkend="ini.default-charset">default_charset</link> and if a sequence of bytes is detected that
makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string.
When using this filter as a default filter, see the warning below about setting the default flags to 0.
<entry>Strip tags, optionally strip or encode special characters.</entry>
<entry>Alias of "string" filter.</entry>
Remove all characters except letters, digits and
Do nothing, optionally strip or encode special characters. This
filter is also aliased to <constant>FILTER_DEFAULT</constant>.
When using one of these filters as a default filter, either through your ini file
or through your web server's configuration, the default flags are set to
<constant>FILTER_FLAG_NO_ENCODE_QUOTES</constant>. You need to explicitly set
filter.default_flags to 0 to have quotes encoded by default. For example:
<title>Configuring the default filter to act like htmlspecialchars</title>
<programlisting role="php">
filter.default = full_special_chars
filter.default_flags = 0
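An added example (not from the PHP manual source) of why the default flag matters: with FILTER_FLAG_NO_ENCODE_QUOTES the quote characters pass through unencoded, which is unsafe when the value is written into a quoted HTML attribute. The sample value and the helper render_input are constructed for illustration.

```php
<?php
// Added example: the input string and render_input() are constructed.
$value = 'Tom "T" O\'Neil';

// Behaviour of the default filter when filter.default_flags is left unset:
// quotes are NOT encoded.
$weak = filter_var(
    $value,
    FILTER_SANITIZE_FULL_SPECIAL_CHARS,
    FILTER_FLAG_NO_ENCODE_QUOTES
);

// Behaviour with filter.default_flags = 0: quotes are encoded as well.
$safe = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

// Places an already-encoded value into a double-quoted attribute.
function render_input(string $encoded): string
{
    return '<input name="nick" value="' . $encoded . '">';
}

echo render_input($weak), "\n";   // the value attribute ends at the first raw quote
echo render_input($safe), "\n";   // quotes arrive as entities, the attribute stays intact

// Compare the flag-free call with htmlspecialchars() using ENT_QUOTES,
// which the filter description above calls equivalent.
var_dump($safe === htmlspecialchars($value, ENT_QUOTES));
?>
```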
<simplesect role="changelog">
<tgroup cols="2">
Slashes (<literal>/</literal>) are removed by
<constant>FILTER_SANITIZE_EMAIL</constant>. Previously they were retained.
<!-- Other filters: {{{-->
<section xml:id="filter.filters.misc">
<title>Other filters</title>
<title>List of miscellaneous filters</title>
<tgroup cols="5">
<entry><type>callable</type> function or method</entry>
<entry>Call user-defined function to filter data.</entry>
<!-- Filter flags: {{{-->
<section xml:id="filter.filters.flags">
<title>Filter flags</title>
<title>List of filter flags</title>
<tgroup cols="3">
<entry>Used with</entry>
Strips characters that have a numerical value &lt;32.
Strips characters that have a numerical value &gt;127.
Strips backtick characters.
Allows a period (<literal>.</literal>) as a fractional separator in
Allows a comma (<literal>,</literal>) as a thousands separator in
Allows an <literal>e</literal> or <literal>E</literal> for scientific
notation in numbers.
If this flag is present, single (<literal>'</literal>) and double
(<literal>"</literal>) quotes will not be encoded.
Encodes all characters with a numerical value &lt;32.
Encodes all characters with a numerical value &gt;127.
Encodes ampersands (<literal>&amp;</literal>).
Returns &null; for unrecognized boolean values.
Regards inputs starting with a zero (<literal>0</literal>) as octal
numbers. This only allows the succeeding digits to be
Regards inputs starting with <literal>0x</literal> or
<literal>0X</literal> as hexadecimal numbers. This only allows
succeeding characters to be <literal>a-fA-F0-9</literal>.
Allows the local part of the email address to contain Unicode characters.
Allows the IP address to be in IPv4 format.
Allows the IP address to be in IPv6 format.
Fails validation for the following private IPv4 ranges:
<literal></literal>, <literal></literal> and
Fails validation for the IPv6 addresses starting with
<literal>FD</literal> or <literal>FC</literal>.
Fails validation for the following reserved IPv4 ranges:
<literal></literal>, <literal></literal>,
<literal></literal> and <literal></literal>.
Fails validation for the following reserved IPv6 ranges:
<literal>::1/128</literal>, <literal>::/128</literal>,
<literal>::ffff:0:0/96</literal> and <literal>fe80::/10</literal>.
Requires the <acronym>URL</acronym> to contain a scheme part.
Requires the <acronym>URL</acronym> to contain a host part.
Requires the <acronym>URL</acronym> to contain a path part.
Requires the <acronym>URL</acronym> to contain a query string.
Requires the value to be scalar.
Requires the value to be an array.
If the value is a scalar, it is treated as an array with the scalar value
as its only element.
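An added example (not part of the PHP manual source) combining the IP flags listed above to accept only public addresses, for instance before a user-supplied address is used as an outbound connection target. The function name public_ip_or_null and the sample addresses are constructed for illustration.

```php
<?php
// Added example: function name and sample addresses are constructed.

/**
 * Returns the address when it is a valid IP literal of the requested
 * family and lies outside the private and reserved ranges, else null.
 */
function public_ip_or_null(
    string $input,
    int $family = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6
): ?string {
    $ip = filter_var(
        $input,
        FILTER_VALIDATE_IP,
        $family | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    return $ip === false ? null : $ip;
}

$samples = [
    '8.8.8.8', '10.1.2.3', '::1', 'fe80::1',
    'fd00::1', '2001:4860:4860::8888', '1.2.3',
];
foreach ($samples as $s) {
    printf("%-22s %s\n", $s, public_ip_or_null($s) === null ? 'rejected' : 'accepted');
}

// Restricting the family: an IPv6 literal is refused when only IPv4 is allowed.
var_dump(public_ip_or_null('2001:4860:4860::8888', FILTER_FLAG_IPV4));

// FILTER_REQUIRE_ARRAY validates every element of an array input;
// FILTER_FORCE_ARRAY wraps a scalar into a one-element array first.
var_dump(filter_var(
    ['8.8.8.8', '10.1.2.3'],
    FILTER_VALIDATE_IP,
    FILTER_REQUIRE_ARRAY | FILTER_FLAG_NO_PRIV_RANGE
));
var_dump(filter_var('8.8.8.8', FILTER_VALIDATE_IP, FILTER_FORCE_ARRAY));
?>
```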
<simplesect role="changelog">
<tgroup cols="2">
<constant>FILTER_FLAG_EMAIL_UNICODE</constant> has been added.
<constant>FILTER_FLAG_STRIP_BACKTICK</constant> has been added.
<constant>FILTER_FLAG_NO_RES_RANGE</constant> also supports IPv6 addresses.
<!-- Keep this comment at the end of the file
Local variables:
mode: sgml
vim600: syn=xml fen fdm=marker fdl=2 si
vim: et tw=78 syn=sgml
vi: ts=1 sw=1