What is the difference between sanitize and filter in PHP?


While writing a security class for PHP, I noticed the existence of two similar constants, such as FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT.

The same pattern applies to email, string and other validations. What is the difference between these two constants? When should one or the other be used?

Would the following method be 'correct' for safer validation?

public static function int($name)
{
    // Overwrites the raw POST value with the sanitized one, then validates it.
    $_POST[$name] = filter_input(INPUT_POST, $name, FILTER_SANITIZE_NUMBER_INT);

    if (filter_var($_POST[$name], FILTER_VALIDATE_INT)) {
        return true;
    }
    return false;
}

There are standard functions in PHP, such as is_int() and is_integer(), but they seem to be less reliable. (I'm not sure.)

asked by anonymous 08.07.2016 / 16:39

1 answer


The difference between FILTER_SANITIZE_* and FILTER_VALIDATE_* is that the first attempts to 'convert' an input into a specific 'safe' format using very specific rules. This modification does not guarantee valid output. The second checks whether the input matches the established pattern (int, e-mail, IP, etc.).

It is important to consult the documentation before using these constants with their functions, as your criteria may be totally different from those provided by the language; see the examples below.

FILTER_SANITIZE_NUMBER_INT

It tries to convert a string into a number, but the rule used is literally loose: it removes all non-numeric characters (0-9) except +, - and ., which are required to represent negative or fractional numbers. In other words, there is a great chance of a false positive. FILTER_SANITIZE_NUMBER_INT is a less restrictive version of a cast:

$id = (int) $_GET['id'];

Let's say a database record should be changed, but first let's validate the user's input.

$id = '-aaa3';
$id = filter_var($id, FILTER_SANITIZE_NUMBER_INT); // '-3'

$id2 = '-++';
$id2 = filter_var($id2, FILTER_SANITIZE_NUMBER_INT); // '-++' (nothing removed, still not a number)

The output is -3 when a conversion failure should have been returned.

FILTER_VALIDATE_INT

Checks whether the string is a valid integer (otherwise it returns false, i.e. it fails); the + and - signs are only allowed at the start.

$id = '3-';
$id = filter_var($id, FILTER_VALIDATE_INT); // false

$id = '-3';
$id = filter_var($id, FILTER_VALIDATE_INT); // -3 (int)

Code Review

The question's code can start from a wrong premise and pass an incorrect result forward. For example, the input 4@2 is not a valid integer, but applying FILTER_SANITIZE_NUMBER_INT removes the @, now making the input a valid integer (42). The function will return true, but will this 42 cause any problems further on?

The main concerns when validating an integer are: do not let PHP take just the numeric part of the string, to avoid generating false positives, and check whether the input is composed only of digits (0-9) or (+) signs.

is_integer() is an alias of is_int(). This function checks whether the variable's type is int, otherwise it returns false. A valid string returns false, and if any conversion is done there is the problem of getting just the numeric part.

The most suitable and strict option in this case is ctype_digit(). The function requires a string to be passed, and if it is made up only of digits (0-9) it returns true.

ctype_digit() has a drawback. If an integer in the range -128 to 255 is passed, it is interpreted as an ASCII code, or false is returned. However, there is a curious way to convert an input into a string, which is to put that value or variable in double quotation marks.

$id = 255;
var_dump(ctype_digit("$id")); // true  (the string "255")
var_dump(ctype_digit($id));   // false (the int 255 is read as an ASCII code)

Related:

Why is the expression "2 + '6 apples'" equal to 8?

Is "1 ----- 1 - + - 1" a valid integer value in PHP?

08.07.2016 / 17:05
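The following is an added example, not code from the question or the answer above. It runs the three approaches discussed side by side over a constructed set of inputs: the question's "sanitize, then validate" pattern, a plain FILTER_VALIDATE_INT check on the raw input, and a stricter check suited to something like a record id (digits only, with a range). The function names, the sample inputs and the upper bound of 1 000 000 are assumptions made for the illustration.

```php
<?php
// Added example (not part of the original question or answer): contrasts
// "sanitize then validate" with "validate only" and with a stricter check.
// Function names, sample inputs and the range limit are the example's own.

declare(strict_types=1);

// The question's approach: sanitize first, then validate. It accepts input
// that was never a valid integer, because sanitizing rewrites it into one.
function sanitizeThenValidate(string $input): int|false
{
    $cleaned = filter_var($input, FILTER_SANITIZE_NUMBER_INT);
    return filter_var($cleaned, FILTER_VALIDATE_INT);
}

// Validate only: the raw input must already be a well-formed integer.
// FILTER_VALIDATE_INT returns the int on success and false on failure, so
// callers must compare with === false, because a legitimate 0 is falsy.
// Note that it still ignores leading/trailing whitespace (' 42' passes).
function validateOnly(string $input): int|false
{
    return filter_var($input, FILTER_VALIDATE_INT);
}

// Stricter variant for an identifier: only a run of digits is accepted
// (no sign, no whitespace), and the value must fall inside a range.
// FILTER_VALIDATE_INT itself rejects leading zeros such as '042'.
// The upper bound is an assumed value for this example.
function strictRecordId(string $input, int $max = 1_000_000): int|false
{
    if (!ctype_digit($input)) {
        return false;
    }
    return filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
}

// Constructed sample inputs covering the cases discussed in the answer.
$samples = ['42', '-3', '4@2', '-aaa3', '3-', '-++', ' 42', '042', '0', '1e3'];

printf("%-8s %-20s %-14s %-14s\n", 'input', 'sanitize+validate', 'validate only', 'strict id');
foreach ($samples as $s) {
    printf("%-8s %-20s %-14s %-14s\n",
        var_export($s, true),
        var_export(sanitizeThenValidate($s), true),
        var_export(validateOnly($s), true),
        var_export(strictRecordId($s), true));
}
```

Running it shows the point of the answer in one table: '4@2', '-aaa3' and '1e3' are turned into 42, -3 and 13 by the sanitize-then-validate path and accepted, while validate-only rejects all three. The validate-only column also shows two caveats worth knowing before using it on its own: ' 42' is accepted because FILTER_VALIDATE_INT trims whitespace, and '0' comes back as the int 0, which a bare `if (filter_var(...))` would treat as a failure. The strict column rejects everything except '42'.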