Saturday, 16 May 2015

PHP Validation Filters - Avoid Security Vulnerabilities

Data validation is an essential part of working with forms: input arrives from sources you do not control, and treating it as trustworthy leads to serious security issues.

As of PHP 5.2.0, the filter extension is enabled by default, so these filter functions are available without any installation and make validation tasks much easier.

These PHP filters are used to validate and filter data coming from insecure sources, like user input.
  • FILTER_VALIDATE_BOOLEAN
The FILTER_VALIDATE_BOOLEAN filter validates a value as a boolean option.

Return Values : true for "1", "true", "on" and "yes"; false for "0", "false", "off", "no" and the empty string. Any other value is also reported as false, unless the FILTER_NULL_ON_FAILURE flag is set, in which case null is returned so that invalid input can be told apart from a genuine false.

Example :  
<?php
$var = TRUE;
echo(filter_var($var, FILTER_VALIDATE_BOOLEAN));
?>
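The ambiguity between "false" and "invalid" matters as soon as the value comes from a form a user can tamper with. The following is an added example, not code from the original post, showing the FILTER_NULL_ON_FAILURE flag on a set of constructed sample inputs:

```php
<?php
// Added example, not from the original post: telling a real "false" apart from
// invalid input. Without FILTER_NULL_ON_FAILURE, filter_var() returns false for
// "no"/"off"/"0" and for garbage alike, so a tampered checkbox value such as
// "maybe" would silently be treated as "no". With the flag, garbage becomes null.
function parseBoolOption(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Constructed sample inputs standing in for a submitted form field.
foreach (['yes', 'on', '1', 'true', 'no', 'off', '0', '', 'maybe', '2'] as $input) {
    $result = parseBoolOption($input);
    printf("%-8s => %s\n",
        var_export($input, true),
        $result === null ? 'rejected (not a boolean)' : var_export($result, true));
}
```

The caller can then treat null as a validation error (and, for example, refuse the whole form) instead of quietly defaulting an unrecognised value to false.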
  • FILTER_VALIDATE_EMAIL
The FILTER_VALIDATE_EMAIL filter validates an e-mail address.

Example :  
<?php
$email = "vikas.patil@xyz.com";
if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
  echo("$email is a valid email address");
} else {
  echo("$email is not a valid email address");
}
?>
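A common place where this filter pays off is a contact form whose address ends up in a mail header. The following is an added example, not code from the original post; the inputs, including the injection attempt, are constructed for illustration:

```php
<?php
// Added example, not from the original post: a contact form that copies the
// visitor's address into a Reply-To header. If the raw value reaches the header
// unvalidated, an embedded CR/LF lets an attacker append headers of their own
// (mail header injection). FILTER_VALIDATE_EMAIL rejects such values, because
// control characters, spaces and commas are not legal in a single address, so
// the header is never built from them.
function replyToHeader(string $rawEmail): ?string
{
    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null; // refuse to build the header at all
    }
    return "Reply-To: $email\r\n";
}

// Constructed inputs: a normal address, an injection attempt, a list, and junk.
$inputs = [
    'vikas.patil@xyz.com',
    "vikas.patil@xyz.com\r\nBcc: everyone@victim.example",
    'vikas.patil@xyz.com, other@xyz.com',
    'not an address',
];
foreach ($inputs as $raw) {
    $header = replyToHeader($raw);
    printf("%-55s => %s\n",
        json_encode($raw),
        $header === null ? 'rejected' : 'header built');
}
```

Only the first input produces a header; the other three are rejected before any mail function sees them.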
  • FILTER_VALIDATE_FLOAT
The FILTER_VALIDATE_FLOAT filter validates a value as a float number.

Example :  
<?php
$var=52.9;
var_dump(filter_var($var, FILTER_VALIDATE_FLOAT));
?>
  • FILTER_VALIDATE_INT
The FILTER_VALIDATE_INT filter validates a value as an integer and returns it as an int on success, or false on failure. Because a valid value of 0 is falsy, always compare the result with === false rather than relying on a truthiness check.

It also allows us to specify a range for the integer variable.

Options :

min_range - specifies the minimum integer value
max_range - specifies the maximum integer value
Flags :

FILTER_FLAG_ALLOW_OCTAL - allows octal number values
FILTER_FLAG_ALLOW_HEX - allows hexadecimal number values.

Example : 

<?php
$int = 5;
$min = 1;
$max = 10;
$range = array("options" => array("min_range"=>$min, "max_range"=>$max));
if (filter_var($int, FILTER_VALIDATE_INT, $range) === false) {
  echo("Given value is not within the expected range");
} else {
  echo("Given value is within the expected range");
}
?>
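In a real form the value arrives as a string from the query string or request body. The following is an added example, not code from the original post, validating a constructed set of "page number" inputs with a range, and showing what the octal and hex flags change:

```php
<?php
// Added example, not from the original post: validating a page number taken
// from a query string. The inputs below are constructed in place of $_GET.
function validatePage(string $raw, int $min = 1, int $max = 500): ?int
{
    $options = ['options' => ['min_range' => $min, 'max_range' => $max]];
    // Strict comparison is essential: filter_var() returns the integer itself,
    // so a legitimate 0 would look like failure to a plain if (!...) check.
    $page = filter_var($raw, FILTER_VALIDATE_INT, $options);
    return $page === false ? null : $page;
}

// Constructed inputs: in range, out of range, surrounding whitespace (trimmed
// by the filter), hex and octal notation (rejected without the flags), a float
// in exponent form, an injection attempt, and an empty field.
$samples = ['7', '0', '500', '501', ' 3 ', '0x1A', '012', '1e3', '7 OR 1=1', ''];
foreach ($samples as $s) {
    $page = validatePage($s);
    printf("%-12s => %s\n", var_export($s, true),
        $page === null ? 'rejected' : "page $page");
}

// Opt in explicitly if alternative notations are wanted; the filter converts
// them to a decimal int, so downstream code never sees the "0x"/leading-zero form.
var_dump(filter_var('0x1A', FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX));
var_dump(filter_var('012', FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_OCTAL));
```

The validated int can then be used directly in a LIMIT/OFFSET calculation or a bound parameter; the string "7 OR 1=1" never gets that far.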
  • FILTER_VALIDATE_IP
The FILTER_VALIDATE_IP filter validates an IP address and can optionally be restricted to IPv4 only or IPv6 only, or reject addresses from private or reserved ranges.

Flags :  
FILTER_FLAG_IPV4 - The value must be a valid IPv4 address
FILTER_FLAG_IPV6 - The value must be a valid IPv6 address
FILTER_FLAG_NO_PRIV_RANGE - The value must not be within a private range
FILTER_FLAG_NO_RES_RANGE - The value must not be within a reserved range
Example :  
<?php
$ip = "127.0.0.1";
if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
  echo("$ip is a valid IP address");
} else {
  echo("$ip is not a valid IP address");
}
?>
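Note that 127.0.0.1 passes the plain check above. When the address is used for a server-side connection, that is exactly the kind of value you want to refuse. The following is an added example, not code from the original post, combining the range flags; the sample addresses are constructed:

```php
<?php
// Added example, not from the original post: accepting a user-supplied address
// for a server-side fetch. Syntactic validity is not enough: loopback, link-local
// and private addresses would let the caller reach internal services (SSRF),
// so the NO_PRIV_RANGE and NO_RES_RANGE flags are combined with the validation.
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

// Constructed sample addresses.
$samples = [
    '127.0.0.1',        // loopback: in the reserved 127.0.0.0/8 block
    '10.0.0.5',         // RFC 1918 private
    '192.168.1.20',     // RFC 1918 private
    '169.254.169.254',  // link-local (cloud metadata endpoints live here): reserved
    '8.8.8.8',          // public
    '203.0.113.7',      // RFC 5737 documentation range: NOT in PHP's reserved list,
                        // so it is accepted; see the caveat below
    '::1',              // IPv6 loopback: reserved
    'fd12:3456::1',     // IPv6 unique local (fc00::/7): private
    '999.1.1.1',        // not an address at all
];
foreach ($samples as $ip) {
    printf("%-16s => %s\n", $ip, isPublicIp($ip) ? 'accepted' : 'rejected');
}
```

Caveat: the filter's idea of "reserved" is narrow. For IPv4 it covers 0.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4, and for IPv6 ::1/128, ::/128, ::ffff:0:0/96 and fe80::/10; other special-purpose blocks (such as 203.0.113.0/24 above) pass. If the address is then resolved or connected to, also remember that a hostname can resolve to an internal address after this check, so validate the resolved address, not just the string the user typed.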
  • FILTER_VALIDATE_REGEXP
The FILTER_VALIDATE_REGEXP filter validates value against a regular expression.

Option : 
         regexp - specifies the regular expression to validate against. 

Example : 
<?php
$string = "Match this string";
$options = array("options"=>array("regexp"=>"/^M(.*)/"));
var_dump(filter_var($string, FILTER_VALIDATE_REGEXP, $options));
?> 
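The regular expression is only as strict as its anchors. The following is an added example, not code from the original post, showing a username rule in a loose and a strict form on constructed inputs:

```php
<?php
// Added example, not from the original post: a username rule enforced with
// FILTER_VALIDATE_REGEXP. The first pattern looks strict, but in PCRE "$" also
// matches just before a trailing newline, so "admin\n" is accepted; a value like
// that can later slip past an exact comparison or corrupt a line-oriented file.
// Anchoring with \A and \z (or adding the D modifier) removes the loophole.
function validUsernameLoose(string $value): bool
{
    $opts = ['options' => ['regexp' => '/^[a-z0-9_]{3,16}$/']];
    return filter_var($value, FILTER_VALIDATE_REGEXP, $opts) !== false;
}

function validUsernameStrict(string $value): bool
{
    $opts = ['options' => ['regexp' => '/\A[a-z0-9_]{3,16}\z/']];
    return filter_var($value, FILTER_VALIDATE_REGEXP, $opts) !== false;
}

// Constructed inputs; note the trailing newline in the second one.
foreach (["vikas_p", "admin\n", "ab", "Vikas", "user; rm -rf /"] as $v) {
    printf("%-18s loose=%-5s strict=%s\n",
        json_encode($v),
        var_export(validUsernameLoose($v), true),
        var_export(validUsernameStrict($v), true));
}
```

Only "admin\n" gives different answers from the two functions; everything else is accepted or rejected identically. Because filter_var() returns the matched string on success, the !== false comparison is again the right test.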
  • FILTER_VALIDATE_URL
The FILTER_VALIDATE_URL filter validates that a value is a syntactically well-formed URL (per RFC 2396). It does not check that the host exists and does not restrict the scheme, so a valid ftp:// URL passes just like an http:// one.

Flags :  
FILTER_FLAG_SCHEME_REQUIRED - URL must include a scheme (like http://example). Since PHP 5.2.1 the scheme and host are required anyway; this flag and FILTER_FLAG_HOST_REQUIRED were deprecated in PHP 7.3 and removed in PHP 8.0.
FILTER_FLAG_HOST_REQUIRED - URL must include a host name (like http://universalcoders.blogspot.in/); see the note above.
FILTER_FLAG_PATH_REQUIRED - URL must have a path after the domain name (like http://universalcoders.blogspot.in/2015/)
FILTER_FLAG_QUERY_REQUIRED - URL must have a query string (like http://universalcoders.blogspot.in/2015?id=529)

Example :  
<?php
$url = "http://universalcoders.blogspot.in";
if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
  echo("$url is a valid URL");
} else {
  echo("$url is not a valid URL");
}
?>
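For a URL that the application will redirect to or fetch, "well-formed" is not the same as "safe". The following is an added example, not code from the original post: after FILTER_VALIDATE_URL it applies a scheme allow-list and an assumed host allow-list using parse_url(); the sample URLs are constructed:

```php
<?php
// Added example, not from the original post: validating a redirect target.
// FILTER_VALIDATE_URL only checks that the string is well-formed; it does not
// restrict the scheme. This helper adds a scheme allow-list and, as an assumed
// site policy, a host allow-list, reading both from parse_url() so that tricks
// in the userinfo part cannot fool a naive substring check.
function safeRedirectTarget(string $raw, array $allowedHosts): ?string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if (!in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host'] ?? ''), $allowedHosts, true)) {
        return null;
    }
    return $url;
}

$allowed = ['universalcoders.blogspot.in'];

// Constructed sample URLs.
$samples = [
    'http://universalcoders.blogspot.in/2015/',
    'https://universalcoders.blogspot.in/2015?id=529',
    'ftp://universalcoders.blogspot.in/pub',              // well-formed, wrong scheme
    'http://evil.example/universalcoders.blogspot.in',    // allowed name is only in the path
    'http://universalcoders.blogspot.in@evil.example/',   // allowed name is the userinfo; host is evil.example
    '//evil.example/path',                                // scheme-relative: no scheme, rejected
    'javascript:alert(1)',                                // never http/https, rejected either way
];
foreach ($samples as $s) {
    printf("%-55s => %s\n", $s,
        safeRedirectTarget($s, $allowed) === null ? 'rejected' : 'allowed');
}
```

Only the first two URLs are allowed. The userinfo case is the one to remember: a check like strpos($url, 'universalcoders.blogspot.in') would have accepted it, while parse_url() correctly reports evil.example as the host.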
Reference : PHP.Net Manual - PHP Validate Filters

Please leave your comments if you have any queries.