04-05-2008, 02:10 AM | #1
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
Input sanitization
Just curious if anybody out there has been employing filter_var() in their sanitization methods.
I was planning on building one of my own using ctype*() functions, regular expressions and of course htmlentities()/strip_tags()/mysql_real_escape_string()/etc, when I stumbled across a page illustrating the functionality of filter_var().
-m
04-05-2008, 03:03 AM | #2
The Prestige | Join Date: Dec 2007 | Posts: 1,044 | Thanks: 193
Quote:
Originally Posted by delayedinsanity
Just curious if anybody out there has been employing filter_var() in their sanitization methods.
I was planning on building one of my own using ctype*() functions, regular expressions and of course htmlentities()/strip_tags()/mysql_real_escape_string()/etc, when I stumbled across a page illustrating the functionality of filter_var().
-m

I use filter_var to check simple emails and URLs; it's just using PCRE for it, like a function that does it for you.
(This is FILTER_VALIDATE_EMAIL, NOT SANITIZE; I haven't used that yet.)
PHP Code:
filter_var($email, FILTER_VALIDATE_EMAIL);
I also use filter_has_var to check if an INPUT is set,
PHP Code:
filter_has_var(INPUT_POST, 'email');
Which checks if $_POST['email'] is set.
__________________
VillageIdiot can have my babbies ;d
04-05-2008, 05:59 AM | #3
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
Looking into it more this evening, I actually came across your topic on it from back in January. If I had noticed that earlier I would've posted there instead of bringing it up anew. About this though,
Quote:
Another valid point is that people try and tackle regular expressions when they're not fully learned in the subject. I admit, I used to be one of those and I do surmise my older applications are susceptible to regular expression issues.
I fully understand using tried and true methods when they're already available. I also realize regular expressions can fill a book(s) by themselves, but in regards to that -- Is it better to stick with an automatic because you don't know how to drive standard, or should you learn, then drive the automatic if you choose to anyways?
-m
04-05-2008, 12:39 PM | #4
Moderateur | Join Date: Apr 2007 | Posts: 1,393 | Thanks: 5
To counter (or, work alongside!) that quote, a valid point is that people try and tackle using functions when they're not fully learned in the subject. If you're going to use anything, make sure you know how it works before stumbling over potential problems.
A classic example that I see time after time is looping through an array of items using for/foreach then simply doing a str_replace on every item within the loop. If you're not sure why that's a silly idea, the PHP Manual has all the relevant information.
Relating to this topic in particular, please be aware of the limitations (not using this term in a negative way; instead, what the filter flags can and can't do) before blindly relying on them to automagically behave as you want. FILTER_VALIDATE_EMAIL is not a catch-all solution, so must be employed as only a part of your arsenal of tools used when determining if an email address is valid or allowable within the realms of your application requirements.
Examples of email addresses which will successfully pass through FILTER_VALIDATE_EMAIL include:
- #@-.-
- +@127.0.0.1
- admin@server.local
- "Mr Salathe"@talkphp.com
I'm fairly sure that you wouldn't be wanting those kinds of addresses getting into your applications.
All that said, many of the home-brewed regular expression solutions out there for this task are equally, or even more, loose with what they allow and disallow.
The Following User Says Thank You to Salathe For This Useful Post:
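Added example (not code from the thread or from any poster): FILTER_VALIDATE_EMAIL used as one layer, with application policy checks on top of it, run over the four addresses Salathe listed. Whether filter_var() itself accepts each of them depends on the PHP version (the thread reports 2008-era behaviour), so the script reports the filter's verdict instead of assuming it. The policy rules (no quoted local part, no IP-literal domain, dotted hostname with a sane TLD, no reserved names, optional DNS check) are this example's own assumptions, not a standard; RESERVED_TLDS and email_policy_check() are names invented here. Needs PHP 7.1+.

```php
<?php
declare(strict_types=1);

// Special-use top-level names (RFC 2606 / RFC 6762) we never want as a mail domain.
const RESERVED_TLDS = ['local', 'localhost', 'test', 'example', 'invalid'];

/**
 * Returns null when the address is acceptable, otherwise the reason it failed.
 * Policy (this example's assumption): syntactically valid per filter_var(),
 * no quoted local part, a dotted hostname rather than an IP literal, no label
 * starting or ending with '-', and an alphabetic, non-reserved TLD.
 */
function email_policy_check(string $email, bool $check_dns = false): ?string
{
    // Layer 1: the built-in syntax check. Everything below assumes it passed.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'rejected by FILTER_VALIDATE_EMAIL';
    }

    $at = strrpos($email, '@');
    if ($at === false) {
        return 'no @ in address';
    }
    $local  = substr($email, 0, $at);
    $domain = substr($email, $at + 1);
    if ($domain === '') {
        return 'empty domain';
    }

    // Layer 2: application policy.
    if (strpos($local, '"') !== false) {
        return 'quoted local part not allowed';
    }
    if ($domain[0] === '[' || preg_match('/^\d{1,3}(\.\d{1,3}){3}$/D', $domain) === 1) {
        return 'IP-literal domain not allowed';
    }
    if (strpos($domain, '.') === false) {
        return 'domain must contain a dot';
    }
    foreach (explode('.', $domain) as $label) {
        if ($label === '' || $label[0] === '-' || substr($label, -1) === '-') {
            return "bad domain label '{$label}'";
        }
    }
    $tld = strtolower(substr($domain, strrpos($domain, '.') + 1));
    if (strlen($tld) < 2 || !ctype_alpha($tld)) {
        return 'TLD must be alphabetic';
    }
    if (in_array($tld, RESERVED_TLDS, true)) {
        return "reserved TLD '.{$tld}'";
    }

    // Layer 3 (optional, needs network): the domain must be able to receive mail.
    if ($check_dns && !checkdnsrr($domain, 'MX') && !checkdnsrr($domain, 'A')) {
        return 'no MX or A record for domain';
    }
    return null;
}

// The four addresses from the post, plus one ordinary address for contrast (constructed input).
$samples = [
    '#@-.-',
    '+@127.0.0.1',
    'admin@server.local',
    '"Mr Salathe"@talkphp.com',
    'jane.doe@example.com',
];

foreach ($samples as $email) {
    $filter = filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? 'pass' : 'fail';
    $reason = email_policy_check($email) ?? 'accepted';
    printf("%-28s filter_var: %-4s  policy: %s\n", $email, $filter, $reason);
}
```

The point of the layering is the one Salathe makes: filter_var() answers "is this syntactically an address", and the application still has to decide which syntactically valid addresses it is willing to store. Keeping the policy in one function with a reason string also makes it easy to log why an input was refused.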
04-05-2008, 03:37 PM
|
#5 (permalink)
|
|
is cute and cuddly
Join Date: Mar 2008
Location: Vegas, Baby
Posts: 963
Thanks: 31
|
Quote:
A classic example that I see time after time is looping through an array of items using for/foreach then simply doing a str_replace on every item within the loop. If you're not sure why that's a silly idea, the PHP Manual has all the relevant information.
Call me curious, but is that because
PHP Code:
foreach($_GET as $key=>$value) {
$new[$key] = str_replace("a", "b", $value);
}
is exactly the same as doing
PHP Code:
$new = str_replace("a", "b", $_GET);
?? That's all I could figure out after reading the manual, but if there's something more obvious I missed, don't hold back! I like it when people tell me how things work, it saves me the time of doing any physical labour, and I get extra couch surfing minutes at the end of my day.
I found some other unhappy people with filter_var, somebody pointed out a flaw in FILTER_SANITIZE_NUMBER_FLOAT, and the PHP developers marked it bogus, etc. I think I'll stick with my own routines, I may not be a great coder or anything but the thing I like about DIY is that when it breaks, you can FIY.
I'm also happy to point out that none of those emails make it through my regex. 
04-05-2008, 05:00 PM | #6
The Acquainted | Join Date: Feb 2008 | Posts: 119 | Thanks: 17
Quote:
Originally Posted by delayedinsanity
Call me curious, but is that because
PHP Code:
foreach($_GET as $key=>$value) {
$new[$key] = str_replace("a", "b", $value);
}
is exactly the same as doing
PHP Code:
$new = str_replace("a", "b", $_GET);
?? That's all I could figure out after reading the manual, but if there's something more obvious I missed, don't hold back! I like it when people tell me how things work, it saves me the time of doing any physical labour, and I get extra couch surfing minutes at the end of my day.
I found some other unhappy people with filter_var, somebody pointed out a flaw in FILTER_SANITIZE_NUMBER_FLOAT, and the PHP developers marked it bogus, etc. I think I'll stick with my own routines, I may not be a great coder or anything but the thing I like about DIY is that when it breaks, you can FIY.
I'm also happy to point out that none of those emails make it through my regex. 
No, it's not the same.
$_GET is an array; $value is just a value from that array...
04-05-2008, 05:01 PM | #7
The Prestige | Join Date: Dec 2007 | Posts: 1,044 | Thanks: 193
Quote:
Originally Posted by freenity
No, it's not the same.
$_GET is an array; $value is just a value from that array...
associative Array. ;)
__________________
VillageIdiot can have my babbies ;d
04-05-2008, 05:05 PM | #8
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
Quote:
No, it's not the same.
$_GET is an array; $value is just a value from that array...
I know. Look at the code again, they both return the exact same result in $new.
-m
04-05-2008, 05:24 PM | #9
The Acquainted | Join Date: Feb 2008 | Posts: 119 | Thanks: 17
Right.
My bugs :S
04-05-2008, 07:17 PM | #10
Moderateur | Join Date: Apr 2007 | Posts: 1,393 | Thanks: 5
delayedinsanity, yes that was my point. There's no need to loop through items for a simple replace when you can feed the array into str_replace as an argument and achieve the same result. However, I see it over and over again where people loop through an array exactly like the first code snippet you posted.
04-05-2008, 07:57 PM | #11
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
I like looping. It gives me a feeling of power, and makes a nice klipity klop sound.
04-10-2008, 06:31 PM | #12
The Prestige | Join Date: Oct 2007 | Location: Manchester, UK | Posts: 854 | Thanks: 32
Why use filter_var for inputs? Just curious.
filter_input
I have to agree with Salathe on this: anything that seems to be a 'catch all', as he said, should be treated with caution before allowing your applications to become dependent on it.
__________________
mysql> SELECT * FROM `users` WHERE `users`.`clue` > 0;
Empty set (0.00 sec)
04-10-2008, 07:44 PM | #13
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
I'm not, I was asking if anybody else was. filter_var() and filter_input() are pretty much identical except for the obvious, and I was asking in particular about filter_var in the sense that it would be employed as part of the sanitization method, not used as the only method.
Since then I've decided against it and wrote a method in my forms class that undoes magic_quotes_gpc (my host has it on), cleans it in one of three ways dependent on arguments I give it, then uses a combination of ctype functions and regular expressions to do the validation.
-m
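Added example (not delayedinsanity's forms class, which is not shown in the thread): a small input handler built along the lines described above. It undoes magic_quotes_gpc when the host has it on, cleans a field in one of three modes, and validates with ctype_*() where the rule is simple and a regex where it is not. The class name FormInput, the mode names and the rule names are this example's own choices, and the request data is constructed. It also shows Salathe's earlier point from the other side: the recursive unquote() is a case where a loop is genuinely needed, because stripslashes(), unlike str_replace(), takes only a string and form arrays such as tags[] can be nested. Needs PHP 7.4+.

```php
<?php
declare(strict_types=1);

final class FormInput
{
    /** @var array<string,mixed> */
    private array $data;

    public function __construct(array $source)
    {
        // magic_quotes_gpc was removed in PHP 5.4. On an old host that still has it
        // on, every GPC value arrives backslash-escaped and must be unescaped once,
        // before any escaping of our own, or the data ends up double-escaped.
        // ini_get() returns false where the directive no longer exists, which
        // FILTER_VALIDATE_BOOLEAN treats as "off".
        if (filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN)) {
            $source = self::unquote($source);
        }
        $this->data = $source;
    }

    /** Recursive stripslashes(): nested form arrays (name[]=...) are walked too. */
    private static function unquote(array $a): array
    {
        foreach ($a as $k => $v) {
            $a[$k] = is_array($v) ? self::unquote($v) : stripslashes((string) $v);
        }
        return $a;
    }

    /**
     * Fetch one field cleaned in one of three ways:
     *  'html'  -> safe to echo into an HTML page (entities for < > & " ')
     *  'plain' -> tags and control characters removed, whitespace trimmed
     *  'raw'   -> untouched; the caller takes responsibility (e.g. a prepared statement)
     * Non-scalar values (arrays) are never returned; the default is used instead.
     */
    public function get(string $name, string $mode = 'plain', string $default = ''): string
    {
        $value = isset($this->data[$name]) && is_scalar($this->data[$name])
            ? (string) $this->data[$name]
            : $default;

        switch ($mode) {
            case 'html':
                return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
            case 'plain':
                $value = strip_tags($value);
                return trim((string) preg_replace('/[\x00-\x1F\x7F]/', '', $value));
            case 'raw':
                return $value;
            default:
                throw new InvalidArgumentException("unknown clean mode '{$mode}'");
        }
    }

    /** Validation: ctype_*() for the simple shapes, a regex where ctype cannot express the rule. */
    public static function valid(string $value, string $rule): bool
    {
        switch ($rule) {
            // ctype_*() return false for '' on current PHP, but be explicit about it.
            case 'digits':   return $value !== '' && ctype_digit($value);
            case 'alpha':    return $value !== '' && ctype_alpha($value);
            case 'alnum':    return $value !== '' && ctype_alnum($value);
            // The D modifier stops '$' from matching before a trailing newline.
            case 'username': return preg_match('/^[a-z][a-z0-9_]{2,19}$/iD', $value) === 1;
            case 'zip5':     return preg_match('/^\d{5}$/D', $value) === 1;
            default:         throw new InvalidArgumentException("unknown rule '{$rule}'");
        }
    }
}

// Constructed request data standing in for $_POST.
$post = [
    'name' => "O'Brien <b>bold</b>",
    'age'  => '42',
    'user' => 'delayed_insanity',
    'zip'  => '8910x',
    'tags' => ['php', 'regex'],
];
$in = new FormInput($post);

echo $in->get('name', 'html'), "\n";
echo $in->get('name', 'plain'), "\n";
var_dump(FormInput::valid($in->get('age'), 'digits'));
var_dump(FormInput::valid($in->get('user'), 'username'));
var_dump(FormInput::valid($in->get('zip'), 'zip5'));
var_dump($in->get('tags'));
```

The split between get() and valid() is deliberate: cleaning changes the value so it is safe in one output context, validation decides whether to accept it at all. Doing both in one step is how the "sanitize" flags end up silently turning a bad value into a different, accepted one.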
04-12-2008, 06:42 PM | #14
The Contributor | Join Date: Dec 2007 | Location: Belgium | Posts: 60 | Thanks: 6
Regular expressions are the way to go in my opinion. You have full control over what *exactly* you want to allow and what not. Moreover, I once benchmarked my email regex against filter_var and the last one was slower.
See Kohana source for email regex. It is in valid::email().
Or check: Comparing E-mail Address Validating Regular Expressions
Last edited by Geert: 04-12-2008 at 06:44 PM. Reason: Added link
04-13-2008, 05:01 AM | #15
is cute and cuddly | Join Date: Mar 2008 | Location: Vegas, Baby | Posts: 963 | Thanks: 31
Not that a few milliseconds will matter too much in many of the scripts I'm writing as of right now, but have you ever benchmarked ctype against their equivalent regexes?
-m
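Added example (not Geert's benchmark, which is not shown, nor anyone else's code from the thread): a micro-benchmark answering the question above for one rule, "is this string a non-negative integer", comparing ctype_digit(), preg_match() and filter_var() with FILTER_VALIDATE_INT. It first prints what each check decides for a handful of constructed inputs, because the three do not agree (leading zeros and values beyond PHP_INT_MAX are the interesting cases), and only then times them. The sample strings and iteration count are this example's choices; timings depend on the machine and PHP version, so run it rather than quoting it. Needs PHP 7.4+.

```php
<?php
declare(strict_types=1);

// Constructed inputs chosen to expose where the three checks disagree.
$samples = ['12345', '0042', '12a45', '', '-7', str_repeat('9', 40)];

$checks = [
    // ctype_digit: every byte is 0-9; no length or range limit.
    'ctype_digit' => fn(string $s): bool => $s !== '' && ctype_digit($s),
    // preg_match: same shape as ctype_digit; the D modifier keeps '$' from
    // accepting a trailing newline, a classic gap in "^...$" validators.
    'preg_match'  => fn(string $s): bool => preg_match('/^\d+$/D', $s) === 1,
    // filter_var: a real integer in range; leading zeros and overflow fail.
    'filter_var'  => fn(string $s): bool => filter_var(
        $s, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]
    ) !== false,
];

// Part 1: correctness. What each check says for each sample.
printf("%-16s %-12s %-12s %-12s\n", 'input', ...array_keys($checks));
foreach ($samples as $s) {
    $row = [];
    foreach ($checks as $fn) {
        $row[] = $fn($s) ? 'true' : 'false';
    }
    $label = strlen($s) > 12 ? substr($s, 0, 9) . '...' : $s;
    printf("%-16s %-12s %-12s %-12s\n", "'" . $label . "'", ...$row);
}

// Part 2: speed. Run every sample through one check $iterations times and
// return the wall-clock time in milliseconds (hrtime() is monotonic, unlike microtime()).
function bench(callable $fn, array $inputs, int $iterations): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $iterations; $i++) {
        foreach ($inputs as $s) {
            $fn($s);
        }
    }
    return (hrtime(true) - $start) / 1e6;
}

$iterations = 100000;
echo "\n";
foreach ($checks as $name => $fn) {
    // One untimed pass first so the regex is compiled and caches are warm.
    bench($fn, $samples, 1);
    printf("%-12s %8.1f ms for %d calls\n",
        $name, bench($fn, $samples, $iterations), $iterations * count($samples));
}
```

The first table is the part worth keeping: which check is "fastest" matters less than the fact that the three accept different sets of strings, and the one you pick should be chosen by the rule you actually mean (digits only, or a usable integer), not by the stopwatch.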