What is the difference between sanitize and filter in PHP?

Doing a security class for PHP I noticed the existence of two similar constants, like: FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT.

The default follows in email validations, string and others. What is the difference between these two constants? When to use one or the other?

Would the following method be 'correct' for more secure validation?

public static function int($name)
{
    $_POST[$name] = filter_input(INPUT_POST, $name, FILTER_SANITIZE_NUMBER_INT);

    if(filter_var($_POST[$name], FILTER_VALIDATE_INT))
        return true;
    return false;
}

There are standard methods in PHP, such as is_int() and is_integer(), but it seems to be less reliable. (I'm not sure)

Author: UzumakiArtanis, 2016-07-08

1 answer

The difference between FILTER_SANITIZE_* and FILTER_VALIDATE_* is that the first tries to 'convert' an input into a specific 'safe' format using very specific rules. This modification does not guarantee a valid output. The second checks whether the input conforms to the established standard (int, email, IP, etc.).

It is very important to consult the documentation (in English) before using these constants together with the respective functions, since their handling criteria can be totally different from what the language itself provides; see the examples below.

FILTER_SANITIZE_NUMBER_INT

Tries to convert a string into a number, but the rule used is literally loose: it removes all non-numeric characters (0-9) except the symbols +, - and ., which are required to represent negative or fractional numbers. That is, there is a great chance of a false positive. FILTER_SANITIZE_NUMBER_INT is a less restrictive version of a cast:

$id = (int) $_GET['id'];

Let's say a bank record must be changed, but first let's validate the user input.

$id = '-aaa3';
$id = filter_var($id, FILTER_SANITIZE_NUMBER_INT); //-3

$id2 = '-++';
$id2 = filter_var($id2, FILTER_SANITIZE_NUMBER_INT); //-++ (signs are kept, nothing is removed)

The output is -3 when a conversion failure should have been returned.

FILTER_VALIDATE_INT

Checks whether the string passed is a valid integer (otherwise returns false, i.e. fails); the plus + and minus - signs are allowed only at the beginning.

$id = '3-';
$id = filter_var($id, FILTER_VALIDATE_INT); //false

$id = '-3';
$id = filter_var($id, FILTER_VALIDATE_INT); //-3

Code Review

The question's code can start from a wrong premise and pass an incorrect result forward. For example, the input 4@2 is not a valid integer; when FILTER_SANITIZE_NUMBER_INT is applied, the @ is removed, which now makes the input a valid integer (42). The function will return true, but will this 42 cause any problems further on?

The biggest concerns when validating an integer are: not letting PHP convert the numeric part of the string, so as not to generate false positives, and checking whether the input consists only of digits (0-9) or signs (-+).

is_integer() is an alias of is_int(); this function checks whether the type of the variable is int, otherwise it returns false. A valid numeric string returns false, and if any conversion is done there is the problem of taking only the numeric part.

The most suitable and strict one in this case is ctype_digit(). The function requires a string to be passed, and if it consists only of digits (0-9) it returns true.

ctype_digit() has one drawback. If an integer in the range -128 to 255 is passed, it is interpreted as an ASCII code, i.e. it returns false. However, there is a curious way to convert an input into a string, which is to put that value or variable in double quotes.

$id = 255;
var_dump(ctype_digit("$id")); //true
var_dump(ctype_digit($id)); //false

Related:

Why in PHP the expression "2 +' 6 apples '" is equal to 8?

Is "1-----1--+--1" a valid integer value in PHP?

Author: rray, 2017-12-01 13:39:20
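As an added example (not code from the question or from the answer above), the sanitize-then-validate approach from the question is put side by side with a validate-only check and a ctype_digit() check over constructed inputs, including the 4@2 false positive the answer describes. The function names are hypothetical; the min_range option is a real FILTER_VALIDATE_INT option and assumes record ids are positive.

```php
<?php
// Constructed example: compare three ways of validating an integer id.

// Reproduces the question's approach: sanitize first, then validate.
// Returns the int or false. '4@2' becomes '42' and is accepted.
function validateIdLoose(string $raw)
{
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_INT); // strips '@', keeps '+' and '-'
    return filter_var($clean, FILTER_VALIDATE_INT);
}

// Validate only: the raw string must already be a well-formed integer,
// and here also a positive record id (min_range => 1). The input is
// never rewritten, so '4@2', '-aaa3' and '3-' are all rejected.
function validateIdStrict(string $raw)
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
}

// ctype_digit() alternative from the answer: only the characters 0-9
// are allowed, and the cast happens only after that check passes.
function validateIdDigits(string $raw)
{
    return ctype_digit($raw) ? (int) $raw : false;
}

// Note: FILTER_VALIDATE_INT returns int 0 for the input '0', which is
// falsy, so callers must compare with === false rather than rely on
// the truthiness used in the question's if().
$samples = ['42', '0', '-3', '4@2', '-aaa3', '-++', '3-', ''];
foreach ($samples as $raw) {
    printf("%-8s loose=%-6s strict=%-6s digits=%s\n",
        var_export($raw, true),
        var_export(validateIdLoose($raw), true),
        var_export(validateIdStrict($raw), true),
        var_export(validateIdDigits($raw), true));
}
```

Only the loose variant accepts '4@2' and '-aaa3' (as 42 and -3); the other two reject every malformed sample and differ only on '0' and negative values, which the strict variant rejects by design.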