I am running a fairly extensive list of filters before a database insert, and I'm pretty frustrated with how long and ugly the code is:
/*******************************************************************
* START OF sanitising input
********************************************************************/
// main user inputs
$title = filter_var($place_ad['title'], FILTER_SANITIZE_STRING);
$desc = filter_var($place_ad['desc'], FILTER_SANITIZE_SPECIAL_CHARS);
$cat_1 = filter_var($place_ad['cat_1'], FILTER_SANITIZE_NUMBER_INT);
$cat_2 = filter_var($place_ad['cat_2'], FILTER_SANITIZE_NUMBER_INT);
$cat_3 = filter_var($place_ad['cat_3'], FILTER_SANITIZE_NUMBER_INT);
$price = filter_var($place_ad['price'], FILTER_SANITIZE_NUMBER_FLOAT,FILTER_FLAG_ALLOW_FRACTION);
$suffix = filter_var($place_ad['suffix'], FILTER_SANITIZE_STRING);
// check input
if(empty($title) || strlen($title) < 3 || strlen($title) > 100) { $error[] = 'Title field empty, too long or too short.'; }
if(empty($desc) || strlen($desc) < 3 || strlen($place_ad['desc']) > 5000) { $error[] = 'Description field empty, too long or too short.'; }
if(empty($cat_1) || empty($cat_2)) { $error[] = 'You did not select a category for your listing.'; }
if(empty($price) || $price < 0 || $price > 1000000) { $error[] = 'Price field empty, too low or too high.'; }
// google location stuff
$lat = filter_var($place_ad['lat'], FILTER_SANITIZE_NUMBER_FLOAT,FILTER_FLAG_ALLOW_FRACTION);
$lng = filter_var($place_ad['lng'], FILTER_SANITIZE_NUMBER_FLOAT,FILTER_FLAG_ALLOW_FRACTION);
$formatted_address = filter_var($place_ad['formatted_address'], FILTER_SANITIZE_STRING);
// check input
if(empty($lat) || empty($lng)) { $error[] = 'Location error. No co-ordinates for your location.'; }
// account type
$registered = filter_var($place_ad['registered'], FILTER_SANITIZE_NUMBER_INT);
// money making extras
$extras = filter_var($place_ad['extras'], FILTER_SANITIZE_NUMBER_INT); //url encoded string
$icons = filter_var($place_ad['icons'], FILTER_SANITIZE_STRING); //url encoded string
$premium= filter_var($place_ad['premium'], FILTER_SANITIZE_NUMBER_INT); //numeric float;
$bump = filter_var($place_ad['bump'], FILTER_SANITIZE_NUMBER_INT); //numeric float;
// user details field
if ($registered == '1') // Registering as new user
{
$type = filter_var($place_ad['n_type'], FILTER_SANITIZE_NUMBER_INT);
$name = filter_var($place_ad['n_name'], FILTER_SANITIZE_STRING);
$phone = filter_var($place_ad['n_phone'], FILTER_SANITIZE_STRING);
$email = filter_var($place_ad['n_email'], FILTER_SANITIZE_EMAIL);
$pass = filter_var($place_ad['n_password'], FILTER_UNSAFE_RAW);
if(empty($type)) { $error[] = 'Type field error.'; }
if(empty($name) || strlen($name) > 100) { $error[] = 'You did not enter your name or name too long.'; }
if(empty($email) || strlen($email) < 5 || strlen($email) > 100) { $error[] = 'You did not enter a valid email.'; }
if(!filter_var($email, FILTER_VALIDATE_EMAIL)) { $error[] = 'You did not enter a valid email.'; }
if(empty($pass) || strlen($pass) < 6 || strlen($pass) > 100) { $error[] = 'Your password must be at least 6 characters.'; }
}
elseif ($registered =='2') // registered user
{
$email = filter_var($place_ad['n_email'], FILTER_SANITIZE_EMAIL); // filter_input() takes an INPUT_* type and a field name, not a value; filter_var() is what applies here
$pass = filter_var($place_ad['n_password'], FILTER_UNSAFE_RAW);
if(empty($email) || strlen($email) < 5 || strlen($email) > 100) { $error[] = 'You did not enter a valid email.'; }
if(empty($pass) || strlen($pass) < 6 || strlen($pass) > 100) { $error[] = 'Your password must be at least 6 characters.'; }
}
elseif ($registered == '3') // dont wanna register details
{
$name = filter_var($place_ad['n_name'], FILTER_SANITIZE_STRING); // filter_var(), not filter_input(): we already hold the value
$phone = filter_var($place_ad['n_phone'], FILTER_SANITIZE_STRING);
$email = filter_var($place_ad['n_email'], FILTER_SANITIZE_EMAIL);
if(empty($name) || strlen($name) > 100) { $error[] = 'You did not enter your name or name too long.'; }
if(empty($email) || strlen($email) < 5 || strlen($email) > 100) { $error[] = 'You did not enter a valid email.'; }
}
/*******************************************************************
* END OF Sanitising input
********************************************************************/
I think a lot of my code is "unnecessary", but I think it might be bad coding practice if I remove it.
For example, I could drop all the FILTER_SANITIZE_NUMBER_* filters when the database has the INT/FLOAT fields set up correctly.
I could also drop a lot of the "greater than >" checks, since most of them are only there to stop users entering huge amounts of data (which would again be limited by the database field length).
Does everyone else have user input validation code this ugly?
- - - - - - - - - EDIT - - - - - - - - - - -
Thanks a lot for the information. Since I'm using PDO I think I may try to compress it further, but can I ask the following:
- For input fields like radio buttons and select boxes, where users can't easily tamper with the input, do you think just binding with PDO constants is enough? These values map to enum and tinyint(1) fields in the database, and manipulating them outside the form spec wouldn't let a user achieve anything.
- I also use filter_var to make user input suitable for display on a UTF-8 encoded page. I believe this really only encodes <> and a few other characters into their entities. Would it be better to just use htmlentities?
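A compact rewrite of the filter list along the lines the question is asking about, as an added example that is not part of the original post: validate on input with FILTER_VALIDATE_* (reject bad values instead of "cleaning" them; FILTER_SANITIZE_NUMBER_INT lets "1-2" through and turns "12abc" into 12, and FILTER_SANITIZE_STRING is deprecated as of PHP 8.1), whitelist the radio/select values rather than trusting the form, bind typed parameters with PDO so the values never reach the SQL text, and escape for HTML only when rendering. The table name ads, its columns, the shape of $request and the in-memory SQLite database (standing in for MySQL so the script runs anywhere with pdo_sqlite) are assumptions of this demo.

```php
<?php
// Added example, not the poster's code. Table name "ads", its columns, and the
// shape of $request are assumptions; SQLite in memory stands in for the real DB.
declare(strict_types=1);

/** Validate a submission. Returns [typed values, error messages]; rejects instead of "cleaning". */
function validatePlaceAd(array $in): array
{
    $errors = [];
    $out = [];

    // Free text: bound the length, keep the content exactly as typed. Escaping belongs at output.
    foreach (['title' => [3, 100], 'desc' => [3, 5000]] as $field => [$min, $max]) {
        $value = trim((string)($in[$field] ?? ''));
        $len = mb_strlen($value, 'UTF-8');            // characters, not bytes (needs ext/mbstring)
        if ($len < $min || $len > $max) {
            $errors[] = "$field must be $min-$max characters.";
        }
        $out[$field] = $value;
    }

    // Integers: FILTER_VALIDATE_INT returns false for "", "1-2" or "12abc";
    // the sanitize variant would silently pass or mangle those instead.
    foreach (['cat_1' => true, 'cat_2' => true, 'cat_3' => false] as $cat => $required) {
        $v = filter_var($in[$cat] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($v === false && $required) {
            $errors[] = "$cat is missing or not a positive integer.";
        }
        $out[$cat] = $v === false ? null : $v;
    }

    $price = filter_var($in['price'] ?? null, FILTER_VALIDATE_FLOAT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($price === false) {
        $errors[] = 'Price must be a number between 0 and 1000000.';
    }
    $out['price'] = $price;

    // Enum-like fields (radio buttons, selects, tinyint(1) flags): whitelist the allowed
    // values in code; the form is not a security boundary, and a typed column only
    // guarantees a type, not a meaning.
    $registered = (string)($in['registered'] ?? '');
    if (!in_array($registered, ['1', '2', '3'], true)) {
        $errors[] = 'Invalid account option.';
    }
    $out['registered'] = (int)$registered;
    foreach (['premium', 'bump'] as $flag) {
        $out[$flag] = filter_var($in[$flag] ?? '0', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) ? 1 : 0;
    }

    $email = filter_var($in['n_email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 100) {
        $errors[] = 'Invalid e-mail address.';
    }
    $out['email'] = $email;

    return [$out, $errors];
}

/** Insert with typed bindings; values never touch the SQL text. Returns the new row id. */
function insertPlaceAd(PDO $pdo, array $ad): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO ads (title, description, cat_1, cat_2, cat_3, price, registered, premium, bump, email)
         VALUES (:title, :description, :cat_1, :cat_2, :cat_3, :price, :registered, :premium, :bump, :email)'
    );
    $stmt->bindValue(':title', $ad['title'], PDO::PARAM_STR);
    $stmt->bindValue(':description', $ad['desc'], PDO::PARAM_STR);
    foreach (['cat_1', 'cat_2', 'cat_3', 'registered', 'premium', 'bump'] as $int) {
        $stmt->bindValue(":$int", $ad[$int], $ad[$int] === null ? PDO::PARAM_NULL : PDO::PARAM_INT);
    }
    $stmt->bindValue(':price', (string)$ad['price'], PDO::PARAM_STR); // DECIMAL columns: bind as string
    $stmt->bindValue(':email', $ad['email'], PDO::PARAM_STR);
    $stmt->execute();
    return (int)$pdo->lastInsertId();
}

/** HTML-context escaping for a UTF-8 page; apply when rendering, not before storing. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Demo with a constructed (not real) submission carrying an HTML and an SQL payload.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT, description TEXT, cat_1 INTEGER,
            cat_2 INTEGER, cat_3 INTEGER, price TEXT, registered INTEGER, premium INTEGER, bump INTEGER, email TEXT)');
$request = [
    'title' => 'Bike <script>alert(1)</script>', 'desc' => "Good condition; ' OR 1=1 --",
    'cat_1' => '4', 'cat_2' => '17', 'cat_3' => '', 'price' => '12.50',
    'registered' => '3', 'premium' => 'on', 'bump' => '0', 'n_email' => 'seller@example.com',
];
[$ad, $errors] = validatePlaceAd($request);
if ($errors) {
    foreach ($errors as $e) { echo $e, "\n"; }
    exit(1);
}
$id = insertPlaceAd($pdo, $ad);
$sel = $pdo->prepare('SELECT title, description FROM ads WHERE id = :id');
$sel->execute([':id' => $id]);
$saved = $sel->fetch(PDO::FETCH_ASSOC);
echo '<h1>', escapeHtml($saved['title']), '</h1>', "\n";          // stored verbatim, escaped only here
echo '<p>', escapeHtml($saved['description']), '</p>', "\n";
```

On the two follow-up questions: binding with PDO::PARAM_INT protects the query, but it does not decide whether 7 is a valid value for a field whose form only offers 1, 2 and 3, so the in_array whitelist stays even with typed columns; and for a UTF-8 page htmlspecialchars() with ENT_QUOTES covers every HTML metacharacter, so htmlentities() buys nothing extra, while storing the unescaped text (as above) keeps the data usable for non-HTML outputs such as e-mail or JSON. On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the client, separates the parameters from the statement.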