2021-12-23 00:00:00 filter php php-8.1 sanitization


I have installed PHP 8.1 and I started testing my old project. I have used the filter FILTER_SANITIZE_STRING like so:

$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);

Deprecated: Constant FILTER_SANITIZE_STRING is deprecated

The same happens when I use FILTER_SANITIZE_STRIPPED:

Deprecated: Constant FILTER_SANITIZE_STRIPPED is deprecated



This was a filter of dubious purpose. It's difficult to say what it was meant to accomplish exactly or when it should be used. It was also confused with the default string filter, due to its name, when in reality the default string filter is called FILTER_UNSAFE_RAW. The PHP community decided that the usage of this filter should not be supported anymore.


The behaviour of this filter was very unintuitive. It removed everything between < and the end of the string or until the next >. It also removed all NUL bytes. Finally, it encoded ' and " into their HTML entities.


If you want to replace it, you have a couple of options:

  1. Use the default string filter FILTER_UNSAFE_RAW that doesn't do any filtering. This should be used if you had no idea about the behaviour of FILTER_SANITIZE_STRING and you just want to use a default filter that will give you the string value.

  2. If you used this filter to protect against XSS vulnerabilities, then replace its usage with htmlspecialchars(). Don't call this function on the input data. To protect against XSS you need to encode the output!

  3. If you knew exactly what that filter does and you want to create a polyfill, you can do that easily with regex.

function filter_string_polyfill(string $string): string
{
    // \x00 drops NUL bytes; <[^>]*>? drops everything from a '<' up to the next '>' or the end of the string
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    // Encode single and double quotes as HTML entities, as the old filter did
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}
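The three replacement options from the answer above, shown side by side on one constructed input. This is an added example, not code from the original answer; it reuses the answer's polyfill, and the `$raw` string stands in for a posted form value so the script runs offline with `filter_var()` instead of `filter_input()`.

```php
<?php
declare(strict_types=1);

// Option 3: polyfill reproducing FILTER_SANITIZE_STRING (from the answer above).
function filter_string_polyfill(string $string): string
{
    // \x00 drops NUL bytes; <[^>]*>? drops from '<' to the next '>' or end of string
    $str = preg_replace('/\x00|<[^>]*>?/', '', $string);
    // Encode single and double quotes as HTML entities
    return str_replace(["'", '"'], ['&#39;', '&#34;'], $str);
}

// Constructed sample input standing in for $_POST['username'].
// It contains quotes, a closed tag, an unterminated tag and a NUL byte.
$raw = "O'Brien <b>bold</b> \"quoted\" <unterminated\x00";

// Option 1: FILTER_UNSAFE_RAW returns the value unchanged (no filtering).
$stored = filter_var($raw, FILTER_UNSAFE_RAW);
var_dump($stored === $raw);

// Option 3: legacy behaviour for code paths that still depend on it.
$legacy = filter_string_polyfill($raw);
var_dump($legacy);

// Option 2: keep the raw value and encode at output time, in the HTML context
// where it is rendered. ENT_QUOTES covers both quote styles so the value is
// safe inside attributes as well as element content.
$html = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo '<input name="username" value="' . $html . '">', PHP_EOL;
```

The point of the contrast: the polyfill silently discards everything after an unterminated `<`, so the stored username is lossy, while option 2 keeps the exact input and neutralises it only where it is emitted into HTML. Output encoding is also context-specific; a value placed into a URL or a JavaScript string would need the encoder for that context rather than `htmlspecialchars()`.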
