Is this type of security validation valid? (Several ifs verifying whether the validation is true)

Is the following correct for validating whether the input values are valid?

if(!empty($_POST))
{
    # Note: filter_input() returns the filtered value, so a valid integer 0
    # is falsy here and would be rejected by these plain if() checks.
    if(filter_input(INPUT_POST, 'hemocomponenteBolsa', FILTER_VALIDATE_INT))
    {
        if(filter_input(INPUT_POST, 'grupoSanguineoBolsa', FILTER_VALIDATE_INT))
        {
            if(filter_input(INPUT_POST, 'fatorRHBolsa', FILTER_VALIDATE_INT))
            {
                if(filter_input(INPUT_POST, 'dtVencimento', FILTER_SANITIZE_STRING))
                {
                    if(filter_input(INPUT_POST, 'statusBolsa', FILTER_VALIDATE_INT))
                    {
                        # CODE
                    }
                }
            }
        }
    }
}
else
{
    $_SESSION['msg'] = "<div class='alert alert-danger'><b>Atenção!</b>
                         Falha ao cadastrar. (Erro 007)</div>";
    header("Location: ../view/novaBolsa.php");
    exit; # stop the script after the redirect so nothing below runs
}

In this case I have removed several fields for the sake of learning, but I have 12 inputs to receive, so I would need 12 if(...) statements. Is it correct to do it the way shown above, or would it slow the system down?

  • Construct an array and validate all of them with a loop.

1 answer

Use filter_input_array and then, with in_array and array_values, check whether any of the values is FALSE, for example:

<?php

    $filters = [
        'hemocomponenteBolsa' => FILTER_VALIDATE_INT, 
        'grupoSanguineoBolsa' => FILTER_VALIDATE_INT,
        'fatorRHBolsa' => FILTER_VALIDATE_INT,
        'statusBolsa' => FILTER_VALIDATE_INT,
        'dtVencimento' => FILTER_SANITIZE_STRING
    ];

    // Invalid values come back as FALSE; keys absent from the request come back as NULL
    $result = filter_input_array(INPUT_POST, $filters);

    // The third parameter (strict comparison) keeps a valid 0 from being treated as FALSE
    if (!in_array(FALSE, array_values($result), TRUE))
    {
        //# Code
        // The variable $result holds the correct values
        $result['hemocomponenteBolsa'];
    }

Don't forget that the configuration is placed in an array keyed by the variables you receive, each with its filter configured; there are other ways to set it up, but this is the simplest.

This way your code becomes very easy to maintain: you insert or remove fields only in the $filters array, and you don't need to write so many decision structures (if), which are unnecessary in this case and hinder the understanding and maintenance of the code.


If you want the dtVencimento field to be allowed through without a value, you would have to build an auxiliary function that, when there is a value, applies the filter via filter_var and otherwise returns the default value, for example:

<?php

    // Sanitizes a non-empty string; returns the default (empty string) when nothing was sent
    function testString($value)
    {
        if (mb_strlen($value) > 0)
        {
            return filter_var($value, FILTER_SANITIZE_STRING);
        }
        return "";
    }

    $filters = [
        'hemocomponenteBolsa' => FILTER_VALIDATE_INT, 
        'grupoSanguineoBolsa' => FILTER_VALIDATE_INT,
        'fatorRHBolsa' => FILTER_VALIDATE_INT,
        'statusBolsa' => FILTER_VALIDATE_INT,
        'dtVencimento' => array('filter' => FILTER_CALLBACK, 'options' => "testString")
    ];

    $result = filter_input_array(INPUT_POST, $filters);

    if (!in_array(FALSE, array_values($result), TRUE))
    {
        //# Code
        // The variable $result holds the correct values
        $result['hemocomponenteBolsa'];
    }
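The same array-of-filters approach, carried one step further as an added example (not code from the answer above): it distinguishes a missing field (NULL) from an invalid one (FALSE), keeps a valid 0 from being rejected, and validates dtVencimento as a real calendar date instead of merely sanitizing it. The YYYY-MM-DD format and the use of filter_var_array on a constructed array (so it runs offline) are assumptions; with a live request you would pass $_POST or use filter_input_array.

```php
<?php
// Added example, not the answer's own code. Assumes PHP 7+ and a
// YYYY-MM-DD date format for dtVencimento (assumption).

function validDate($value)
{
    // Accept only a date that really exists: createFromFormat rolls
    // 2024-02-30 over to March 1st, so re-formatting exposes that.
    $d = DateTime::createFromFormat('!Y-m-d', (string) $value);
    return ($d !== false && $d->format('Y-m-d') === $value) ? $value : false;
}

function validateBolsa(array $input)
{
    $filters = [
        'hemocomponenteBolsa' => FILTER_VALIDATE_INT,
        'grupoSanguineoBolsa' => FILTER_VALIDATE_INT,
        'fatorRHBolsa'        => FILTER_VALIDATE_INT,
        'statusBolsa'         => FILTER_VALIDATE_INT,
        'dtVencimento'        => ['filter' => FILTER_CALLBACK, 'options' => 'validDate'],
    ];
    // Keys absent from $input come back as NULL, invalid values as FALSE.
    $result = filter_var_array($input, $filters);

    $errors = [];
    foreach ($filters as $field => $unused) {
        if ($result[$field] === null) {
            $errors[$field] = 'missing';
        } elseif ($result[$field] === false) {
            $errors[$field] = 'invalid';
        }
        // Strict comparison above: a valid integer 0 is neither NULL nor FALSE.
    }
    return ['ok' => $errors === [], 'values' => $result, 'errors' => $errors];
}

// Constructed sample request: statusBolsa is 0, fatorRHBolsa is not an
// integer, grupoSanguineoBolsa is absent, and the date does not exist.
$sample = [
    'hemocomponenteBolsa' => '3',
    'fatorRHBolsa'        => 'abc',
    'statusBolsa'         => '0',
    'dtVencimento'        => '2024-02-30',
];
$check = validateBolsa($sample);
print_r($check['errors']);
```

When $check['ok'] is false, the per-field errors can be reported back to the form instead of the generic "Erro 007" message, and only $check['values'] should ever reach the database code.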

  • Very good answer Virgilio! I just had a small problem: I have an input (remarks) that may come as a string or may come with nothing at all, i.e. empty. Which filter could I use? Using your idea it looked like this: $filters = ['hemocomponenteBolsa' => FILTER_VALIDATE_INT, 'grupoSanguineoBolsa' => FILTER_VALIDATE_INT, ..., 'obsBolsa' => FILTER_SANITIZE_STRING]; Only, if I use FILTER_SANITIZE_STRING and it comes empty, it yields a false. How could I do it? I tried to manually assign a default value when the variable came empty, but it didn't work.

  • @Gabrielq. I did the edit with a more code-like style!

  • Excellent answer Virgil! I managed to implement your code and your ideas in my system and, besides that, I learned many new things from this answer. Thank you very much!

  • @Virgilionovic, change in_array(FALSE, array_values($result)) to in_array(FALSE, array_values($result), true); that will prevent PHP from converting types.

  • @Inkeliz it has already been added, the last word from your comment; you really do have to put it, because of the value 0 that may occur in some input. Thank you.

  • @Gabrielq. I failed to put in a flag that Inkeliz mentioned in the comments; because typing a 0 into an input would have an unexpected effect, just put TRUE as the last parameter of in_array!
