What is the difference between Sanitize and filter in PHP?

While writing a security class for PHP, I noticed two similar constants, such as FILTER_SANITIZE_NUMBER_INT and FILTER_VALIDATE_INT.

The same pattern holds for the validation of e-mail, strings and others. What is the difference between these two constants? When should one or the other be used?

Would the following method be 'correct' for a more secure validation?

public static function int($name)
{
    $_POST[$name] = filter_input(INPUT_POST, $name, FILTER_SANITIZE_NUMBER_INT);

    if(filter_var($_POST[$name], FILTER_VALIDATE_INT))
        return true;
    return false;
}

There are standard functions in PHP, such as is_int() and is_integer(), but they seem to be less reliable. (I'm not sure.)

1 answer

The difference between FILTER_SANITIZE_* and FILTER_VALIDATE_* is that the first tries to 'convert' an input into a specific 'safe' format using well-specified rules. This modification does not guarantee a valid output. The second checks whether the input conforms to the established standard (int, email, IP, etc.).

It is important to consult the documentation (in English) before using these constants together with their respective functions, as their handling rules may be quite different from what the language itself does; see the examples below.

FILTER_SANITIZE_NUMBER_INT

Tries to convert a string into a number; however, the rule used is quite loose: it removes all non-numeric characters (0-9) except the symbols +, - and . that are needed to represent negative or fractional numbers. That is, there is a high chance of a false positive. FILTER_SANITIZE_NUMBER_INT is a less restrictive version of the cast:

$id = (int) $_GET['id'];

Let's say a bank record should be changed, but first let's validate the user input.

$id = '-aaa3';
$id = filter_var($id, FILTER_SANITIZE_NUMBER_INT); //-3

$id2 = '-++';
$id2 = filter_var($id2, FILTER_SANITIZE_NUMBER_INT); //-++ (only digits, + and - are kept, so nothing is removed)

The output is -3 when a conversion failure should have been returned.

FILTER_VALIDATE_INT

Checks whether the passed string is a valid integer (otherwise it returns false); the plus + and minus - signs are allowed only at the beginning.

$id = '3-';
$id = filter_var($id, FILTER_VALIDATE_INT); //false

$id = '-3';
$id = filter_var($id, FILTER_VALIDATE_INT); //-3

Code Review

The code in the question can start from a wrong premise and pass an incorrect result forward. For example, the input 4@2 is not a valid integer; when FILTER_SANITIZE_NUMBER_INT is applied, the @ is removed, turning the input into a valid integer (42). The function will return true, but will this 42 cause a problem further on?

The biggest issues when validating an integer are: not letting PHP convert only the numeric part of the string, so as not to generate false positives, and checking that the input consists solely of digits (0-9) or signs (-+).

is_integer() is an alias of is_int(); this function checks whether the variable's type is int, otherwise it returns false. A valid numeric string returns false, and if any conversion is made there is the problem of taking only the numeric part.

The most appropriate and strict option in this case is ctype_digit(). The function requires that a string be passed, and returns true if it consists only of digits (0-9).

ctype_digit() has one inconvenience. If an integer in the range -128 to 255 is passed, it is interpreted as an ASCII code, or false is returned. However, there is a curious way to convert an input into a string, which is to put the value or variable between double quotes.

$id = 255;
var_dump(ctype_digit("$id")); //true
var_dump(ctype_digit($id)); //false

Related:

Why in PHP the expression "2 + '6 apples'" is 8?

"1-----1-+--1" is a valid integer value in PHP?
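To make the comparison in the answer concrete, here is an added example (not code from the question or the answer) that runs the question's sanitize-then-validate approach, a validate-only check and a ctype_digit() check over the same inputs; the function names and the input list are my own, constructed for illustration.

```php
<?php
// Added example: three ways of accepting an integer from untrusted input,
// run side by side so the false positives of sanitize-then-validate stand out.

// The approach from the question: sanitize first, then validate.
// Returns the integer, or null when the input is rejected.
function sanitizeThenValidate(string $input): ?int
{
    $clean = filter_var($input, FILTER_SANITIZE_NUMBER_INT); // strips everything but 0-9, + and -
    $n = filter_var($clean, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Validate only: the whole string must already be an integer literal.
// Compare strictly against false; a plain truthiness test would reject "0".
function validateOnly(string $input): ?int
{
    $n = filter_var($input, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Digits-only check with ctype_digit(), using the double-quote cast from the answer
// so a PHP int is not interpreted as an ASCII code. At most one leading sign is allowed.
function digitsOnly($input): ?int
{
    $s = "$input";
    $unsigned = ltrim($s, '+-');
    $signLen = strlen($s) - strlen($unsigned);
    if ($unsigned === '' || $signLen > 1 || !ctype_digit($unsigned)) {
        return null;
    }
    return (int) $s;
}

// Constructed inputs: valid integers, the answer's examples and a few edge cases.
$inputs = ['42', '-3', '0', '4@2', '-aaa3', '3-', '-++', '255', '1e3', ' 7'];

printf("%-9s %-9s %-9s %-9s\n", 'input', 'san+val', 'val only', 'ctype');
foreach ($inputs as $in) {
    printf("%-9s %-9s %-9s %-9s\n",
        var_export($in, true),
        var_export(sanitizeThenValidate($in), true), // '4@2' and '1e3' become 42 and 13
        var_export(validateOnly($in), true),         // rejects them, but trims ' 7' to 7
        var_export(digitsOnly($in), true));          // accepts only sign + digits
}
```

The table shows why the answer warns against sanitizing before validating: '4@2', '-aaa3' and '1e3' all pass the first column with a number the user never typed, while the stricter checks return null.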

  • I’ll add something else.

  • Great, just one question: regarding the method I quoted in the question, is it a safe way to validate inputs?

  • @lvcs I'm editing slowly. It depends a little on the situation; if it is to know whether the number is an integer, it does not seem to me a good option (of course it depends on the rigidity you need). The problem I see is that the function takes the numeric part (if it exists) of the input, filters it more or less properly and passes it forward, e.g. 4@5: it removes the @ and turns it into 45, a valid integer, but what happens if I pass it forward, will the expected result happen? I'll detail this and add it to the answer.

  • Oh yes, I understand; in a way it's really not the best option.
