by Marc Plotz
You may have noticed that I have mentioned in one of my previous articles that PHP’s biggest weakness lies in its simplicity. But don’t for one second get me wrong – I am a PHP developer, and I will be until the day I die. But there is good code, and there is bad code. This article will teach you how to ensure that your code falls into the good category.
Perhaps some of the most amusing discussions I have seen in developer forums are the ones debating whether PHP is a “REAL” programming language or not. Apparently it is said that PHP will never have the power of Java, because PHP is a loosely typed language. Well, yeah. What you do need to remember though is that PHP was never designed to be a clone of Java. PHP is not a solid-state system. It runs for a fraction of a second–while the page is loading–and then it stops running. That is it. This is the reason that there are things like GET, POST and SESSION in PHP: in a non-solid-state system you need to carry information from one page to the next. So PHP does what it was designed to do. Now the point I’m trying to make here is that yes, PHP is a loosely typed language–IF YOU CODE IT TO BE LIKE THAT. It is up to the person designing and implementing the system to decide from the beginning whether he is going to do this properly or not. The same applies to your validation techniques.
Validation is perhaps the most important thing you can do on a website. Forgetting to validate absolutely every part of your website or application that interacts with a user is probably the most common mistake you can make. I know from my own experience that validation can be a pain. Usually in my mind this huge grapevine of a SWITCH starts to emerge whenever someone starts talking about validation. If that is happening to you right now, sit back and relax: PHP has built-in validation functions just ready for you to use.
PHP Filters are an extension of PHP that help you to easily – and reliably – validate variables and strings, so that you will hopefully never have something like this happening again:
<?php include($_GET['filename']); ?>
or, even worse,
<?php mysql_query("INSERT INTO table (field) VALUES ({$_POST['value']})"); ?>
Filtering Variables
To use the filter extension to filter variables, you use the filter_var() function. Let us try to validate the following as an integer, for example.
$variable = 1122; echo filter_var($variable, FILTER_VALIDATE_INT);
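As an added example (not code from the article), here is filter_var() applied to the kind of request input the two bad snippets above take straight from $_GET and $_POST; it goes beyond the single integer case by showing the range options, the false-versus-0 check, and a regexp filter for the include() case. The $request array, validateInt() and validatePage() are constructed for this demo and run from the command line without a web server.

```php
<?php
// Constructed request data standing in for $_GET / $_POST, so this runs offline.
$request = [
    'value'    => '42',                    // integer-looking string from a form
    'bad'      => '42; DROP TABLE users',  // not an integer at all
    'zero'     => '0',                     // a valid integer that happens to be falsy
    'filename' => '../etc/passwd',         // must never reach include()
];

// FILTER_VALIDATE_INT returns the integer on success and false on failure.
// Always compare with === : a plain echo, as in the article's one-liner,
// prints an empty string for both false and a legitimate 0.
function validateInt(string $input, int $min, int $max)
{
    return filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
}

$value = validateInt($request['value'], 1, 1000);
$bad   = validateInt($request['bad'], 1, 1000);
$zero  = filter_var($request['zero'], FILTER_VALIDATE_INT);

if ($bad === false) {
    echo "rejected 'bad': not an integer within 1..1000\n";
}
if ($zero !== false) {
    echo "'0' is a valid integer even though it is falsy\n";
}
var_dump($value);

// For include(), validate the page name against a strict pattern AND an
// allowlist of known pages instead of trusting $_GET['filename'] directly.
function validatePage(string $name, array $allowed)
{
    $clean = filter_var($name, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[a-z0-9_]{1,32}$/'],
    ]);
    if ($clean === false || !in_array($clean, $allowed, true)) {
        return false;
    }
    return $clean . '.php';
}

var_dump(validatePage($request['filename'], ['home', 'about']));
var_dump(validatePage('about', ['home', 'about']));
```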