PHP 5.4.36 Released

除去フィルタ

除去フィルタの一覧
ID 名前 オプション フラグ 説明
FILTER_SANITIZE_EMAIL "email"     英字、数字および !#$%&'*+-/=?^_`{|}~@.[] 以外のすべての文字を取り除きます。
FILTER_SANITIZE_ENCODED "encoded"   FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH 文字列を URL エンコードします。オプションで、 特殊文字を取り除いたりエンコードしたりします。
FILTER_SANITIZE_MAGIC_QUOTES "magic_quotes"     addslashes() を適用します。
FILTER_SANITIZE_NUMBER_FLOAT "number_float"   FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC 数字、+- および オプションで .,eE 以外のすべての文字を取り除きます。
FILTER_SANITIZE_NUMBER_INT "number_int"     数字、プラス記号、マイナス記号 以外のすべての文字を取り除きます。
FILTER_SANITIZE_SPECIAL_CHARS "special_chars"   FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH '"<>& および ASCII 値が 32 未満の文字を HTML エスケープします。オプションで、 特殊文字を取り除いたりエンコードしたりします。
FILTER_SANITIZE_FULL_SPECIAL_CHARS "full_special_chars"   FILTER_FLAG_NO_ENCODE_QUOTES, htmlspecialchars()ENT_QUOTES を指定してコールするのと同じです。 クォートのエンコードを無効にするには FILTER_FLAG_NO_ENCODE_QUOTES を設定します。 htmlspecialchars() と同様、このフィルタは default_charset に対応しています。 現在の文字セットで無効な文字となるバイトシーケンスが検出されると文字列全体を拒否し、 結果は長さ 0 の文字列となります。 このフィルタをデフォルトのフィルタとして使う場合は、以下の警告を参考にして デフォルトのフラグを 0 に設定しましょう。
FILTER_SANITIZE_STRING "string"   FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP タグを取り除きます。オプションで、 特殊文字を取り除いたりエンコードしたりします。
FILTER_SANITIZE_STRIPPED "stripped"     "string" フィルタのエイリアス。
FILTER_SANITIZE_URL "url"     英字、数字および $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&= 以外のすべての文字を取り除きます。
FILTER_UNSAFE_RAW "unsafe_raw"   FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP 何もせず、オプションで特殊文字を取り除いたりエンコードしたりします。 FILTER_DEFAULT は、このフィルタのエイリアスです。

警告

これらのフィルタのいずれかを ini ファイルやウェブサーバーの設定でデフォルトフィルタとして使用すると、 デフォルトのフラグは FILTER_FLAG_NO_ENCODE_QUOTES となります。 デフォルトでクォートをエンコードさせるには、 明示的に filter.default_flags を 0 としなければなりません。

例1 デフォルトのフィルタを htmlspecialchars と同様の挙動にする設定

filter.default = full_special_chars
filter.default_flags = 0

add a note add a note

User Contributed Notes 9 notes

up
16
googlybash24 at aol dot com
2 years ago
Remember to trim() the $_POST before your filters are applied:

<?php

// We trim the $_POST data before any spaces get encoded to "%20"

// Trim array values using this function "trim_value"
function trim_value(&$value)
{
   
$value = trim($value);    // this removes whitespace and related characters from the beginning and end of the string
}
array_filter($_POST, 'trim_value');    // the data in $_POST is trimmed

$postfilter =    // set up the filters to be used with the trimmed post array
   
array(
           
'user_tasks'                        =>    array('filter' => FILTER_SANITIZE_STRING, 'flags' => !FILTER_FLAG_STRIP_LOW),    // removes tags. formatting code is encoded -- add nl2br() when displaying
           
'username'                            =>    array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW),    // we are using this in the url
           
'mod_title'                            =>    array('filter' => FILTER_SANITIZE_ENCODED, 'flags' => FILTER_FLAG_STRIP_LOW),    // we are using this in the url
       
);

$revised_post_array = filter_var_array($_POST, $postfilter);    // must be referenced via a variable which is now an array that takes the place of $_POST[]
echo (nl2br($revised_post_array['user_tasks']));    //-- use nl2br() upon output like so, for the ['user_tasks'] array value so that the newlines are formatted, since this is our HTML <textarea> field and we want to maintain newlines
?>
up
3
david dot drakulovski at gmail dot com
9 months ago
Here is a simpler and a better presented ASCII list for the <32 or 127> filters
(if wikipedia confused the hell out of you):

http://www.danshort.com/ASCIImap/
up
5
galvao at galvao dot eti dot br
1 year ago
Just to clarify, since this may be unknown for a lot of people:

ASCII characters above 127 are known as "Extended" and they represent characters such as greek letters and accented letters in latin alphabets, used in languages such as pt_BR.

A good ASCII quick reference (aside from the already mentioned Wikipedia article) can be found at: http://www.asciicodes.com/
up
5
adellemfrank at hotmail dot com
2 years ago
A good list of which ASCII characters are < 32 and > 127 can be found at: http://en.wikipedia.org/wiki/ASCII#ASCII_printable_characters
up
1
marcus at synchromedia dot co dot uk
5 years ago
It's not entirely clear what the LOW and HIGH ranges are. LOW is characters below 32, HIGH is those above 127, i.e. outside the ASCII range.

<?php
$a
= "\tcafé\n";
//This will remove the tab and the line break
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);
//This will remove the é.
echo filter_var($a, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
?>
up
-1
Anonymous
1 year ago
Support for FILTER_SANITIZE_FULL_SPECIAL_CHARS was added from version 5.3.3
up
-5
scamber256 at hotmail dot de
3 years ago
Just a hint I tested,

You can obtain all the chars <32 (so newline and c.return), by using not operator > !FILTER_FLAG_STRIP_LOW as the last argument.

Example:
filter_input(INPUT_GET,'test',FILTER_SANITIZE_STRING,!FILTER_FLAG_STRIP_LOW);

The filter keeps working as before removing anything else as before apart from FILTER_FLAG_STRIP_LOW.
Just filter those "bad" chars <32 manually you don't want.
up
-8
Dmitry Snytkine
3 years ago
Beware that FILTER_FLAG_STRIP_LOW strips NEWLINE and TAG and CARRIAGE RETURN chars. If you have a form that accepts user input in plaintext format, all the submitted text will lose all the line breaks, making it appear all on one line. This basically renders this filter useless for parsing user-submitted text, even in plain text.
up
-8
googlybash24 at aol dot com
2 years ago
This should help with most simple "textarea" fields in post forms.

Removing user html tags while maintaining text formatting such as newlines and carriage returns involves using the FILTER_SANITIZE_STRING filter ID with the flag !FILTER_FLAG_STRIP_LOW. The formatting text (the low ASCII values under decimal 32) are encoded because of the included FILTER_FLAG_ENCODE_LOW flag, but you are now preventing these from being removed. When you want to display the value on the page back in its intended format, use nl2br() so the encoded newlines are formatted properly on the page.

This example cleans $_POST data from a textarea field with the name "user_tasks" on a previous html form, stripping tags but maintaining formatting (at least for newlines):

<?php
$postfilter
=
    array(
           
'user_tasks'    =>    array('filter' => FILTER_SANITIZE_STRING, 'flags' => !FILTER_FLAG_STRIP_LOW),    // removes tags. formatting code is encoded -- add nl2br() when displaying
       
);

$revised_post_array = filter_input_array(INPUT_POST, $postfilter);    // must be referenced via a variable which is now an array that takes the place of $_POST[]
echo (nl2br($revised_post_array['user_tasks']));    // here we use nl2br() for the displayed value, for the ['user_tasks'] array value so that the newlines are formatted
?>
To Top