2

I've got a function that takes a filter constant for `filter_input` as an optional parameter. Is it possible to make sure the value of the string is a valid PHP filter constant, perhaps with a built-in PHP function?

I know one way is to make my own array of all filter constants and check against that, but I was hoping for an easier or better way.

Bruno Leveque
Brack
  • [`defined()`](https://www.php.net/manual/en/function.defined.php), but what you are looking for is some kind of whitelist. – Dharman May 10 '19 at 15:51
  • Please see [`filter_list()`](https://php.net/filter_list) and [`filter_id()`](https://php.net/filter_id) in the PHP manual – hakre May 10 '19 at 18:58

2 Answers

2

You could verify against the list of filters:

```php
$valid = in_array($filter, filter_list(), true);
```

Where `$filter` contains the user-supplied filter value and `$valid` the result as a bool (`true` if valid, `false` if invalid).

See filter_list() in the PHP manual for more details.

hakre
  • Thanks I think this will work well. `filter_list()` is good to know about and didn't come up in my Googling. – Brack May 11 '19 at 19:38
  • @Brack: you're welcome. Next to googling, I often find it worthwhile to browse and read the related section in the PHP manual, e.g. the list of functions of the extension. This is how I discovered this one. There is an additional way, which is using reflection to get all constants from a PHP extension: https://www.php.net/manual/en/reflectionextension.getconstants.php - it works for every extension; however, it's not really appropriate in your case compared with `filter_list()`. – hakre May 11 '19 at 20:12
1

I was able to achieve this by using the `get_defined_constants()` PHP built-in function, which lists all predefined PHP constants.

Solution:

The code below will store all the allowed filters into an array and allow you to check any filter's validity via the check_filter() function.

```php
<?php

// Collect every defined constant whose name starts with "FILTER_".
$constants = get_defined_constants();
$allowed_filters = array();
foreach ($constants as $c => $val) {
    if (substr($c, 0, 7) == 'FILTER_') {
        $allowed_filters[$c] = 1;
    }
}

// Look up a constant *name* in the collected set.
function check_filter($filter_name, $allowed_filters)
{
    return isset($allowed_filters[$filter_name]);
}

var_dump(check_filter('FILTER_SANITIZE_EMAIL', $allowed_filters)); // true
var_dump(check_filter('FILTER_TEST', $allowed_filters)); // false
var_dump(check_filter('PHP_VERSION', $allowed_filters)); // false, even though constant exists
```

I hope this helps!

Bruno Leveque
  • A whitelist perhaps is still more precise; just looking for the `FILTER_` prefix will allow flags as well, see https://3v4l.org/r7gSm – hakre May 10 '19 at 18:38
  • Yes, I did this at first, but there are a lot of filters available and new ones are added in almost every new major version of PHP. – Bruno Leveque May 10 '19 at 18:38
  • Not only that, there is also a relation between filters and their flags, options and further parameters. This does not map 1:1 very well. Anyway, for the answer you give, you pass the name of the constant; however, I read the OP's question as checking against a constant's value (not its name). Also, for the answer you give, see as well https://stackoverflow.com/a/12482518/367456 – hakre May 10 '19 at 18:43
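
An added example, not code from either answer above: it combines the `filter_list()` and `filter_id()` functions mentioned in the comments to build an allow-list of filter IDs (the integer values behind the constants), so that flag constants sharing the `FILTER_` prefix and filter names passed as strings are both rejected. The helper names `allowed_filter_ids()`, `is_valid_filter()` and `filtered()` are hypothetical.

```php
<?php
declare(strict_types=1);

/**
 * Added example. Maps every filter the filter extension reports to its
 * integer ID, i.e. the value of constants such as FILTER_VALIDATE_INT.
 *
 * @return array<int, string> filter ID => filter name
 */
function allowed_filter_ids(): array
{
    $ids = [];
    foreach (filter_list() as $name) {
        $id = filter_id($name);   // int on success, false for unknown names
        if ($id !== false) {
            $ids[$id] = $name;
        }
    }
    return $ids;
}

/** Hypothetical helper: true only for an integer that is a real filter ID. */
function is_valid_filter($filter): bool
{
    // Strict type check first, so numeric strings and floats from
    // untrusted input never reach the array lookup.
    return is_int($filter) && array_key_exists($filter, allowed_filter_ids());
}

/** Hypothetical wrapper: refuse unknown filter IDs before calling filter_var(). */
function filtered($value, int $filter = FILTER_DEFAULT)
{
    if (!is_valid_filter($filter)) {
        throw new InvalidArgumentException("Unknown filter ID: {$filter}");
    }
    return filter_var($value, $filter);
}

// Constructed sample inputs:
var_dump(is_valid_filter(FILTER_VALIDATE_EMAIL)); // a filter constant
var_dump(is_valid_filter(FILTER_FLAG_ALLOW_HEX)); // a flag: FILTER_ prefix, but not a filter
var_dump(is_valid_filter('validate_email'));      // a filter name, not an ID
var_dump(filtered('42', FILTER_VALIDATE_INT));    // accepted filter, value passed through filter_var()
```

Because the list is built at run time, it tracks whatever filters the installed PHP version provides without a hand-maintained array.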