PHP数据验证与过滤-平芜编程栈

引言

数据验证和过滤是Web应用安全的第一道防线。PHP提供了丰富的内置过滤函数和验证工具，结合自定义规则可以构建完善的验证系统。

PHP内置过滤器

filter_var和filter_var_array是PHP提供的基础验证工具。

class FilterValidator
{
// 验证标量值
public static function validateEmail(string $email): bool
{
return filter_var($email, FILTER_VALIDATE_EMAIL) !== false;
}

public static function validateUrl(string $url): bool
{
$valid = filter_var($url, FILTER_VALIDATE_URL);
if ($valid === false) {
return false;
}

$scheme = parse_url($url, PHP_URL_SCHEME);
return in_array($scheme, ['http', 'https', 'ftp'], true);
}

public static function validateIp(string $ip, bool $allowPrivate = false): bool
{
$flags = 0;
if (!$allowPrivate) {
$flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
}
$v4 = filter_var($ip, FILTER_VALIDATE_IP, $flags | FILTER_FLAG_IPV4);
$v6 = filter_var($ip, FILTER_VALIDATE_IP, $flags | FILTER_FLAG_IPV6);
return $v4 !== false || $v6 !== false;
}

public static function validateInt(mixed $value, int $min = null, int $max = null): bool
{
$options = ['flags' => FILTER_FLAG_ALLOW_OCTAL | FILTER_FLAG_ALLOW_HEX];
if ($min !== null || $max !== null) {
$options['options'] = [];
if ($min !== null) {
$options['options']['min_range'] = $min;
}
if ($max !== null) {
$options['options']['max_range'] = $max;
}
}
return filter_var($value, FILTER_VALIDATE_INT, $options) !== false;
}

public static function validateFloat(mixed $value, float $min = null, float $max = null): bool
{
$valid = filter_var($value, FILTER_VALIDATE_FLOAT) !== false;
if (!$valid) {
return false;
}
$float = (float)$value;
if ($min !== null && $float < $min) {
return false;
}
if ($max !== null && $float > $max) {
return false;
}
return true;
}

public static function validateBoolean(mixed $value): bool
{
return in_array($value, [true, false, 'true', 'false', '1', '0', 1, 0], true);
}

public static function validateRegex(string $value, string $pattern): bool
{
return preg_match($pattern, $value) === 1;
}

public static function validateInArray(mixed $value, array $allowed): bool
{
return in_array($value, $allowed, true);
}

public static function validateMac(string $address): bool
{
return filter_var($address, FILTER_VALIDATE_MAC) !== false;
}

public static function sanitizeEmail(string $email): string
{
return filter_var($email, FILTER_SANITIZE_EMAIL);
}

public static function sanitizeUrl(string $url): string
{
return filter_var($url, FILTER_SANITIZE_URL);
}

public static function sanitizeString(string $input): string
{
return filter_var($input, FILTER_SANITIZE_STRING);
}

public static function sanitizeEncoded(string $input): string
{
return filter_var($input, FILTER_SANITIZE_ENCODED);
}

public static function sanitizeSpecialChars(string $input): string
{
return filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);
}

public static function sanitizeNumberInt(mixed $input): int
{
return (int) filter_var($input, FILTER_SANITIZE_NUMBER_INT);
}

public static function sanitizeNumberFloat(mixed $input): float
{
return (float) filter_var($input, FILTER_SANITIZE_NUMBER_FLOAT, [
'flags' => FILTER_FLAG_ALLOW_FRACTION | FILTER_FLAG_ALLOW_THOUSAND | FILTER_FLAG_ALLOW_SCIENTIFIC,
]);
}
}

printf("Email valid: %s\n", FilterValidator::validateEmail('user@example.com') ? 'yes' : 'no');
printf("Email invalid: %s\n", FilterValidator::validateEmail('not-an-email') ? 'yes' : 'no');
printf("IP valid: %s\n", FilterValidator::validateIp('192.168.1.1', false) ? 'yes' : 'no');
printf("IP (private allowed): %s\n", FilterValidator::validateIp('192.168.1.1', true) ? 'yes' : 'no');
printf("Int range: %s\n", FilterValidator::validateInt('150', 0, 100) ? 'yes' : 'no');
printf("Sanitized email: %s\n", FilterValidator::sanitizeEmail(" user@exa
// 过滤多维数组
$input = [
'name' => 'Alice',
'email' => 'alice@example.com',
'age' => '25',
'website' => 'https://alice.example.com',
'bio' => "Hello!",
];

$definitions = [
'name' => FILTER_SANITIZE_SPECIAL_CHARS,
'email' => FILTER_VALIDATE_EMAIL,
'age' => [
'filter' => FILTER_VALIDATE_INT,
'options' => ['min_range' => 18, 'max_range' => 120],
],
'website' => FILTER_VALIDATE_URL,
'bio' => FILTER_SANITIZE_STRING,
];

$result = filter_var_array($input, $definitions);
print_r($result);

// 高级验证规则引擎

构建一个声明式验证规则引擎，支持链式调用和自定义规则。

class Validator
{
private array $rules = [];
private array $errors = [];
private array $data = [];
private array $messages = [];
private bool $stopOnFailure = false;
private ?string $currentField = null;

public function __construct(array $data = [])
{
$this->data = $data;
}

public function setData(array $data): self
{
$this->data = $data;
return $this;
}

public function stopOnFailure(bool $stop = true): self
{
$this->stopOnFailure = $stop;
return $this;
}

public function messages(array $messages): self
{
$this->messages = array_merge($this->messages, $messages);
return $this;
}

public function field(string $name, string $label = null): self
{
$this->currentField = $name;
if (!isset($this->rules[$name])) {
$this->rules[$name] = [];
$this->errors[$name] = [];
}
return $this;
}

public function required(): self
{
return $this->addRule('required', function ($value) {
if ($value === null || $value === '' || $value === []) {
return false;
}
return true;
});
}

public function email(): self
{
return $this->addRule('email', function ($value) {
return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
});
}

public function url(): self
{
return $this->addRule('url', function ($value) {
return filter_var($value, FILTER_VALIDATE_URL) !== false;
});
}

public function ip(string $version = null): self
{
return $this->addRule('ip', function ($value) use ($version) {
$flags = 0;
if ($version === 'v4') {
$flags |= FILTER_FLAG_IPV4;
} elseif ($version === 'v6') {
$flags |= FILTER_FLAG_IPV6;
}
return filter_var($value, FILTER_VALIDATE_IP, $flags) !== false;
});
}

public function min(int $min): self
{
return $this->addRule('min', function ($value) use ($min) {
if (is_numeric($value)) {
return (float)$value >= $min;
}
if (is_string($value)) {
return mb_strlen($value) >= $min;
}
if (is_array($value)) {
return count($value) >= $min;
}
return false;
});
}

public function max(int $max): self
{
return $this->addRule('max', function ($value) use ($max) {
if (is_numeric($value)) {
return (float)$value <= $max;
}
if (is_string($value)) {
return mb_strlen($value) <= $max;
}
if (is_array($value)) {
return count($value) <= $max;
}
return false;
});
}

public function between(int $min, int $max): self
{
return $this->min($min)->max($max);
}

public function in(array $allowed): self
{
return $this->addRule('in', function ($value) use ($allowed) {
return in_array($value, $allowed, true);
});
}

public function notIn(array $disallowed): self
{
return $this->addRule('notIn', function ($value) use ($disallowed) {
return !in_array($value, $disallowed, true);
});
}

public function matches(string $field): self
{
return $this->addRule('matches', function ($value) use ($field) {
return isset($this->data[$field]) && $value === $this->data[$field];
});
}

public function regex(string $pattern): self
{
return $this->addRule('regex', function ($value) use ($pattern) {
return preg_match($pattern, $value) === 1;
});
}

public function alpha(): self
{
return $this->addRule('alpha', function ($value) {
return preg_match('/^[a-zA-Z]+$/', $value) === 1;
});
}

public function alphaNum(): self
{
return $this->addRule('alphaNum', function ($value) {
return preg_match('/^[a-zA-Z0-9]+$/', $value) === 1;
});
}

public function alphaDash(): self
{
return $this->addRule('alphaDash', function ($value) {
return preg_match('/^[a-zA-Z0-9_-]+$/', $value) === 1;
});
}

public function numeric(): self
{
return $this->addRule('numeric', function ($value) {
return is_numeric($value);
});
}

public function integer(): self
{
return $this->addRule('integer', function ($value) {
return filter_var($value, FILTER_VALIDATE_INT) !== false;
});
}

public function boolean(): self
{
return $this->addRule('boolean', function ($value) {
return in_array($value, [true, false, 'true', 'false', '1', '0', 1, 0], true);
});
}

public function date(string $format = 'Y-m-d'): self
{
return $this->addRule('date', function ($value) use ($format) {
$dt = \DateTime::createFromFormat($format, $value);
return $dt && $dt->format($format) === $value;
});
}

public function after(string $date): self
{
return $this->addRule('after', function ($value) use ($date) {
$valueTime = strtotime($value);
$dateTime = strtotime($date);
return $valueTime !== false && $dateTime !== false && $valueTime > $dateTime;
});
}

public function before(string $date): self
{
return $this->addRule('before', function ($value) use ($date) {
$valueTime = strtotime($value);
$dateTime = strtotime($date);
return $valueTime !== false && $dateTime !== false && $valueTime < $dateTime;
});
}

public function phone(string $country = 'CN'): self
{
return $this->addRule('phone', function ($value) use ($country) {
$patterns = [
'CN' => '/^1[3-9]\d{9}$/',
'US' => '/^\+?1?\d{10}$/',
'JP' => '/^\+?81\d{9,10}$/',
'UK' => '/^\+?44\d{10}$/',
];
$pattern = $patterns[$country] ?? $patterns['CN'];
return preg_match($pattern, $value) === 1;
});
}

public function postalCode(string $country = 'CN'): self
{
return $this->addRule('postalCode', function ($value) use ($country) {
$patterns = [
'CN' => '/^\d{6}$/',
'US' => '/^\d{5}(-\d{4})?$/',
'JP' => '/^\d{3}-\d{4}$/',
'DE' => '/^\d{5}$/',
];
$pattern = $patterns[$country] ?? $patterns['CN'];
return preg_match($pattern, $value) === 1;
});
}

public function json(): self
{
return $this->addRule('json', function ($value) {
if (!is_string($value)) {
return false;
}
json_decode($value);
return json_last_error() === JSON_ERROR_NONE;
});
}

public function distinct(): self
{
return $this->addRule('distinct', function ($value) {
if (!is_array($value)) {
return true;
}
return count($value) === count(array_unique($value));
});
}

public function size(int $size): self
{
return $this->addRule('size', function ($value) use ($size) {
if (is_string($value)) {
return mb_strlen($value) === $size;
}
if (is_array($value)) {
return count($value) === $size;
}
if (is_numeric($value)) {
return (float)$value === (float)$size;
}
return false;
});
}

public function each(callable $rule): self
{
return $this->addRule('each', function ($value) use ($rule) {
if (!is_array($value)) {
return false;
}
foreach ($value as $item) {
if (!$rule($item)) {
return false;
}
}
return true;
});
}

public function array(): self
{
return $this->addRule('array', function ($value) {
return is_array($value);
});
}

public function custom(string $name, callable $rule): self
{
return $this->addRule($name, $rule);
}

private function addRule(string $name, callable $rule): self
{
$field = $this->currentField;
if ($field === null) {
throw new RuntimeException('No field selected');
}
$this->rules[$field][] = ['name' => $name, 'rule' => $rule];
return $this;
}

public function validate(): bool
{
$this->errors = [];
$valid = true;

foreach ($this->rules as $field => $fieldRules) {
$value = $this->data[$field] ?? null;

foreach ($fieldRules as $ruleDef) {
$ruleName = $ruleDef['name'];
$rule = $ruleDef['rule'];

if (!$rule($value)) {
$this->errors[$field][] = $this->getErrorMessage($field, $ruleName);
$valid = false;

if ($this->stopOnFailure) {
return false;
}
break;
}
}
}

return $valid;
}

private function getErrorMessage(string $field, string $rule): string
{
$key = "$field.$rule";
if (isset($this->messages[$key])) {
return $this->messages[$key];
}
$defaults = [
'required' => "The $field field is required",
'email' => "The $field must be a valid email",
'url' => "The $field must be a valid URL",
'ip' => "The $field must be a valid IP address",
'min' => "The $field is too small",
'max' => "The $field is too large",
'between' => "The $field is out of range",
'in' => "The selected $field is invalid",
'matches' => "The $field confirmation does not match",
'regex' => "The $field format is invalid",
'alpha' => "The $field may only contain letters",
'alphaNum' => "The $field may only contain letters and numbers",
'numeric' => "The $field must be numeric",
'integer' => "The $field must be an integer",
'date' => "The $field is not a valid date",
];
return $defaults[$rule] ?? "The $field validation failed ($rule)";
}

public function getErrors(): array
{
return $this->errors;
}

public function getFirstError(): ?string
{
foreach ($this->errors as $field => $fieldErrors) {
if (!empty($fieldErrors)) {
return $fieldErrors[0];
}
}
return null;
}

public function getValidated(): array
{
$validated = [];
foreach ($this->rules as $field => $fieldRules) {
if (!isset($this->errors[$field]) || empty($this->errors[$field])) {
$validated[$field] = $this->data[$field] ?? null;
}
}
return $validated;
}
}

// 验证器用法
$data = [
'username' => 'alice123',
'email' => 'alice@example.com',
'password' => 'SecurePass1',
'password_confirmation' => 'SecurePass1',
'age' => 25,
'website' => 'https://alice.dev',
'bio' => 'PHP developer',
'agree' => true,
'birth_date' => '1998-05-15',
'phone' => '13800138000',
'postal_code' => '100000',
];

$validator = new Validator($data);

$validator
->field('username')
->required()->min(3)->max(30)->alphaDash()
->field('email')
->required()->email()
->field('password')
->required()->min(8)->max(64)->regex('/[A-Z]/')
->field('password_confirmation')
->required()->matches('password')
->field('age')
->required()->integer()->between(18, 120)
->field('website')
->url()
->field('bio')
->max(500)
->field('agree')
->required()->boolean()
->field('birth_date')
->required()->date('Y-m-d')->before('2008-01-01')
->field('phone')
->phone('CN')
->field('postal_code')
->postalCode('CN');

if ($validator->validate()) {
printf("Validation passed!\n");
print_r($validator->getValidated());
} else {
printf("Validation failed:\n");
foreach ($validator->getErrors() as $field => $errors) {
printf(" %s: %s\n", $field, implode(', ', $errors));
}
}

// 嵌套数组验证

class NestedValidator
{
private array $rules = [];
private array $errors = [];
private array $data = [];

public function __construct(array $data)
{
$this->data = $data;
}

public function addRule(string $path, string $label, callable $rule): self
{
$this->rules[] = compact('path', 'label', 'rule');
return $this;
}

public function validate(): bool
{
$this->errors = [];
$valid = true;

foreach ($this->rules as $ruleDef) {
$value = $this->getValue($ruleDef['path']);

if (!($ruleDef['rule'])($value)) {
$this->errors[$ruleDef['path']] = "{$ruleDef['label']} validation failed";
$valid = false;
}
}

return $valid;
}

private function getValue(string $path): mixed
{
$segments = explode('.', $path);
$current = $this->data;

foreach ($segments as $segment) {
if (is_array($current) && isset($current[$segment])) {
$current = $current[$segment];
} elseif (is_object($current) && isset($current->$segment)) {
$current = $current->$segment;
} else {
return null;
}
}

return $current;
}

public function getErrors(): array
{
return $this->errors;
}
}

// 嵌套数据验证
$complexData = [
'user' => [
'profile' => [
'name' => 'Alice',
'age' => 25,
'address' => [
'city' => 'Beijing',
'zip' => '100000',
],
],
'tags' => ['developer', 'php'],
],
'settings' => [
'notifications' => true,
'theme' => 'dark',
],
];

$nestedValidator = new NestedValidator($complexData);
$nestedValidator
->addRule('user.profile.name', 'Name', fn($v) => strlen($v) >= 2)
->addRule('user.profile.age', 'Age', fn($v) => is_int($v) && $v >= 18)
->addRule('user.profile.address.zip', 'Zip', fn($v) => preg_match('/^\d{6}$/', $v))
->addRule('user.tags', 'Tags', fn($v) => is_array($v) && count($v) > 0)
->addRule('settings.theme', 'Theme', fn($v) => in_array($v, ['light', 'dark'], true));

printf("\nNested validation: %s\n", $nestedValidator->validate() ? 'passed' : 'failed');

// 过滤规则引擎

class FilterPipeline
{
private array $filters = [];

public function add(callable $filter, string $name = null): self
{
$this->filters[] = ['fn' => $filter, 'name' => $name ?? 'filter_' . count($this->filters)];
return $this;
}

public function trim(): self
{
return $this->add(fn($v) => is_string($v) ? trim($v) : $v, 'trim');
}

public function stripTags(): self
{
return $this->add(fn($v) => is_string($v) ? strip_tags($v) : $v, 'strip_tags');
}

public function escape(): self
{
return $this->add(
fn($v) => is_string($v) ? htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') : $v,
'escape'
);
}

public function lower(): self
{
return $this->add(fn($v) => is_string($v) ? mb_strtolower($v) : $v, 'lower');
}

public function upper(): self
{
return $this->add(fn($v) => is_string($v) ? mb_strtoupper($v) : $v, 'upper');
}

public function ucfirst(): self
{
return $this->add(fn($v) => is_string($v) ? ucfirst($v) : $v, 'ucfirst');
}

public function digits(): self
{
return $this->add(fn($v) => is_string($v) ? preg_replace('/[^0-9]/', '', $v) : $v, 'digits');
}

public function alphanumeric(): self
{
return $this->add(
fn($v) => is_string($v) ? preg_replace('/[^a-zA-Z0-9]/', '', $v) : $v,
'alphanumeric'
);
}

public function nullIfEmpty(): self
{
return $this->add(fn($v) => ($v === '' || $v === []) ? null : $v, 'null_if_empty');
}

public function defaultValue(mixed $default): self
{
return $this->add(
fn($v) => ($v === null || $v === '') ? $default : $v,
'default_value'
);
}

public function cast(string $type): self
{
return $this->add(function ($v) use ($type) {
return match ($type) {
'int' => (int)$v,
'float' => (float)$v,
'string' => (string)$v,
'bool' => (bool)$v,
'array' => (array)$v,
default => $v,
};
}, "cast_$type");
}

public function apply(mixed $value): mixed
{
foreach ($this->filters as $filter) {
$value = $filter['fn']($value);
}
return $value;
}

public function applyAll(array $values): array
{
return array_map(fn($v) => $this->apply($v), $values);
}
}

$pipeline = new FilterPipeline();
$pipeline
->trim()
->stripTags()
->nullIfEmpty()
->defaultValue('anonymous');

$inputs = [
' Alice ',
"Bob",
' ',
'',
null,
];

foreach ($inputs as $input) {
$filtered = $pipeline->apply($input);
printf("Input: %s -> Filtered: %s\n",
var_export($input, true),
var_export($filtered, true)
);
}

// 请求数据验证（完整示例）

class RequestValidator
{
private Validator $validator;
private FilterPipeline $filters;
private array $sanitized = [];

public function __construct(array $data)
{
$this->validator = new Validator($data);
$this->filters = new FilterPipeline();
}

public function sanitize(array $fieldMap): self
{
foreach ($fieldMap as $field => $filters) {
$value = $this->getData()[$field] ?? null;
$pipeline = new FilterPipeline();
foreach ((array)$filters as $filter) {
if (is_string($filter) && method_exists($pipeline, $filter)) {
$pipeline->$filter();
} elseif (is_callable($filter)) {
$pipeline->add($filter);
}
}
$this->sanitized[$field] = $pipeline->apply($value);
}
return $this;
}

public function getData(): array
{
return $this->validator->getData();
}

public function getSanitized(): array
{
return array_merge($this->getData(), $this->sanitized);
}

public function __call(string $method, array $args): self
{
$this->validator->$method(...$args);
return $this;
}

public function validate(): bool
{
return $this->validator->validate();
}

public function getErrors(): array
{
return $this->validator->getErrors();
}
}

// 完整请求处理示例
$requestData = [
'username' => ' Alice ',
'email' => 'ALICE@EXAMPLE.COM',
'bio' => "PHP Developer",
'age' => '25',
];

$request = new RequestValidator($requestData);

$request
->sanitize([
'username' => ['trim', 'stripTags', 'alphanumeric'],
'email' => ['trim', 'lower'],
'bio' => ['trim', 'stripTags', 'escape'],
'age' => ['trim', 'digits', 'cast' => 'int'],
])
->field('username')->required()->min(3)->max(30)->alphaNum()
->field('email')->required()->email()
->field('age')->required()->integer()->between(18, 120);

if ($request->validate()) {
$clean = $request->getSanitized();
printf("\nValidated and sanitized data:\n");
print_r($clean);
} else {
printf("Validation errors:\n");
print_r($request->getErrors());
}

// 自定义验证规则示例

class CustomRules
{
public static function password(): callable
{
return function ($value): bool {
if (!is_string($value) || strlen($value) < 8) {
return false;
}
$checks = 0;
if (preg_match('/[A-Z]/', $value)) $checks++;
if (preg_match('/[a-z]/', $value)) $checks++;
if (preg_match('/[0-9]/', $value)) $checks++;
if (preg_match('/[^a-zA-Z0-9]/', $value)) $checks++;
return $checks >= 3;
};
}

public static function idCard(): callable
{
return function ($value): bool {
if (!preg_match('/^\d{17}[\dXx]$/', $value)) {
return false;
}
$factors = [7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2];
$checksum = '10X98765432';
$sum = 0;
for ($i = 0; $i < 17; $i++) {
$sum += intval($value[$i]) * $factors[$i];
}
return strtoupper($value[17]) === $checksum[$sum % 11];
};
}

public static function domain(): callable
{
return function ($value): bool {
return preg_match(
'/^(?:[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,}$/',
$value
) === 1;
};
}

public static function base64(): callable
{
return function ($value): bool {
return base64_encode(base64_decode($value, true)) === $value;
};
}

public static function colorHex(): callable
{
return function ($value): bool {
return preg_match('/^#([a-fA-F0-9]{3}|[a-fA-F0-9]{6}|[a-fA-F0-9]{8})$/', $value) === 1;
};
}
}

$customValidator = new Validator([
'password' => 'MyP@ss123',
'id_card' => '110101199001011234',
'domain' => 'example.com',
'color' => '#ff6600',
]);

$customValidator
->field('password')->custom('password', CustomRules::password())
->field('id_card')->custom('id_card', CustomRules::idCard())
->field('domain')->custom('domain', CustomRules::domain())
->field('color')->custom('color', CustomRules::colorHex());

printf("\nCustom rules: %s\n", $customValidator->validate() ? 'all passed' : 'failed');

PHP数据验证与过滤

UI-TARS桌面版：5分钟掌握智能GUI自动化的终极指南

从理论到实践：OAM模态复用与MIMO系统设计要点解析

可重构智能表面：从电磁超材料到6G无线通信的智能环境革命

TimeMoE-200M实战案例：用200M参数模型实现工业传感器数据精准预测

GPorTuguese-2揭秘：基于GPT-2的葡萄牙语文本生成模型完整指南

如何为Tiny RDM贡献翻译：5个简单步骤实现多语言支持