PHP filters are used to validate and filter data coming from insecure sources, like user input.
A PHP filter is used to validate and filter data coming from insecure sources.
To test, validate and filter user input or custom data is an important part of any web application.
The PHP filter extension is designed to make data filtering easier and quicker.
Almost all web applications depend on external input. Usually this comes from a user or another application (like a web service). By using filters you can be sure your application gets the correct input type.
You should always filter all external data!
Input filtering is one of the most important application security issues.
What is external data?
To filter a variable, use one of the following filter functions:
In the example below, we validate an integer using the filter_var() function:
The code above uses the "FILTER_VALIDATE_INT" filter to filter the variable. Since the integer is valid, the output of the code above will be: "Integer is valid".
If we try with a variable that is not an integer (like "123abc"), the output will be: "Integer is not valid".
For a complete list of functions and filters, visit our
PHP Filter Reference.
There are two kinds of filters:
Options and flags are used to add additional filtering options to the specified filters.
Different filters have different options and flags.
In the example below, we validate an integer using the filter_var() and the "min_range" and "max_range" options:
Like the code above, options must be put in an associative array with the name "options". If a flag is used it does not need to be in an array.
Since the integer is "300" it is not in the specified range, and the output of the code above will be: "Integer is not valid".
For a complete list of functions and filters, visit our PHP Filter Reference. Check each filter to see what options and flags are available.
Let's try validating input from a form.
The first thing we need to do is to confirm that the input data we are looking for exists.
Then we filter the input data using the filter_input() function.
In the example below, the input variable "email" is sent to the PHP page:
The example above has an input (email) sent to it using the "GET" method:
Let's try cleaning up an URL sent from a form.
First we confirm that the input data we are looking for exists.
Then we sanitize the input data using the filter_input() function.
In the example below, the input variable "url" is sent to the PHP page:
The example above has an input (url) sent to it using the "POST" method:
If the input variable is a string like this "http://www.W3ååSchøøools.com/", the $url variable after the sanitizing will look like this:
A form almost always consist of more than one input field. To avoid calling the filter_var or filter_input functions over and over, we can use the filter_var_array or the filter_input_array functions.
In this example we use the filter_input_array() function to filter three GET variables. The received GET variables is a name, an age and an e-mail address:
The example above has three inputs (name, age and email) sent to it using the "GET" method:
The second parameter of the filter_input_array() function can be an array or a single filter ID.
If the parameter is a single filter ID all values in the input array are filtered by the specified filter.
If the parameter is an array it must follow these rules:
It is possible to call a user defined function and use it as a filter using the FILTER_CALLBACK filter. This way, we have full control of the data filtering.
You can create your own user defined function or use an existing PHP function
The function you wish to use to filter is specified the same way as an option is specified. In an associative array with the name "options"
In the example below, we use a user created function to convert all "_" to whitespaces:
The result from the code above should look like this:
The example above converts all "_" to whitespaces:
Your message has been sent to W3Schools.