PHP Filters
Validating data = Check that the data is in the expected format.
Sanitizing data = Remove any special characters that do not belong in the expected input format.
The PHP Filter Extension
Validation and sanitization of external input are done via PHP filters.
Many of the functions needed for validating user input are included in the PHP filter extension, which is meant to make data validation easier and faster.
Example :- The filter_list() function can be used to display a list of the PHP filter extension's available options :
<?php
echo "Filter Name | Filter ID\n";
// filter_list() returns the names of all available filters; filter_id() maps a name to its numeric ID
foreach (filter_list() as $id => $filter) {
    echo $filter . ' | ' . filter_id($filter) . "\n";
}
?>
Output :-
| Filter Name | Filter ID |
|---|---|
| int | 257 |
| boolean | 258 |
| float | 259 |
| validate_regexp | 272 |
| validate_domain | 277 |
| validate_url | 273 |
| validate_email | 274 |
| validate_ip | 275 |
| validate_mac | 276 |
| string | 513 |
| stripped | 513 |
| encoded | 514 |
| special_chars | 515 |
| full_special_chars | 522 |
| unsafe_raw | 516 |
| | 517 |
| url | 518 |
| number_int | 519 |
| number_float | 520 |
| magic_quotes | 521 |
| callback | 1024 |
Why Use Filters
Many web apps take input from the outside world. External data/input can come from :
- User input from a form
- Cookies
- Web services data
- Server variables
- Database query results
External data should always be validated!
Invalid data submitted may cause security issues and crash your website!
By using PHP filters you can ensure that your application receives the correct input!
PHP filter_var() Function
Data is validated and sanitized using the filter_var() function.
The filter_var() function filters a single variable with a specified filter.
It takes two pieces of data :
- The variable you want to check
- The type of check to use
Sanitize a String
The FILTER_SANITIZE_STRING option is used to remove any HTML tags and entities from the given input.
Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; when the goal is output that is safe to echo into HTML, use htmlspecialchars() or FILTER_SANITIZE_FULL_SPECIAL_CHARS instead.
Example :-
<?php
$str = "<h1>Hello World!</h1>";  // sample input wrapped in an HTML tag (the tag is assumed; it did not survive extraction)
$newstr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newstr;
?>
Output :-
Remove Characters With ASCII Value > 127
The FILTER_FLAG_STRIP_HIGH flag is used to remove any characters which have an ASCII value greater than 127.
The flag works byte by byte, so every byte of a multi-byte UTF-8 character is removed as well; do not use it on input that is expected to contain non-ASCII text.
Example :- In this example, a string is sanitized with filter_var(). Both HTML tags and characters with ASCII value > 127 will be deleted from the string :
<?php
$str = "<h1>Hello WorldÆØÅ!</h1>";  // sample input wrapped in an HTML tag (the tag is assumed; it did not survive extraction)
// Remove HTML tags and all characters with ASCII value > 127
$newstr = filter_var($str, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
echo $newstr;
?>
Output :-
Validate an Integer
The FILTER_VALIDATE_INT option is used to check whether a given input is an integer or not.
Example :- The following example determines whether the variable $x is an integer or not.
<?php
$y = 5.67;
// filter_var() returns the integer on success and false on failure, so compare strictly against false
if (filter_var($y, FILTER_VALIDATE_INT) !== false) {
    echo("y is integer");
} else {
    echo("y is not integer");
}
?>
Output :-
y is not integer
Tip: filter_var() and Problem With 0
A naive check treats "0" as if it were not an integer: filter_var("0", FILTER_VALIDATE_INT) returns the integer 0, which is falsy, so a plain truthiness test on the return value reports a failure. Always compare the result strictly with false.
Example :- Use the following code to solve this problem with "0":
Output :-
Validate an Integer Within a Range
The filter_var() function is also used to check whether a given integer value is within a range or not.
Example :- This example uses the filter_var() function to check for an INT type variable whose value must lie between 1 and 200 :
<?php
$int = 122;  // value under test (assumed sample value; the original assignment did not survive extraction)
$min = 1;
$max = 200;
// min_range and max_range are passed in the "options" array; the result is false when the value is not an int or is out of range
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {
    echo("Variable value is not within the legal range");
} else {
    echo("Variable value is within the legal range");
}
?>
Output :-
Validate an IP Address
The FILTER_VALIDATE_IP option is used to check whether the given input is a valid IP address or not.
Example :- To check an IPv4 address
Output :-
Validate IPv6 Address
The FILTER_FLAG_IPV6 flag, used together with FILTER_VALIDATE_IP, checks whether an input is an IPv6 address or not.
Example :- In this instance, the filter_var() function checks if the $ip variable is a valid IPv6 address :
Output :-
Sanitize and Validate an Email Address
The FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL options are used to sanitize and validate an email address from the given input data.
The FILTER_SANITIZE_EMAIL option is used to remove any illegal characters from the input data.
The FILTER_VALIDATE_EMAIL option is used to check whether the given input is a valid email address or not.
Example :-
Output :-
Sanitize and Validate a URL
The FILTER_SANITIZE_URL and FILTER_VALIDATE_URL options are used to sanitize and validate an internet URL from the given input data.
The FILTER_SANITIZE_URL option is used to remove any prohibited characters from the input data.
The FILTER_VALIDATE_URL option is used to check whether the given input is a valid web URL or not.
Example :-
Output :-
Validate URL - Must Contain QueryString
The FILTER_FLAG_QUERY_REQUIRED flag, used together with FILTER_VALIDATE_URL, checks whether a URL contains a query string or not.
Example :- This example uses filter_var() to see whether the variable $url contains a query string :
Output :-
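The checks described in the sections above (integer and range validation including the "0" case, IP, email, URL with a required query string, and HTML-safe sanitization), gathered into one added example that is not part of the original page. The helper names (checkedInt, checkedIp, checkedEmail, checkedUrlWithQuery, htmlSafe) and the sample inputs are my own; the script assumes PHP 8.

```php
<?php
// Added example, not from the original page; needs PHP 8. Each check compares strictly
// with false: filter_var() returns the value on success (possibly 0 or ""), false on failure.

/** Returns $value as an int if it is an integer within [$min, $max], else null. */
function checkedInt(mixed $value, int $min, int $max): ?int
{
    $r = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $r === false ? null : $r;
}

/** Validates an IP address; pass FILTER_FLAG_IPV4 or FILTER_FLAG_IPV6 to restrict the family. */
function checkedIp(string $value, int $flags = 0): ?string
{
    $r = filter_var($value, FILTER_VALIDATE_IP, $flags);
    return $r === false ? null : $r;
}

/** Strips illegal characters, then validates the result as an e-mail address. */
function checkedEmail(string $value): ?string
{
    $clean = filter_var($value, FILTER_SANITIZE_EMAIL);
    $r = filter_var($clean, FILTER_VALIDATE_EMAIL);
    return $r === false ? null : $r;
}

/** Validates a URL and additionally requires it to carry a query string. */
function checkedUrlWithQuery(string $value): ?string
{
    $r = filter_var($value, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED);
    return $r === false ? null : $r;
}

/** Encodes HTML special characters so the string can be echoed into a page safely. */
function htmlSafe(string $value): string
{
    return filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}

// Constructed sample inputs covering the edge cases discussed above.
var_dump(checkedInt("0", 0, 200));                         // zero must not be mistaken for a failed check
var_dump(checkedInt("5.67", 1, 200));                      // not an integer
var_dump(checkedInt("250", 1, 200));                       // outside the allowed range
var_dump(checkedIp("2001:db8::1", FILTER_FLAG_IPV6));      // IPv6 address
var_dump(checkedIp("192.168.1.300"));                      // invalid IPv4 octet
var_dump(checkedEmail("john.doe@(example).com"));          // parentheses are stripped before validation
var_dump(checkedUrlWithQuery("https://example.com/"));     // rejected: no query string
var_dump(checkedUrlWithQuery("https://example.com/?q=1")); // accepted: query string present
var_dump(htmlSafe("<h1>Hello World!</h1>"));               // angle brackets become HTML entities
```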