PHP Filters



Validating data = Check to see that the data is in a suitable format.

Sanitizing data = Remove any characters that do not belong in the expected input format.

The PHP Filter Extension

External input is validated and sanitized with PHP filters.

Many of the functions needed for verifying user input are included in the PHP filter extension, which is meant to make data validation easier and faster.

Example :- The filter_list() function can be used to list the filters that the PHP filter extension provides :

<!DOCTYPE html>
<html>
<body>
<table>
  <tr>
    <th>Filter Name</th>
    <th>Filter ID</th>
  </tr>
  <?php
  foreach (filter_list() as $id =>$filter) {
    echo '<tr><td>' . $filter . '</td><td>' . filter_id($filter) . '</td></tr>';
  }
  ?>
</table>
</body>
</html>

Output :-

Filter Name          Filter ID
int                  257
boolean              258
float                259
validate_regexp      272
validate_domain      277
validate_url         273
validate_email       274
validate_ip          275
validate_mac         276
string               513
stripped             513
encoded              514
special_chars        515
full_special_chars   522
unsafe_raw           516
email                517
url                  518
number_int           519
number_float         520
magic_quotes         521
callback             1024

Why Use Filters

Many web apps take input from the outside world. External input can come from :

  • User input from a form
  • Cookies
  • Web services data
  • Server variables
  • Database query results

External data should always be validated!

Invalid submitted data can cause security problems and crash your website!

You can ensure that your application receives the correct input by using PHP filters!

PHP filter_var() Function

Data is validated and sanitized using the filter_var() function.

The filter_var() function filters a single variable with a specified filter.

It takes two pieces of data :

  • The variable you want to check
  • The type of check to use

Sanitize a String

The FILTER_SANITIZE_STRING option is used to remove any HTML tags and entities from the given input.

Example :-

<?php
$str = "<h1>Hello World!</h1>";
$newstr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newstr;
?>

Output :-

Hello World!




Remove Characters With ASCII Value > 127

The FILTER_FLAG_STRIP_HIGH flag is used to remove any characters which have an ASCII value greater than 127.

Example :- In this example, a string is sanitized with filter_var(). Both HTML tags and characters with an ASCII value > 127 are removed from the string :

<?php
// Variable to check
$str = "<h1>Hello WorldÆØÅ!</h1>";
// Remove HTML tags and all characters with ASCII value > 127
$newstr = filter_var($str, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
echo $newstr;
?>

Output :-

Hello World!
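
FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, and the PHP manual points to htmlspecialchars() instead. The following added example (not code from the original page) shows the two sanitizing examples above without the deprecated filter; the helper names html_out() and plain_ascii() and the sample input are assumptions made for illustration.

```php
<?php
// Added example (not from the original page). $input is a constructed sample.
$input = '<h1>Hello "WorldÆØÅ"!</h1>';

/** Encode a value for HTML text or a quoted attribute. Hypothetical helper. */
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Drop tags, then strip bytes above 127 without the deprecated filter. Hypothetical helper. */
function plain_ascii(string $value): string
{
    $noTags = strip_tags($value);
    $ascii  = filter_var($noTags, FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_HIGH);
    return $ascii === false ? '' : $ascii;
}

// Keep the raw input as submitted and encode it at the point of output.
echo html_out($input), "\n";

// Stripping tags changes the data but does not make it safe to echo:
// the result still goes through html_out() before it reaches the page.
echo html_out(plain_ascii($input)), "\n";
```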


Validate an Integer

The FILTER_VALIDATE_INT option is used to check whether a given input is an integer or not.

Example :- The following example determines whether the variables $x and $y are integers.

<?php
$x = 100;
if (!filter_var($x, FILTER_VALIDATE_INT) === false) {
  echo("x is integer");
} else {
  echo("x is not integer");
}
echo "<br />";
$y = 5.67;
if (!filter_var($y, FILTER_VALIDATE_INT) === false) {
  echo("y is integer");
} else {
  echo("y is not integer");
}
?>

Output :-

x is integer
y is not integer

Tip: filter_var() and Problem With 0

With the check used above, filter_var() appears to treat 0 as not an integer: for the input 0 it returns the integer 0, which PHP evaluates as false.

Example :- Use the following code to solve this problem with 0 :

<?php
$int = 0;
if (filter_var($int, FILTER_VALIDATE_INT) === 0 || !filter_var($int, FILTER_VALIDATE_INT) === false) {
  echo("Integer is valid");
} else {
  echo("Integer is not valid");
}
?>

Output :-

Integer is valid


Validate an Integer Within a Range

The filter_var() function can also be used to check whether a given integer value is within a range or not.

Example :- This example uses the filter_var() function to check whether a variable is an integer in the range 1 to 200 :

<?php
/* variable to check */
$int = 122;
/* min value */
$min = 1;
/* max value */
$max = 200;
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {
  echo("Variable value is not within the legal range");
} else {
  echo("Variable value is within the legal range");
}
?>

Output :-

Variable value is within the legal range
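
The "Problem With 0" tip and the range check above can be handled by one helper that compares the filter_var() result with false using a strict operator, so a valid 0 is never mistaken for a failure. This is an added example, not code from the original page; the helper name int_in_range(), the range 0 to 200 and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the original page); sample inputs are constructed.

/**
 * Return the validated integer, or null when $raw is not an integer
 * inside [$min, $max]. Hypothetical helper name.
 */
function int_in_range($raw, int $min, int $max): ?int
{
    $result = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // filter_var() returns false on failure and the integer on success.
    // Comparing with === keeps a valid 0 apart from a failed check.
    return $result === false ? null : $result;
}

// Constructed inputs: integers, numeric strings, a float string,
// trailing garbage and an empty string.
$samples = [0, '0', '122', '201', '5.67', '12abc', ''];

foreach ($samples as $raw) {
    $value = int_in_range($raw, 0, 200);
    echo var_export($raw, true), ' => ',
         $value === null ? 'rejected' : "accepted as $value", "\n";
}
```

Use the returned integer in the rest of the code rather than the original string, so the value that was checked is the value that gets used.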




Validate an IP Address

The FILTER_VALIDATE_IP option is used to check or validate whether the given input is a valid computer IP Address or not.

Example :- To check an IPV4 Address

<?php
$ip = "127.0.0.1";
if (!filter_var($ip, FILTER_VALIDATE_IP) === false) {
  echo("$ip is a valid IP address");
} else {
  echo("$ip is not a valid IP address");
}
?>

Output :-

127.0.0.1 is a valid IP address

Validate IPv6 Address

The FILTER_FLAG_IPV6 flag is used to check whether an input is an IPv6 address or not.

Example :- In this instance, the filter_var() method checks if the $ip variable is a valid IPv6 address :

<?php
// Variable to check
$ip = "2001:0db8:85a3:08d3:1319:8a2e:0370:7334";
// Validate ip as IPv6
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
  echo("$ip is a valid IPv6 address");
} else {
  echo("$ip is not a valid IPv6 address");
}
?>

Output :-

2001:0db8:85a3:08d3:1319:8a2e:0370:7334 is a valid IPv6 address


Sanitize and Validate an Email Address

The FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL options are used to sanitize and validate an email address from the given input data.

The FILTER_SANITIZE_EMAIL option is used to remove any illegal characters from the input data.

The FILTER_VALIDATE_EMAIL option is used to check whether the given input is a valid email address or not.

Example :-

<?php
$email = "info@example.com";
// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// Validate e-mail
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
  echo("$email is a valid email address");
} else {
  echo("$email is not a valid email address");
}
?>

Output :-

info@example.com is a valid email address


Sanitize and Validate a URL

The FILTER_SANITIZE_URL and FILTER_VALIDATE_URL options are used to sanitize and validate an internet URL address from the given input data.

The FILTER_SANITIZE_URL option is used to remove any prohibited characters from the input data.

The FILTER_VALIDATE_URL option is used to check whether the given input is a valid web URL or not.

Example :-

<?php
$url = "https://www.simmanchith.com";
// Remove all illegal characters from a url
$url = filter_var($url, FILTER_SANITIZE_URL);
// Validate url
if (!filter_var($url, FILTER_VALIDATE_URL) === false) {
  echo("$url is a valid URL");
} else {
  echo("$url is not a valid URL");
}
?>

Output :-

https://www.simmanchith.com is a valid URL
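
FILTER_VALIDATE_URL checks URL syntax only and does not restrict the scheme, so a value that passes may still use a protocol the application never intended to accept. The following added example (not code from the original page) combines the filter with a scheme allowlist; the helper name is_allowed_url(), the http/https allowlist and the sample URLs are assumptions made for illustration.

```php
<?php
// Added example (not from the original page); the URLs below are constructed samples.

/**
 * Accept a URL only if FILTER_VALIDATE_URL passes and its scheme is on
 * an allowlist. Hypothetical helper; the default allowlist is an assumption.
 */
function is_allowed_url(string $raw, array $schemes = ['http', 'https']): bool
{
    // Validate the value exactly as submitted, so that what was checked
    // is what the application later uses.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = parse_url($raw, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), $schemes, true);
}

$samples = [
    'https://www.example.com/page?id=1',
    'ftp://example.com/file.txt',
    'javascript://example.com/',
    'mailto:info@example.com',
    'www.example.com',
];

foreach ($samples as $url) {
    $syntax = filter_var($url, FILTER_VALIDATE_URL) !== false;
    echo $url,
         ' | passes FILTER_VALIDATE_URL: ', $syntax ? 'yes' : 'no',
         ' | accepted by allowlist check: ', is_allowed_url($url) ? 'yes' : 'no',
         "\n";
}
```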


Validate URL - Must Contain QueryString

The FILTER_FLAG_QUERY_REQUIRED flag is used to check whether a URL contains a query string or not.

Example :- This example uses filter_var() to check whether the variable $url contains a query string :

<?php
// Variable to check
$url = "https://www.simmanchith.com";
// Validate url
if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED) === false) {
  echo("$url is a valid URL with a query string");
} else {
  echo("$url is not a valid URL with a query string");
}
?>

Output :-

https://www.simmanchith.com is not a valid URL with a query string
