PHP Filters (Filter)
PHP filters are used to validate and filter data from untrusted sources, such as user input.
What are PHP filters?
PHP filters are used to validate and filter data from untrusted sources.
Validating and filtering user input or custom data is an important part of any web application.
The PHP filter extension is designed to make data filtering easier and faster.
Why use filters?
Almost all web applications rely on external input. This data usually comes from users or from other applications (such as web services). By using filters, you can ensure that the application receives input of the expected type.
You should always filter external data!
Input filtering is one of the most important application security topics.
What is external data?
- Input data from forms
- Cookies
- Server variables
- Database query results
Functions and Filters
To filter variables, please use one of the following filter functions:
- filter_var() - Filter a single variable through a specified filter
- filter_var_array() - Filter multiple variables through the same or different filters
- filter_input() - Retrieve a single input variable and filter it
- filter_input_array() - Retrieve multiple input variables and filter them through the same or different filters
In the following example, we use the filter_var() function to validate an integer:

```php
<?php
$int = 123;
// FILTER_VALIDATE_INT returns the integer on success and FALSE on failure.
// Compare with === false: a valid value of 0 would otherwise be reported as invalid.
if (filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>
```
The above code uses the "FILTER_VALIDATE_INT" filter to filter the variable. Since this integer is valid, the output of the code is: "Integer is valid".
If we try to use a non-integer variable, the output is: "Integer is not valid".
For a complete list of functions and filters, please visit our PHP Filter Reference Manual.
Validating and Sanitizing
There are two types of filters:
Validating filter:
- Used to validate user input
- Strict format rules (such as URL or E-Mail validation)
- Returns the expected type if successful, or FALSE if failed
Sanitizing filter:
- Used to allow or disallow specified characters in a string
- No data format rules
- Always returns a string
Options and flags
Options and flags are used to add additional filtering options to the specified filter.
Different filters have different options and flags.
In the following example, we use filter_var() with the "min_range" and "max_range" options to validate an integer:

```php
<?php
$var = 300;
// Options for the filter are grouped under the "options" key.
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
// Compare with === false: 0 is inside the range and must not be treated as a failure.
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>
```

As in the code above, options must be placed in an associative array under the key "options". Flags do not have to be in the array; they can be passed directly as the third argument instead.
Since the integer is 300, which is outside the specified range, the output of the code above is "Integer is not valid".
For a complete list of functions and filters, please visit the PHP Filter Reference Manual provided by CodeW3C.com, where you can see the available options and flags for each filter.
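The following script, added here as an example and not taken from the original tutorial, contrasts a validating filter with a sanitizing filter and shows both ways of passing flags. The function names validatePort(), validateHexOrDecimal() and sanitizeDigits() and the sample values are constructed for this illustration.

```php
<?php
// Added example (not from the original tutorial): validating vs. sanitizing
// filters, and passing options and flags to filter_var().

// A validating filter returns the typed value on success and FALSE on failure.
// Because 0 is a valid integer but also falsy, test with === false, not with !.
function validatePort($value)
{
    $options = array(
        "options" => array("min_range" => 0, "max_range" => 65535),
    );
    $result = filter_var($value, FILTER_VALIDATE_INT, $options);
    return $result === false ? null : $result;
}

// Flags go in the third argument directly, or under a "flags" key of the
// same array that carries the options. Both forms below are equivalent.
function validateHexOrDecimal($value)
{
    $direct   = filter_var($value, FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX);
    $viaArray = filter_var($value, FILTER_VALIDATE_INT, array("flags" => FILTER_FLAG_ALLOW_HEX));
    return array($direct, $viaArray);
}

// A sanitizing filter never reports failure: it strips what it does not
// allow and always returns a string, so "12abc" quietly becomes "12".
// That is why sanitizing is not a substitute for validating.
function sanitizeDigits($value)
{
    return filter_var($value, FILTER_SANITIZE_NUMBER_INT);
}

// Constructed sample inputs.
$samples = array("0", "80", "65536", "12abc", "0x1A");
foreach ($samples as $s) {
    printf("%-8s port=%-6s hex=%-6s digits=%s\n",
        var_export($s, true),
        var_export(validatePort($s), true),
        var_export(validateHexOrDecimal($s)[0], true),
        var_export(sanitizeDigits($s), true));
}
```

Note that "0" passes validatePort() only because the check uses === false; with the `!` form used in many tutorials it would be rejected, and "12abc" is accepted by the sanitizing filter but not by the validating one.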
Validate input
Let's try to validate the input from the form.
The first thing we need to do is confirm that the input data we are looking for exists.
Then we use the filter_input() function to filter the input data.
In the following example, the input variable "email" is passed to the PHP page:
```php
<?php
// filter_has_var() only reports whether the variable was sent with the request;
// filter_input() then reads and validates it in one step.
if (!filter_has_var(INPUT_GET, "email")) {
    echo("Input type does not exist");
} else {
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL)) {
        echo "E-Mail is not valid";
    } else {
        echo "E-Mail is valid";
    }
}
?>
```
Example Explanation:
The above example has an input variable (email) transmitted by the "GET" method:
- Check if there is an "email" input variable of the "GET" type
- If there is an input variable, check if it is a valid email address
Sanitize input
Let's try to sanitize the URL sent from the form.
Firstly, we need to confirm that the input data we are looking for exists.
Then, we use the filter_input() function to sanitize the input data.
In the following example, the input variable "url" is passed to the PHP page:
```php
<?php
if (!filter_has_var(INPUT_POST, "url")) {
    echo("Input type does not exist");
} else {
    // FILTER_SANITIZE_URL removes characters that are not allowed in a URL;
    // it does not check that the remaining string is a valid URL.
    $url = filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL);
}
?>
```
Example Explanation:
The above example has an input variable (url) transmitted by the "POST" method:
- Check if there is a "url" input variable of the "POST" type
- If such an input variable exists, sanitize it (remove illegal characters) and store it in the $url variable
If the input variable looks like this: "http://www.W3非o法ol.com.c字符n/", then the sanitized $url variable will look like this:
http://www.codew3c.com/
Filter multiple inputs
Forms are usually composed of multiple input fields. To avoid repeated calls to filter_var() or filter_input(), we can use the filter_var_array() or filter_input_array() function.
In this example, we use the filter_input_array() function to filter three GET variables. The received GET variables are a name, an age, and an email address:

```php
<?php
$filters = array(
    "name" => array(
        // FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
        // FILTER_SANITIZE_SPECIAL_CHARS is the usual replacement.
        "filter" => FILTER_SANITIZE_STRING
    ),
    "age" => array(
        "filter"  => FILTER_VALIDATE_INT,
        "options" => array(
            "min_range" => 1,
            "max_range" => 120
        )
    ),
    "email" => FILTER_VALIDATE_EMAIL,
);
// Missing variables come back as NULL, failed validations as FALSE.
$result = filter_input_array(INPUT_GET, $filters);
if (!$result["age"]) {
    echo("Age must be a number between 1 and 120.<br />");
} elseif (!$result["email"]) {
    echo("E-Mail is not valid.<br />");
} else {
    echo("User input is valid");
}
?>
```
Example Explanation:
The above example has three input variables transmitted by the "GET" method (name, age, and email):
- Set an array that includes the names of input variables and filters for specified input variables
- Call the filter_input_array() function with the GET input type and the array just set as parameters
- Check whether the "age" and "email" entries in the $result array contain invalid input (if so, print an error message)
The second parameter of the filter_input_array() function can be an array or a single filter ID.
If the parameter is a single filter ID, then this specified filter will filter all values in the input array.
If the parameter is an array, then this array must follow the following rules:
- It must be an associative array containing the input variables as the keys of the array (for example, the "age" input variable)
- The values of this array must be the ID of the filter, or an array that specifies the filter, flags, and options
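The following script, added here as an example and not taken from the original tutorial, filters a whole input array with a per-field definition and tells missing fields apart from invalid ones. It uses filter_var_array() on a constructed array standing in for $_GET so it runs without a web request; the function checkInput(), the "tags" field and the sample requests are assumptions made for this illustration.

```php
<?php
// Added example (not from the original tutorial): filtering a whole input
// array with filter_var_array() and one definition per field. A constructed
// array stands in for $_GET so the script runs without a web request; with a
// real request you would call filter_input_array(INPUT_GET, $definition).

$definition = array(
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1; encoding the
    // characters that are special in HTML is the replacement.
    "name"  => array("filter" => FILTER_SANITIZE_SPECIAL_CHARS),
    "age"   => array(
        "filter"  => FILTER_VALIDATE_INT,
        "options" => array("min_range" => 1, "max_range" => 120),
    ),
    "email" => FILTER_VALIDATE_EMAIL,
    // A field that may carry several values: validate each element.
    "tags"  => array(
        "filter"  => FILTER_VALIDATE_REGEXP,
        "flags"   => FILTER_REQUIRE_ARRAY,
        "options" => array("regexp" => '/^[a-z0-9-]{1,32}$/'),
    ),
);

// Returns a list of error messages; an empty list means every field passed.
// Missing fields come back as NULL and failed fields as FALSE, so the two
// cases can be reported separately.
function checkInput(array $input, array $definition)
{
    $result = filter_var_array($input, $definition);
    $errors = array();
    foreach (array("age", "email", "tags") as $field) {
        if ($result[$field] === null) {
            $errors[] = "$field is missing";
        } elseif ($result[$field] === false) {
            $errors[] = "$field is not valid";
        } elseif (is_array($result[$field]) && in_array(false, $result[$field], true)) {
            $errors[] = "$field contains an invalid element";
        }
    }
    return $errors;
}

// Constructed sample requests.
$requests = array(
    array("name" => "Peter <b>", "age" => "42", "email" => "peter@example.com",
          "tags" => array("php", "filter")),
    array("name" => "Eve", "age" => "0", "email" => "not-an-address",
          "tags" => array("ok", "bad tag!")),
    array("name" => "Mallory", "age" => "30"),
);
foreach ($requests as $i => $request) {
    $errors = checkInput($request, $definition);
    echo "request $i: ", $errors ? implode("; ", $errors) : "valid", "\n";
}
```

The first request passes, the second fails on age, email and one tag element, and the third reports email and tags as missing rather than invalid, which is the distinction a form handler needs in order to give the right error message.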
Using Filter Callback
By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This way, we have complete control over data filtering.
You can create your own custom functions or use existing PHP functions.
The function to call is passed as the filter's option, in the same way other options are specified.
In the following example, we use a custom function to convert all "_" to spaces:
```php
<?php
// The callback receives each value and its return value becomes the filter result.
function convertSpace($string)
{
    return str_replace("_", " ", $string);
}

$string = "Peter_is_a_great_guy!";
// The callable is passed under the "options" key.
echo filter_var($string, FILTER_CALLBACK, array("options" => "convertSpace"));
?>
```
The result of the above code is as follows:
Peter is a great guy!
Example Explanation:
The above example converts all "_" to spaces:
- Create a function that replaces "_" with a space
- Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function as parameters
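The following script, added here as an example and not taken from the original tutorial, combines the "Sanitize input" and "Using Filter Callback" sections: a FILTER_CALLBACK filter that sanitizes a URL and then validates it, accepting only http and https. The functions safeHttpUrl() and filterUrl() and the sample values are constructed for this illustration.

```php
<?php
// Added example (not from the original tutorial): a FILTER_CALLBACK filter
// that first sanitizes a URL and then validates it. Sanitizing alone
// (FILTER_SANITIZE_URL) only strips characters; it does not tell you whether
// what is left is a usable URL, so the callback returns NULL for anything
// that should be rejected.

function safeHttpUrl($value)
{
    $clean = filter_var($value, FILTER_SANITIZE_URL);
    $valid = filter_var($clean, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return null;
    }
    // Only accept the schemes the application actually expects.
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    if (!in_array($scheme, array("http", "https"), true)) {
        return null;
    }
    return $valid;
}

function filterUrl($value)
{
    // Any callable works in "options": a named function, a method or a closure.
    return filter_var($value, FILTER_CALLBACK, array("options" => "safeHttpUrl"));
}

// Constructed sample inputs.
$samples = array(
    "http://www.exam ple.com/",      // space is stripped, then the URL validates
    "https://example.com/path?q=1",  // already valid
    "ftp://example.com/file",        // valid syntax, scheme not allowed
    "not a url",                     // sanitizes to "notaurl", fails validation
);
foreach ($samples as $s) {
    printf("%-32s => %s\n", $s, var_export(filterUrl($s), true));
}
```

Returning NULL from the callback gives the caller a single value to test for rejection, which keeps the later code from treating a stripped-down but meaningless string as a URL.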