PHP - Filter

PHP filters are used to validate and sanitize data coming from external sources.

The filter extension (filter_var(), filter_input() and related functions) is designed to make validating and sanitizing that data easier, faster and less error-prone than hand-written checks.

What counts as external data:

  • anything submitted through a form
  • anything in $_GET, $_POST or $_REQUEST
  • cookies ($_COOKIE)
  • data returned by web services
  • uploaded or read files
  • environment variables
  • database query results

All of it should be treated as untrusted until it has been validated or sanitized.

PHP - Validating and Sanitizing

The filter extension knows two types of filter:

Validating filters (logical filters):

  • perform a strict analysis of the data
  • know the expected format (for example URL or e-mail validation)
  • return the value, converted to the expected type, on success, or false on failure

Always compare the result with === false: a valid value such as 0 is itself falsy, and FILTER_VALIDATE_BOOLEAN returns false for a legitimate "false" unless the FILTER_NULL_ON_FAILURE flag is set.

See the full list of validating filters: http://www.php.net/manual/en/filter.filters.validate.php

Sanitizing filters:

  • allow or disallow characters in a string
  • do not care about the data format
  • always return a string (for scalar input)

A sanitized string is not automatically safe for a particular output context: HTML output still needs htmlspecialchars(), and SQL still needs prepared statements.

See all predefined filter constants: http://www.php.net/manual/en/filter.constants.php


PHP Filter Functions

  • filter_id() : returns the filter id belonging to a named filter
  • filter_list() : returns a list of all supported filters
  • filter_has_var() : checks whether a variable of the given input type exists
  • filter_var() : filters a variable with a specified filter
  • filter_var_array() : filters several variables with the same or different filters
  • filter_input() : gets one external variable by name and optionally filters it
  • filter_input_array() : gets several external variables and optionally filters them
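The functions above are easiest to see together in filter_var_array(), which applies a whole definition array to a request in one call. The following is an added example, not code from the original page; the $input array is constructed here to stand in for $_POST so the script runs offline, and the field names and ranges are arbitrary choices for illustration. On a real request the same $definition would be passed to filter_input_array(INPUT_POST, $definition).

```php
<?php
// Added example, not code from the original page: validate a whole request
// with filter_var_array(). $input stands in for $_POST (constructed data).
declare(strict_types=1);

$input = [
    'age'       => '42',
    'email'     => 'alice@example.com',
    'client_ip' => '10.0.0.7',
    'username'  => 'alice_01',
    // 'postcode' is deliberately absent to show how missing fields are reported
];

// A definition entry is either a bare filter constant or an array with
// 'filter', 'options' and 'flags'. Fields absent from $input come back as
// null; fields present but failing their filter come back as false. Keys in
// $input that are not in $definition are dropped.
$definition = [
    'age'       => ['filter'  => FILTER_VALIDATE_INT,
                    'options' => ['min_range' => 13, 'max_range' => 120]],
    'email'     => FILTER_VALIDATE_EMAIL,
    // Public IPv4 only: 10.0.0.7 is an RFC 1918 address, so this field is rejected.
    'client_ip' => ['filter' => FILTER_VALIDATE_IP,
                    'flags'  => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE],
    // Allowlist pattern for a username; anchor both ends so nothing can be appended.
    'username'  => ['filter'  => FILTER_VALIDATE_REGEXP,
                    'options' => ['regexp' => '/^[a-z0-9_]{3,16}$/']],
    'postcode'  => ['filter'  => FILTER_VALIDATE_INT,
                    'options' => ['min_range' => 1000, 'max_range' => 99999]],
];

$clean = filter_var_array($input, $definition);

$errors = [];
foreach (array_keys($definition) as $field) {
    if ($clean[$field] === null) {
        $errors[$field] = 'missing';
    } elseif ($clean[$field] === false) {
        $errors[$field] = 'invalid';
    }
}

if ($errors !== []) {
    // Reject the whole request; never fall back to the raw $input values.
    foreach ($errors as $field => $reason) {
        echo "$field: $reason\n";
    }
    exit(1);
}

// Every value in $clean now has its validated type: $clean['age'] is an int,
// not the string '42', so it can be used in typed code without a further cast.
var_dump($clean);
```

With the constructed input above the request is rejected: client_ip fails the private-range check and postcode is reported as missing. Distinguishing null (absent) from false (present but invalid) is what lets the application give a precise error without ever touching the unvalidated values.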

In the example below we validate an integer, a float and a boolean value with filter_var():

    <?php
        $integer = 23232323;
        $float   = '334454erer54.4545';
        $bool    = true;

        // Filter constants are upper-case: FILTER_VALIDATE_INT, not filter_validate_int.
        // Compare with === false: a valid 0 would otherwise be reported as invalid.
        if (filter_var($integer, FILTER_VALIDATE_INT) === false) {
            echo "integer value is not valid <br/>";
        } else {
            echo "integer value is valid <br/>";
        }

        if (filter_var($float, FILTER_VALIDATE_FLOAT) === false) {
            echo "float value is not valid <br/>";
        } else {
            echo "float value is valid <br/>";
        }

        // FILTER_NULL_ON_FAILURE makes the boolean filter return null for
        // non-boolean input, so a legitimate false is not mistaken for failure.
        if (filter_var($bool, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE) === null) {
            echo "boolean value is not valid";
        } else {
            echo "boolean value is valid";
        }
    ?>

The code above uses the FILTER_VALIDATE_INT, FILTER_VALIDATE_FLOAT and FILTER_VALIDATE_BOOLEAN filters. Validating filters return the converted value (here int, float or bool) on success and false on failure, which is why the results are compared with === false rather than negated with !.

The integer value is valid, so the first line of output is: "integer value is valid".

The float string contains letters, so it is invalid and the second line is: "float value is not valid".

The boolean value is valid, so the last line is: "boolean value is valid".
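The three checks above go wrong in practice for boundary inputs that the example values do not exercise. The following is an added example, not code from the original page; the sample strings are constructed test input, and the helper names (isValidIntWrong, isValidInt, parsePort, parseBool) are this example's own.

```php
<?php
// Added example, not code from the original page: the return-value pitfalls
// of validating filters. The $samples arrays are constructed test input.
declare(strict_types=1);

// Wrong: "0" validates to int(0), which a truthiness test treats as failure.
function isValidIntWrong(string $value): bool
{
    return (bool) filter_var($value, FILTER_VALIDATE_INT);
}

// Right: only the literal false signals failure.
function isValidInt(string $value): bool
{
    return filter_var($value, FILTER_VALIDATE_INT) !== false;
}

// Range-limited variant: the options array carries min_range/max_range,
// so range checking is not a separate step that can be forgotten.
function parsePort(string $value): ?int
{
    $port = filter_var($value, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 65535]]);
    return $port === false ? null : $port;
}

// Booleans: without FILTER_NULL_ON_FAILURE both "false" and "maybe" come
// back as false. With the flag, non-boolean input comes back as null while
// "false", "off", "no", "0" and "" keep their meaning as false.
function parseBool(string $value): ?bool
{
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Integer rules exercised below: surrounding whitespace is trimmed, leading
// zeros are rejected unless FILTER_FLAG_ALLOW_OCTAL is set, exponent and
// decimal notation are not integers, and values outside PHP_INT_MIN..PHP_INT_MAX fail.
$samples = ['0', '42', ' 42 ', '042', '1e3', '4.0', 'abc', '9223372036854775808'];
foreach ($samples as $s) {
    printf("%-24s wrong=%-5s right=%-5s result=%s\n",
        var_export($s, true),
        isValidIntWrong($s) ? 'true' : 'false',
        isValidInt($s) ? 'true' : 'false',
        var_export(filter_var($s, FILTER_VALIDATE_INT), true));
}

foreach (['80', '65536', '0', '8080 '] as $p) {
    printf("port %-8s => %s\n", var_export($p, true), var_export(parsePort($p), true));
}

foreach (['yes', 'off', 'false', 'maybe', ''] as $b) {
    printf("bool %-8s => %s\n", var_export($b, true), var_export(parseBool($b), true));
}
```

The first loop shows the disagreement between the two integer checks on "0": the negated form rejects a perfectly valid value, the === false form accepts it. The boolean loop shows why FILTER_NULL_ON_FAILURE matters for anything driven by a checkbox or a "true"/"false" query parameter, where false is a meaningful answer and not an error.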


A simple form using a validating filter:

The input data is read and validated with the filter_input() function.

  <html>
  <head></head>
  <body>

      <form action="validate.php" method="post">
          email: <input type="text" name="email" size="100">
          <br/><input type="submit" name="submit" value="submit">
      </form>

  </body>
  </html>
  
  <!-- and the little script to process it, "validate.php" -->
  <?php
      // filter_input() returns null when the variable is not present in the
      // request, false when it is present but fails the filter, and the
      // validated value otherwise. Filter and input constants are upper-case.
      $mail = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

      if ($mail === null) {
          echo "the 'email' field is required.<br/>";
      } elseif ($mail === false) {
          echo "please enter a valid email address.<br/>";
      } else {
          echo "welcome, new visitor: the email address is valid";
      }
  ?>

Sanitizing filter

First we confirm that the input variable we are looking for exists, using filter_has_var(). Then we sanitize it with the filter_input() function.

In the example below the input variable "url" is sent to PHP by POST:

    <?php
        if (!filter_has_var(INPUT_POST, "url")) {
            echo "input variable 'url' does not exist";
        } else {
            // Pass the filter as a constant, not as the string 'filter_sanitize_url'.
            $surl = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);

            // FILTER_SANITIZE_URL keeps < > " and ', so escape before echoing into HTML.
            echo htmlspecialchars($surl, ENT_QUOTES, 'UTF-8');
        }
    ?>

If the input variable is a string like "http://www.w3øøweb.com/", containing characters that are not allowed in a URL, the $surl variable after sanitizing will look like this:

   http://www.w3web.com/

The non-ASCII characters are simply removed. The sanitizer does not check that what remains is a URL at all, or that it points where the user intended; when a URL is what the application needs, validate it with FILTER_VALIDATE_URL instead.
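To make the difference between sanitizing and validating a URL concrete, here is an added example that is not code from the original page. The four sample strings are constructed inputs standing in for $_POST['url'], and the helper names (sanitizeUrl, validateHttpUrl, linkHtml) and the http/https allowlist are this example's own choices. It runs on PHP 8.

```php
<?php
// Added example, not code from the original page: what FILTER_SANITIZE_URL
// does and does not do, next to a validating alternative. The $samples are
// constructed inputs standing in for $_POST['url'].
declare(strict_types=1);

// Sanitizing: strips characters that can never appear in a URL, nothing more.
// Letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&= all survive, so the
// result may still contain HTML metacharacters and may use any scheme.
function sanitizeUrl(string $raw): string
{
    return (string) filter_var($raw, FILTER_SANITIZE_URL);
}

// Validating: accept only something that parses as a URL and uses a scheme
// the application expects. FILTER_VALIDATE_URL itself accepts any scheme
// that comes with a host (ftp://, javascript://...), hence the explicit allowlist.
function validateHttpUrl(string $raw): ?string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Output encoding is a separate step: sanitizing or validating a URL does
// not make it safe to place inside HTML.
function linkHtml(string $url): string
{
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<a href="' . $safe . '">' . $safe . '</a>';
}

$samples = [
    'http://www.w3øøweb.com/',                             // non-ASCII letters in the host
    'http://example.com/?q="><script>alert(1)</script>',  // well-formed URL carrying HTML
    'ftp://files.example.com/pub',                         // valid URL, unwanted scheme
    'not a url',                                           // spaces are stripped, garbage remains
];

foreach ($samples as $raw) {
    $validated = validateHttpUrl($raw);
    echo "raw:       $raw\n";
    echo "sanitized: " . sanitizeUrl($raw) . "\n";
    echo "validated: " . ($validated ?? '(rejected)') . "\n";
    if ($validated !== null) {
        echo "html:      " . linkHtml($validated) . "\n";
    }
    echo "\n";
}
```

The second sample is the instructive one: it is a structurally valid http URL, so FILTER_VALIDATE_URL accepts it and FILTER_SANITIZE_URL leaves it untouched, yet echoing it into a page without htmlspecialchars() would inject the script tag. The first sample shows the opposite failure mode: the sanitizer silently turns a rejected host name into a different, "valid-looking" one rather than reporting a problem.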

Filter Callback

It is possible to call a user-defined function as a filter via the FILTER_CALLBACK filter. This way we have full control over how the data is filtered.

    <?php
        // a callback function that converts spaces to underscores
        function callme($str)
        {
            return str_replace(" ", "_", $str);
        }

        $string = "my name is sandeep kumar nehra";

        // the callable is passed in the "options" key; the constant is FILTER_CALLBACK
        echo filter_var($string, FILTER_CALLBACK, array("options" => "callme"));
    ?>

Output: my_name_is_sandeep_kumar_nehra
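The callback above transforms its input; a callback can equally be used to reject it, and FILTER_REQUIRE_ARRAY applies it to every element of a multi-valued field. The following is an added example, not code from the original page; the $tags array is constructed sample input standing in for something like $_POST['tags'], and the tag pattern and the helper names (validTag, filterTags) are this example's own. It uses PHP 8 union return types.

```php
<?php
// Added example, not code from the original page: FILTER_CALLBACK used to
// validate rather than transform, applied per element with FILTER_REQUIRE_ARRAY.
// The $tags array is constructed sample input.
declare(strict_types=1);

// filter_var() converts each scalar to a string before calling the callback.
// Returning false makes that element come back as false, so the caller can
// treat it like any other failed validation instead of silently "repairing" it.
function validTag(string $tag): string|false
{
    $tag = trim($tag);
    return preg_match('/^[a-z0-9-]{1,20}$/', $tag) === 1 ? $tag : false;
}

function filterTags(array $tags): array
{
    $result = filter_var($tags, FILTER_CALLBACK, [
        'options' => 'validTag',
        'flags'   => FILTER_REQUIRE_ARRAY,   // apply the callback to each element
    ]);

    $accepted = [];
    $rejected = [];
    foreach ($result as $i => $value) {
        if ($value === false) {
            $rejected[] = $tags[$i];   // keep the original for the error report
        } else {
            $accepted[] = $value;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

$tags = ['php', ' web-security ', 'Filters', str_repeat('x', 30), '<img src=x onerror=alert(1)>'];
$out  = filterTags($tags);

echo "accepted: " . implode(', ', $out['accepted']) . "\n";
echo "rejected: " . count($out['rejected']) . " value(s)\n";
```

Only the first two tags survive: the callback trims surrounding whitespace but rejects the mixed-case, over-long and HTML-bearing values outright. An allowlist pattern anchored at both ends, as here, is the form of callback filter that holds up best, because it describes what is acceptable rather than trying to enumerate what is dangerous.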