PHP - Filter

The PHP filter functions are used to validate and filter data coming from external sources.

A PHP filter validates and filters data coming from external sources. The PHP filter extension is designed to make filtering easier and quicker.

What counts as external data:

  • anything from a form
  • anything from $_GET, $_POST or $_REQUEST
  • cookies
  • web services data
  • files
  • environment variables
  • database query results

PHP - Validating and Sanitizing

The filter extension knows two types of filter:

Validating filters (logical filters):

  • perform a strict analysis of the data
  • know the format (for example URL or e-mail validation)
  • return the expected type on success or false on failure

See the PHP manual for the full list of validating filters (the FILTER_VALIDATE_* constants).

Sanitizing filters:

  • allow or disallow characters in a string
  • do not care about the data format
  • always return a string

See the PHP manual for the full list of predefined filter constants.

PHP filter functions

  • filter_id(): returns the filter id belonging to a named filter
  • filter_list(): returns a list of all supported filters
  • filter_var(): filters a variable with a specified filter
  • filter_var_array(): filters several variables with the same or different filters
  • filter_input(): gets one input variable and filters it
  • filter_input_array(): gets external variables and optionally filters them

In the example below we validate an integer, a float and a boolean value using the filter_var() function:

    <?php
    $integer = 23232323;
    $float   = '334454erer54.4545';

    // FILTER_VALIDATE_INT returns the integer on success and false on failure,
    // so compare against false explicitly (a valid 0 would otherwise count as a failure)
    if (filter_var($integer, FILTER_VALIDATE_INT) === false) {
        echo "integer value is not valid <br/>";
    } else {
        echo "integer value is valid <br/>";
    }

    if (filter_var($float, FILTER_VALIDATE_FLOAT) === false) {
        echo "float value is not valid <br/>";
    } else {
        echo "float value is valid <br/>";
    }

    // how to filter a boolean value
    $bool = true;
    if (filter_var($bool, FILTER_VALIDATE_BOOLEAN) === false) {
        echo "invalid boolean value";
    } else {
        echo "<br/> boolean value is valid";
    }

The code above uses the FILTER_VALIDATE_INT, FILTER_VALIDATE_FLOAT and FILTER_VALIDATE_BOOLEAN filters to validate the variables.

The integer value is valid, so the code above prints: "integer value is valid".

The float value is invalid (it contains letters), so the code above prints: "float value is not valid".

The boolean value is valid, so the code above prints: "boolean value is valid".
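The example above treats any false-ish result as a failure. That is fine for the three sample values, but it breaks on two inputs a real application will meet: the valid integer 0, and the valid boolean answers "no", "off" and "0", all of which also come back as false. The following is an added example (not code from the original tutorial) that shows how to tell a failed validation apart from a legitimately false result, and how the options array narrows an integer to a range. The helper names and the sample inputs are this example's own; it assumes PHP 8 for the union type declarations.

```php
<?php
// Added example: distinguishing "invalid" from "valid but falsy".
// The values in $samples are constructed for this demonstration.

function validate_int(string|int $value): ?int
{
    // FILTER_VALIDATE_INT returns the integer on success and false on failure,
    // so compare with === false; a plain "!" test would reject a valid 0.
    $result = filter_var($value, FILTER_VALIDATE_INT);
    return $result === false ? null : $result;
}

function validate_port(string|int $value): ?int
{
    // the options array narrows the accepted range; anything outside it fails
    $result = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $result === false ? null : $result;
}

function validate_bool(string|bool $value): ?bool
{
    // Without a flag, FILTER_VALIDATE_BOOLEAN returns false both for "no"/"off"/"0"
    // and for garbage. FILTER_NULL_ON_FAILURE makes garbage come back as null,
    // so a legitimate false can be told apart from an invalid value.
    return filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

$samples = [
    ['0',     validate_int('0')],       // int 0: valid, not a failure
    ['12abc', validate_int('12abc')],   // null: trailing garbage is rejected
    ['443',   validate_port('443')],    // int 443: inside the allowed range
    ['70000', validate_port('70000')],  // null: outside 1..65535
    ['off',   validate_bool('off')],    // bool false: a valid answer
    ['maybe', validate_bool('maybe')],  // null: not a boolean at all
];

foreach ($samples as [$input, $result]) {
    printf("%-6s => %s\n", $input, var_export($result, true));
}
```

The pattern to take away is that a validating filter's failure signal is a specific value (false, or null with FILTER_NULL_ON_FAILURE), and the comparison must use `===` so that legitimate data that happens to be falsy is not thrown away.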

A simple form using a validating filter:

We filter the input data using the filter_input() function.

    <html>
    <head></head>
    <body>
    <form action="validate.php" method="post">
        email: <input type="text" name="email" size="100">
        <br/><input type="submit" name="submit" value="submit">
    </form>
    </body>
    </html>

    <!-- and the little script to process it, "validate.php" -->
    <?php
    // filter_input() returns null when the field is absent from the request
    // and false when it is present but fails FILTER_VALIDATE_EMAIL
    $mail = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if (is_null($mail)) {
        echo "the 'email' field is required.<br/>";
    } elseif ($mail === false) {
        echo "please enter a valid email address. <br/>";
    } else {
        echo "welcome as a new visitor, email is valid";
    }
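The script above validates one field. As an added example that is not part of this tutorial, the following validates a whole sign-up form with a single definition array. filter_input_array(INPUT_POST, $definition) accepts the same definition and reads the real request; filter_var_array() is used here only so that a constructed array can stand in for $_POST when the file is run from the command line. The field names, the age range and the messages are this example's own assumptions; it needs PHP 7.1 or later.

```php
<?php
// Added example: validating several form fields with one definition.
// SIGNUP_DEFINITION, validate_signup() and the sample requests are constructed
// for this demonstration and are not part of the tutorial.

const SIGNUP_DEFINITION = [
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 13, 'max_range' => 120],
    ],
    'newsletter' => [
        'filter' => FILTER_VALIDATE_BOOLEAN,
        'flags'  => FILTER_NULL_ON_FAILURE,
    ],
];

/**
 * Returns [$clean, $errors].
 * A field missing from the request comes back as null and a field that failed
 * validation as false (null for the boolean, because of FILTER_NULL_ON_FAILURE),
 * so required fields can report both cases separately. Keys that are not in the
 * definition are dropped, and a field submitted as an array (age[]=1) fails the
 * scalar filter instead of reaching the application.
 */
function validate_signup(array $post): array
{
    $clean  = filter_var_array($post, SIGNUP_DEFINITION);
    $errors = [];

    foreach (['email', 'age'] as $field) {
        if ($clean[$field] === null) {
            $errors[$field] = "the '$field' field is required";
        } elseif ($clean[$field] === false) {
            $errors[$field] = "the '$field' field is not valid";
        }
    }

    // the newsletter box is optional: missing or unrecognised both mean "no"
    $clean['newsletter'] = $clean['newsletter'] ?? false;

    return [$clean, $errors];
}

// constructed sample request: everything valid
[$clean, $errors] = validate_signup([
    'email' => 'visitor@example.com', 'age' => '34', 'newsletter' => 'yes',
]);
var_dump($errors === []);        // bool(true)
var_dump($clean['newsletter']);  // bool(true)

// constructed sample request: bad address, age below the minimum, box missing
[$clean, $errors] = validate_signup(['email' => 'not-an-address', 'age' => '9']);
print_r($errors);                // email and age both reported as not valid
var_dump($clean['newsletter']);  // bool(false)
```

Keeping the definition in one place means every request handler applies the same rules, and a field that was never declared cannot quietly reach the application code.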

Sanitizing filter

First we confirm that the input data we are looking for exists; then we sanitize it using the filter_input() function.

In the example below, the input variable "url" is sent to the PHP script:

    <?php
    if (!filter_has_var(INPUT_POST, "url")) {
        echo "input type does not exist";
    } else {
        // FILTER_SANITIZE_URL is a constant, not a string; it strips characters that cannot appear in a URL
        $surl = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);
        echo "$surl";
    }

If the input variable is a string like "http://www.w3…", the $surl variable after sanitizing will look like this:
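Sanitizing, validating and escaping are three different steps, and the example above only performs the first. FILTER_SANITIZE_URL removes characters that cannot appear in a URL but keeps `<`, `>` and quotes, and it does not check that what remains is a URL; FILTER_VALIDATE_URL checks the syntax but not whether the application wants to follow that scheme; and htmlspecialchars() is what protects the HTML page the value is echoed into. The following added example (not code from the tutorial) chains the three. The function names, the scheme allowlist and the sample inputs are this example's own choices; it needs PHP 7.1 or later.

```php
<?php
// Added example: sanitize, then validate, then escape at the output boundary.
// clean_url(), url_for_html() and $inputs are constructed for this demonstration.

function clean_url(?string $raw, array $allowed_schemes = ['http', 'https']): ?string
{
    if ($raw === null) {
        return null;                           // field absent from the request
    }

    // step 1: drop characters that cannot be part of a URL (spaces, control characters, ...)
    $url = filter_var($raw, FILTER_SANITIZE_URL);

    // step 2: the result must still be a syntactically valid URL
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // step 3: only schemes the application is willing to follow (allowlist, not denylist)
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, $allowed_schemes, true)) {
        return null;
    }

    return $url;
}

function url_for_html(?string $raw): string
{
    $url = clean_url($raw);
    if ($url === null) {
        return '<p>no valid url supplied</p>';
    }

    // step 4: escape for the HTML context; sanitizing alone leaves < > " ' in place
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<a href=\"$safe\">$safe</a>";
}

// constructed sample inputs
$inputs = [
    "http://www.example.com/pa th?q=1",   // the space is stripped by sanitizing
    "https://example.com/?q=<b>",        // angle brackets survive sanitizing, hence the escaping
    "ftp://example.com/file",            // a well-formed URL, but not an allowed scheme
    "not a url at all",
    null,                                // field missing from the request
];

foreach ($inputs as $in) {
    echo url_for_html($in), "\n";
}
```

The order matters: sanitize on the way in, validate what is left, and escape on the way out for the specific context (HTML here). None of the three steps substitutes for the others.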

Filter callback

It is possible to call a user-defined function and use it as a filter using the FILTER_CALLBACK filter. This way, we have full control over the data filtering.

    <?php
    // a callback function that converts spaces to underscores
    function callme($str)
    {
        return str_replace(" ", "_", $str);
    }

    $string = "my name is sandeep kumar nehra";
    echo filter_var($string, FILTER_CALLBACK, array("options" => "callme"));

Output: my_name_is_sandeep_kumar_nehra
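FILTER_CALLBACK hands each value to the callable and returns whatever the callable returns, so the same callback can both normalize a value and reject it by returning false, just like the built-in validating filters. The following added example (not code from the tutorial) uses that to normalize user-supplied tag names against a strict allowlist. The closure, the helper function and the sample inputs are this example's own; it assumes PHP 8 for the `string|false` return type.

```php
<?php
// Added example: a FILTER_CALLBACK callable that normalizes and rejects.
// $normalize_tag, filter_tags() and the sample tags are constructed for this demonstration.

// Trim, lower-case and turn runs of whitespace into underscores, then accept only
// a short allowlisted character set; anything else is rejected by returning false.
$normalize_tag = function (string $tag): string|false {
    $tag = preg_replace('/\s+/', '_', strtolower(trim($tag)));
    return preg_match('/^[a-z0-9_]{1,32}$/', $tag) === 1 ? $tag : false;
};

function filter_tags(array $raw, callable $normalizer): array
{
    $accepted = [];
    $rejected = [];

    foreach ($raw as $tag) {
        // the callable goes in "options", exactly as with the named function in the tutorial
        $clean = filter_var($tag, FILTER_CALLBACK, ['options' => $normalizer]);
        if ($clean === false) {
            $rejected[] = $tag;        // keep the raw value for logging or an error message
        } else {
            $accepted[] = $clean;
        }
    }

    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// constructed sample input
$result = filter_tags(
    ['  Web Security ', 'PHP', 'bad tag!', str_repeat('x', 40)],
    $normalize_tag
);
print_r($result);
// accepted: web_security, php
// rejected: 'bad tag!' (disallowed character) and the 40-character string (too long)
```

Because the callback decides what comes out, the allowlist regular expression is the actual security control here; keep it as narrow as the data allows and fail closed on anything it does not match.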