PHP filters are used to validate and sanitize external input.
The PHP filter extension provides various functions for checking user input and is designed to simplify and expedite data validation.
You can use the filter_list() function to see the available options provided by the PHP filter extension:
<table>
  <tr>
    <td>Filter Name</td>
    <td>Filter ID</td>
  </tr>
  <?php
  foreach (filter_list() as $id => $filter) {
      echo '<tr><td>' . $filter . '</td><td>' . filter_id($filter) . '</td></tr>';
  }
  ?>
</table>
Many web applications handle external input, which can include:
You should always validate external data! Invalid or improperly submitted data can lead to security issues and disrupt your webpage. By using PHP filters, you can ensure that your application receives the correct input!
The filter_var() function is used to both validate and sanitize data.
It filters a single variable according to a specified filter. It requires two pieces of information:
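The following example demonstrates how to use the filter_var() function to remove all HTML tags from a string:
<?php
$str = "<h1>Hello World!</h1>";
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.0;
// the PHP manual recommends htmlspecialchars() instead.
$newstr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newstr;
?>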
The following example uses the filter_var() function to check if the variable $int is an integer. If $int is an integer, the output will be: “Integer is valid”. If $int is not an integer, the output will be: “Integer is not valid”.
<?php
$int = 100;
if (!filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is valid");
} else {
    echo("Integer is not valid");
}
?>
In the example above, if $int is set to 0, the output will be “Integer is not valid”, because filter_var() returns the integer 0 and the ! operator treats 0 the same way as false. To address this issue, use the code below:
<?php
$int = 0;
// Accept 0 explicitly before falling back to the negated check
if (filter_var($int, FILTER_VALIDATE_INT) === 0 || !filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is valid");
} else {
    echo("Integer is not valid");
}
?>
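The zero case arises because a valid value (0) and the failure value (false) are both falsy. As an added example that is not part of the original page, the hypothetical helper validate_int() below uses the FILTER_NULL_ON_FAILURE flag and the min_range/max_range options of FILTER_VALIDATE_INT, and prints its result next to the negated idiom for a set of constructed inputs; the 0..65535 range is chosen only for illustration.

```php
<?php
// Added example, not from the original page. validate_int() is a
// hypothetical helper and the sample inputs are constructed.

function validate_int($value, ?int $min = null, ?int $max = null): ?int
{
    $options = [];
    if ($min !== null) {
        $options['min_range'] = $min;
    }
    if ($max !== null) {
        $options['max_range'] = $max;
    }

    // With FILTER_NULL_ON_FAILURE a failed check returns null instead of
    // false, so a valid 0 cannot be mistaken for a failure.
    return filter_var($value, FILTER_VALIDATE_INT, [
        'options' => $options,
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// Constructed inputs: valid values, zero, and malformed strings.
$samples = [100, 0, '0', '-5', '12abc', '', '1e3', '99999'];

foreach ($samples as $input) {
    // The page's first idiom: treats a valid 0 as a failure.
    $negated = !filter_var($input, FILTER_VALIDATE_INT) === false;

    // Strict null check plus a 0..65535 range (range chosen for illustration).
    $checked = validate_int($input, 0, 65535);

    printf(
        "%-8s negated idiom: %-8s range-checked: %s\n",
        var_export($input, true),
        $negated ? 'valid' : 'invalid',
        $checked === null ? 'rejected' : "accepted ($checked)"
    );
}
?>
```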
The following example demonstrates how to use the filter_var() function to check if the variable $ip is a valid IP address:
<?php
$ip = "127.0.0.1";
if (!filter_var($ip, FILTER_VALIDATE_IP) === false) {
    echo("$ip is a valid IP address");
} else {
    echo("$ip is not a valid IP address");
}
?>
The following example uses the filter_var() function to first remove all invalid characters from the $email variable and then verify if it is a valid email address:
<?php
$email = "user@example.com"; // constructed sample address

// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate e-mail
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    echo("$email is a valid email address");
} else {
    echo("$email is not a valid email address");
}
?>
The following example uses the filter_var() function to first remove all invalid characters from a URL and then verify if $url is a valid URL:
<?php
$url = "https://www.w3schools.com";

// Remove all illegal characters from a url
$url = filter_var($url, FILTER_SANITIZE_URL);

// Validate url
if (!filter_var($url, FILTER_VALIDATE_URL) === false) {
    echo("$url is a valid URL");
} else {
    echo("$url is not a valid URL");
}
?>
For a comprehensive reference of all filter functions, visit our complete PHP Filter Reference. There, you can explore the available options and flags for each filter.
The reference provides a brief description and usage examples for each function!