PHP Filters
Validating and sanitizing external data safely
What are PHP Filters?
PHP filters validate and sanitize external input data like user forms, cookies, and web services. They help protect your application from malicious data and ensure data integrity before processing.
<?php
// Sanitize an email address
$email = "[email protected]";
$clean_email = filter_var($email, FILTER_SANITIZE_EMAIL);
echo $clean_email; // Output: [email protected]
?>
Output:
Types of Filters
Validate Filters
Check if data meets specific criteria without modifying it. Returns false if validation fails.
<?php
$email = "[email protected]";
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Valid email";
}
?>
Sanitize Filters
Remove or encode unwanted characters from data to make it safe for use in your application.
<?php
$string = "<h1>Hello</h1>";
// FILTER_SANITIZE_STRING strips tags and HTML-encodes quotes.
// It is deprecated since PHP 8.1; escape with htmlspecialchars() at output time instead.
$clean = filter_var($string, FILTER_SANITIZE_STRING);
echo $clean; // Hello
?>
Input Filters
Filter external variables like GET, POST, and COOKIE data directly from their source.
<?php
// Get and sanitize POST data (null if 'username' was not sent)
// FILTER_SANITIZE_STRING is deprecated since PHP 8.1; prefer a validate filter.
$name = filter_input(
    INPUT_POST,
    'username',
    FILTER_SANITIZE_STRING
);
?>
Custom Filters
Create your own validation rules using callback functions for specific business logic requirements.
<?php
// Example callback: trim surrounding whitespace and upper-case the value
function myFunction($value) {
    return strtoupper(trim($value));
}
$data = "  hello  ";
$result = filter_var(
    $data,
    FILTER_CALLBACK,
    ["options" => "myFunction"]
);
echo $result; // HELLO
?>
Validating Email Addresses
Use FILTER_VALIDATE_EMAIL to check if an email address is properly formatted:
<?php
$email1 = "[email protected]";
$email2 = "invalid-email";
// Validate first email
if (filter_var($email1, FILTER_VALIDATE_EMAIL)) {
    echo "$email1 is valid<br>";
} else {
    echo "$email1 is invalid<br>";
}
// Validate second email
if (filter_var($email2, FILTER_VALIDATE_EMAIL)) {
    echo "$email2 is valid";
} else {
    echo "$email2 is invalid";
}
?>
Output:
[email protected] is valid
invalid-email is invalid
Validating URLs
Check if a URL is valid using FILTER_VALIDATE_URL:
<?php
$url = "https://www.example.com";
if (filter_var($url, FILTER_VALIDATE_URL)) {
    echo "Valid URL: $url";
} else {
    echo "Invalid URL";
}
?>
Output:
Valid URL: https://www.example.com
Validating Integers
Validate integer values with optional range checking:
<?php
$age = 25;
// Simple integer validation. Compare against false explicitly: the filter
// returns the integer itself, so a valid 0 would otherwise count as failure.
if (filter_var($age, FILTER_VALIDATE_INT) !== false) {
    echo "Valid integer: $age<br>";
}
// Validate with range
$options = [
    "options" => [
        "min_range" => 18,
        "max_range" => 65
    ]
];
if (filter_var($age, FILTER_VALIDATE_INT, $options) !== false) {
    echo "Age $age is within valid range (18-65)";
} else {
    echo "Age is out of range";
}
?>
Output:
Valid integer: 25
Age 25 is within valid range (18-65)
Sanitizing Strings
Strip HTML tags from a string (the text between the tags is kept, and quotes are HTML-encoded):
<?php
$input = "<script>alert('XSS')</script>Hello World!";
// Remove HTML tags. Only the tags themselves are stripped: the script body
// survives and single quotes become &#39;. FILTER_SANITIZE_STRING is deprecated since PHP 8.1.
$clean = filter_var($input, FILTER_SANITIZE_STRING);
echo "Sanitized: $clean";
?>
Output:
Sanitized: alert(&#39;XSS&#39;)Hello World!
Using filter_input()
Filter external input directly from GET, POST, or COOKIE:
<?php
// Sanitize GET parameter (FILTER_SANITIZE_STRING is deprecated since PHP 8.1)
$search = filter_input(INPUT_GET, 'q', FILTER_SANITIZE_STRING);
// Validate POST email: null if missing, false if invalid, the address if valid
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// Sanitize COOKIE value: keeps only digits and the + and - signs
$user_id = filter_input(INPUT_COOKIE, 'user_id', FILTER_SANITIZE_NUMBER_INT);
if ($email) {
    echo "Valid email received: $email";
} else {
    echo "Invalid or missing email";
}
?>
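As an added example that is not part of the original page, the following puts the validate filters together for one constructed form (the field names, sample values and the validate_profile() function are assumptions). It shows the checks a practitioner wants around these filters: comparing against false rather than relying on truthiness, FILTER_NULL_ON_FAILURE for booleans, a scheme allowlist that FILTER_VALIDATE_URL does not provide on its own, and escaping at output rather than stripping tags at input.

```php
<?php
// Added example (not from the original page); field names are constructed.
function validate_profile(array $input): array
{
    $definition = [
        // Allowlist rather than strip: letters, digits, underscore, 3-20 chars.
        'username' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/'],
        ],
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 18, 'max_range' => 65],
        ],
        // Checks URL syntax only; this filter does not restrict the scheme.
        'homepage' => FILTER_VALIDATE_URL,
        // FILTER_NULL_ON_FAILURE: "no"/"off"/"0" give false, junk gives null,
        // so a legitimate "no" is not mistaken for a validation failure.
        'newsletter' => ['filter' => FILTER_VALIDATE_BOOLEAN, 'flags' => FILTER_NULL_ON_FAILURE],
    ];
    // add_empty=false: a key missing from $input is absent from $result.
    $result = filter_var_array($input, $definition, false);
    $errors = [];
    foreach (array_keys($definition) as $field) {
        // Failure is false for most filters, null for the boolean above.
        $failed = $field === 'newsletter' ? null : false;
        if (!array_key_exists($field, $result) || $result[$field] === $failed) {
            $errors[] = $field;
        }
    }
    // Extra check the filter does not make: only http(s) homepages are allowed.
    if (is_string($result['homepage'] ?? null)) {
        $scheme = strtolower((string) parse_url($result['homepage'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $errors[] = 'homepage';
        }
    }
    return ['values' => $result, 'errors' => array_values(array_unique($errors))];
}
// Constructed sample, as it might arrive in $_POST.
$checked = validate_profile([
    'username'   => 'bob<b>',            // rejected: fails the allowlist regexp
    'age'        => '25',                // accepted as int 25
    'homepage'   => 'ftp://example.com', // valid syntax, but not http(s)
    'newsletter' => 'no',                // accepted as false, not an error
]);
foreach ($checked['errors'] as $field) {
    // Escape at output time rather than stripping tags at input time.
    echo 'Invalid field: ' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . "\n";
}
```

With the sample above, errors contains username and homepage while age and newsletter pass; the validated values in $checked['values'] are what the rest of the application should use, never the raw $_POST array.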
Common Filter Constants
Validation Filters:
- FILTER_VALIDATE_EMAIL - Validates email addresses
- FILTER_VALIDATE_URL - Validates URLs
- FILTER_VALIDATE_INT - Validates integers
- FILTER_VALIDATE_IP - Validates IP addresses
- FILTER_VALIDATE_BOOLEAN - Validates boolean values
Sanitization Filters:
- FILTER_SANITIZE_STRING - Removes HTML tags and encodes quotes (deprecated since PHP 8.1)
- FILTER_SANITIZE_EMAIL - Removes illegal email characters
- FILTER_SANITIZE_URL - Removes illegal URL characters
- FILTER_SANITIZE_NUMBER_INT - Removes all except digits and +/-