
PHP Filters



PHP filters are used to validate and filter data from non-secure sources, such as user input.


What is a PHP filter?

PHP filters are used to validate and filter data from non-secure sources.

Testing, validating, and filtering user input or custom data is an important part of any web application.

PHP's filter extension is designed to make data filtering easier and faster.


Why use filters?

Almost all web applications rely on external input. This data usually comes from users or other applications (such as web services). By using filters, you can ensure that your application gets the correct input type.

You should always filter external data!

Input filtering is one of the most important application security topics.

What is external data?

  • Input data from forms
  • Cookies
  • Web services data
  • Server variables
  • Database query results

Functions and filters

To filter variables, use one of the following filter functions:

  • filter_var() - Filters a single variable through a specified filter
  • filter_var_array() - Filters multiple variables with the same or different filters
  • filter_input() - Gets one input variable and filters it
  • filter_input_array() - Gets multiple input variables and filters them with the same or different filters

The examples below also use filter_has_var(), which checks whether an input variable of the given type (such as INPUT_GET) exists.

In the following example, we validate an integer using the filter_var() function:

Example

<?php
$int = 123;
// filter_var() returns the integer on success and false on failure.
// Compare with === false: 0 is a legal integer, but "!filter_var(0, ...)"
// would report it as invalid.
if (filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>

The above code uses the "FILTER_VALIDATE_INT" filter. Since 123 is a legal integer, the code outputs:

Integer is valid

If we try a non-integer value (such as "123abc"), it outputs: "Integer is not valid".

For a complete list of functions and filters, please visit our PHP Filter Reference Manual .


Validating and Sanitizing

There are two types of filters:

Validating filters:

  • Used to validate user input
  • Apply strict format rules (for example URL or e-mail validation)
  • Return the value in the expected type on success, and FALSE on failure

Sanitizing filters:

  • Used to allow or disallow specified characters in a string
  • Apply no data-format rules
  • Always return a string

Options and flags

Options and flags are used to add additional filtering options to the specified filter.

Different filters have different options and flags.

In the following example, we validate an integer with filter_var() and the "min_range" and "max_range" options:

Example

<?php
$var = 300;
// Options go under the "options" key of an associative array
$int_options = array(
    "options" => array(
        "min_range" => 0,
        "max_range" => 256
    )
);
// === false distinguishes a failed validation from the legal value 0,
// which is inside this range
if (filter_var($var, FILTER_VALIDATE_INT, $int_options) === false) {
    echo("Integer is not valid");
} else {
    echo("Integer is valid");
}
?>

As in the code above, options must be placed in an associative array under the key "options". Flags are passed differently: on their own, a flag is given directly as the third argument; when options are also used, it goes under the key "flags" in the same array.

Since the integer is 300 and it is not within the specified range, the output of the above code is:

Integer is not valid
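The integer example earlier and the range example above, extended here as an added example that is not code from the original page. It runs FILTER_VALIDATE_INT over a set of constructed inputs, compares the result with "=== false" rather than "!", and shows a flag passed both on its own and together with options. The checkInt() helper and the input list are this example's own, not part of PHP's API.

```php
<?php
// Added example, not code from the original page: FILTER_VALIDATE_INT with
// options and flags over constructed inputs. checkInt() is this example's
// own helper.

function checkInt($value, $options = 0): string
{
    $result = filter_var($value, FILTER_VALIDATE_INT, $options);
    // filter_var() returns the integer on success and false on failure.
    // Testing with "!$result" would also treat a valid 0 as a failure,
    // so compare with === false.
    if ($result === false) {
        return "invalid";
    }
    return "valid (" . var_export($result, true) . ")";
}

// Options live under the "options" key of an associative array.
$range = ["options" => ["min_range" => 0, "max_range" => 256]];

// Constructed inputs: plain integers, surrounding whitespace (which the
// filter trims), a trailing letter, scientific notation, an out-of-range
// value, a negative value, a hex literal and a value with a leading zero.
$inputs = ["123", "0", " 42 ", "123abc", "1e3", "300", "-1", "0x1A", "010"];

foreach ($inputs as $input) {
    echo str_pad(var_export($input, true), 10) . " => " . checkInt($input, $range) . "\n";
}

// A flag on its own is passed directly as the third argument...
echo "0x1A with FILTER_FLAG_ALLOW_HEX: " . checkInt("0x1A", FILTER_FLAG_ALLOW_HEX) . "\n";

// ...and goes under the "flags" key when options are also given. The range
// check is then applied to the parsed value.
$hexRange = ["options" => ["min_range" => 0, "max_range" => 256],
             "flags"   => FILTER_FLAG_ALLOW_HEX];
echo "0x1A with hex flag and range: " . checkInt("0x1A", $hexRange) . "\n";

// The same ambiguity exists for FILTER_VALIDATE_BOOLEAN: "off" is a valid
// false, "maybe" is not a boolean at all. With FILTER_NULL_ON_FAILURE the
// filter returns null for the latter instead of false.
foreach (["yes", "off", "maybe"] as $bool) {
    echo str_pad(var_export($bool, true), 10) . " => ";
    var_dump(filter_var($bool, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
}
```

Run it from the command line with php and compare the lines for "0" and "0x1A": the first is accepted only because the check uses === false, the second only once the hex flag is present.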

Validate input

Let's try to validate the input from the form.

The first thing we need to do is confirm if there is any input data we are looking for.

Then we use the filter_input () function to filter the input data.

In the following example, the input variable "email" is passed to the PHP page:

Example

<?php
if (!filter_has_var(INPUT_GET, "email")) {
    echo("No email parameter");
} else {
    // filter_input() returns the value on success and false on failure
    // (it would return null if the variable were missing, but that case
    // was handled above)
    if (filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL) === false) {
        echo "E-Mail is not valid";
    } else {
        echo "E-Mail is valid";
    }
}
?>

When the page is requested with a valid address in the query string (for example ?email=john@example.com) it outputs "E-Mail is valid"; with a value that is not an e-mail address it outputs "E-Mail is not valid", and without the parameter it outputs "No email parameter".

Example explanation

The above example has an input variable (email) passed via the "GET" method:

  1. Check that a GET input variable named "email" exists
  2. If it exists, check whether it is a valid e-mail address

Note that filter_input() reads the request as PHP received it; values changed in $_GET at runtime are not visible to it.

Sanitize input

Let's try to sanitize a URL passed from the form.

First, we need to confirm if there is any input data we are looking for.

Then, we use the filter_input () function to sanitize the input data.

In the following example, the input variable "url" is passed to the PHP page:

<?php
if (!filter_has_var(INPUT_GET, "url")) {
    echo("No url parameter");
} else {
    // FILTER_SANITIZE_URL removes characters that cannot appear in a URL;
    // it does not check that the result is a valid URL
    $url = filter_input(INPUT_GET, "url", FILTER_SANITIZE_URL);
    // The characters it keeps include < > and ", so escape the value
    // before writing it into an HTML page
    echo htmlspecialchars($url, ENT_QUOTES, "UTF-8");
}
?>

Example explanation

The above example has an input variable (url) passed via the "GET" method:

  1. Detect if "url" input variable of type "GET" exists
  2. If present, sanitize the input variable (remove illegal characters) and store it in the $url variable

If the input variable is a string like "http://www.ruåånoøøob.com/", the sanitized $url variable looks like this (the non-ASCII letters are not allowed in a URL and are removed):

http://www.runoob.com/

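Sanitizing removes characters, but it does not decide whether what is left is acceptable. The following added example (not code from the original page) chains the two filter types: FILTER_SANITIZE_URL first, then FILTER_VALIDATE_URL, then a scheme allowlist, and finally HTML escaping on output. The cleanUrl() helper, the http/https allowlist and the input list are this example's own choices.

```php
<?php
// Added example, not code from the original page: sanitize, then validate,
// then restrict, then escape. cleanUrl() is this example's own helper.

function cleanUrl(string $raw): ?string
{
    // Step 1: strip characters that cannot appear in a URL at all.
    // This is all FILTER_SANITIZE_URL does; it keeps < > " and the
    // scheme untouched.
    $url = filter_var($raw, FILTER_SANITIZE_URL);

    // Step 2: validate the structure. false means "not a URL".
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Step 3: FILTER_VALIDATE_URL accepts any scheme that has a host part,
    // so a value such as "javascript://host/%0Aalert(1)" passes it. Allow
    // only the schemes this application actually wants (assumption here:
    // http and https).
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ["http", "https"], true)) {
        return null;
    }
    return $url;
}

// Constructed inputs, including the page's own example with non-ASCII letters.
$inputs = [
    "http://www.ruåånoøøob.com/",
    "javascript://example.com/%0Aalert(1)",
    "http://example.com/?q=<script>",
    "not a url",
];

foreach ($inputs as $raw) {
    $clean = cleanUrl($raw);
    // Step 4: whatever is echoed into HTML is escaped, accepted or not.
    if ($clean === null) {
        echo "rejected: " . htmlspecialchars($raw, ENT_QUOTES, "UTF-8") . "\n";
    } else {
        echo "accepted: " . htmlspecialchars($clean, ENT_QUOTES, "UTF-8") . "\n";
    }
}
```

The scheme check in step 3 is the part most often forgotten: a URL that survives both filters is still only safe to place in an href if its scheme is one the application expects.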

Filter multiple inputs

Forms usually consist of multiple input fields. To avoid repeated calls to the filter_var or filter_input functions, we can use the filter_var_array or the filter_input_array functions.

In this example, we use the filter_input_array () function to filter three GET variables. The GET variables received are a name, an age, and an e-mail address:

Example

<?php
$filters = array(
    // FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
    // FILTER_SANITIZE_FULL_SPECIAL_CHARS is the usual replacement
    "name"  => array("filter" => FILTER_SANITIZE_STRING),
    "age"   => array(
        "filter"  => FILTER_VALIDATE_INT,
        "options" => array("min_range" => 1, "max_range" => 120)
    ),
    "email" => FILTER_VALIDATE_EMAIL
);
$result = filter_input_array(INPUT_GET, $filters);
// An entry is false when the filter rejected the value and null when
// the variable was not sent; both are treated as errors here
if (!$result["age"]) {
    echo("Age must be between 1 and 120.<br>");
} elseif (!$result["email"]) {
    echo("E-Mail illegal<br>");
} else {
    echo("Entered correctly");
}
?>

Example explanation

The above example has three input variables (name, age, and email) passed via the "GET" method:

  1. Set up an array containing the names of the input variables and the filter to apply to each of them
  2. Call the filter_input_array() function with the input type (INPUT_GET) and the array just set up
  3. Check whether the "age" and "email" entries in $result contain illegal input. (After filter_input_array(), an entry is FALSE if the filter rejected the value and NULL if the variable was not sent.)

The second parameter of filter_input_array() can be either an array or the ID of a single filter.

If it is the ID of a single filter, that filter is applied to every value in the input array.

If it is an array, the array must follow these rules:

  • It must be an associative array whose keys are the names of the input variables (such as "age")
  • Each value must be either a filter ID, or an array specifying the filter together with its flags and options
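The definition array described above is shared by filter_input_array() and filter_var_array(). The following added example (not code from the original page) uses filter_var_array() on a constructed request array so it runs offline, and tells apart the three outcomes a caller must handle: a valid value, FALSE (present but rejected) and NULL (not sent). The field names, the tag pattern and the filterRequest() helper are this example's own.

```php
<?php
// Added example, not code from the original page: a filter definition with
// options and flags applied with filter_var_array() to a constructed
// request. filterRequest() is this example's own helper.

$definition = [
    // FILTER_SANITIZE_FULL_SPECIAL_CHARS replaces FILTER_SANITIZE_STRING,
    // which is deprecated since PHP 8.1.
    "name"  => ["filter" => FILTER_SANITIZE_FULL_SPECIAL_CHARS],
    "age"   => ["filter"  => FILTER_VALIDATE_INT,
                "options" => ["min_range" => 1, "max_range" => 120]],
    // A bare filter ID is also accepted as the value.
    "email" => FILTER_VALIDATE_EMAIL,
    // A multi-valued field (tags[]=...): require an array and validate
    // every element against a pattern chosen for this example.
    "tags"  => ["filter"  => FILTER_VALIDATE_REGEXP,
                "flags"   => FILTER_REQUIRE_ARRAY,
                "options" => ["regexp" => '/^[a-z0-9-]{1,32}$/']],
];

function filterRequest(array $request, array $definition): array
{
    // add_empty = true (the default) puts null into the result for every
    // key of $definition that is missing from $request, so the result
    // always has the same shape as the definition.
    $result = filter_var_array($request, $definition, true);

    $errors = [];
    foreach ($definition as $field => $unused) {
        if (!array_key_exists($field, $result) || $result[$field] === null) {
            $errors[$field] = "missing";
        } elseif ($result[$field] === false) {
            $errors[$field] = "invalid";
        } elseif (is_array($result[$field]) && in_array(false, $result[$field], true)) {
            // With FILTER_REQUIRE_ARRAY each rejected element becomes false
            $errors[$field] = "invalid element";
        }
    }
    return ["values" => $result, "errors" => $errors];
}

// Constructed request, as $_GET would look after
// ?name=Ada+%3Cb%3ELovelace%3C/b%3E&age=0&tags[]=crypto&tags[]=Not+Valid!
$request = [
    "name" => "Ada <b>Lovelace</b>",
    "age"  => "0",
    "tags" => ["crypto", "Not Valid!"],
    // "email" is deliberately absent
];

$out = filterRequest($request, $definition);
foreach ($out["errors"] as $field => $why) {
    echo "$field: $why\n";
}
var_export($out["values"]);
echo "\n";
```

Checking for === null and === false separately matters for error messages: "age" here fails the range check, while "email" was never sent, and a form should report those differently rather than collapsing both with a plain "!" test.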

Using Filter Callback

By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. In this way, we have full control over data filtering.

You can create your own custom functions or use existing PHP functions.

The function to call is given as the filter's option: in the associative array passed as the third argument, under the key "options".

In the following example, we used a custom function to convert all "_" to ".":

Example

<?php
// Custom filter function: replaces every "_" with "."
function convertSpace($string) {
    return str_replace("_", ".", $string);
}
$string = "www_welookups_com!";
// The callable is passed under the "options" key
echo filter_var($string, FILTER_CALLBACK, array("options" => "convertSpace"));
?>

The above code outputs:

www.welookups.com!

Example explanation

The above example converts all "_" into ".":

  1. Create a function that replaces "_" with "."
  2. Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function
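A callback filter is most useful when it behaves like the built-in validating filters: it returns the normalised value on success and FALSE on failure, so the calling code can test with "=== false" as it does everywhere else. The following added example (not code from the original page) does that with a closure, then uses the same closure and a built-in PHP function as callbacks inside a filter_var_array() definition. The document-ID rule, the checkDocId() helper and the inputs are this example's own.

```php
<?php
// Added example, not code from the original page: FILTER_CALLBACK with a
// closure that validates and normalises, and with an existing PHP function.
// checkDocId() and the document-ID rule are this example's own.

// Hypothetical rule for this example: a document ID is 8 to 32 hex
// characters, case-insensitive, and is normalised to lower case.
$validateDocId = function ($value) {
    if (!is_string($value)) {
        return false;
    }
    $value = strtolower(trim($value));
    // Return the cleaned value on success and false on failure, mirroring
    // the built-in validating filters.
    return preg_match('/^[0-9a-f]{8,32}$/', $value) === 1 ? $value : false;
};

function checkDocId(callable $validator, $raw): string
{
    // The callable is passed under the "options" key, like any filter option.
    $id = filter_var($raw, FILTER_CALLBACK, ["options" => $validator]);
    return $id === false ? "rejected" : "ok: " . $id;
}

// Constructed inputs: valid, valid with surrounding whitespace and upper
// case, a path-traversal attempt, and a value that is too short.
foreach (["DEADBEEF", " 0123456789abcdef ", "../etc/passwd", "zz"] as $raw) {
    echo str_pad(var_export($raw, true), 24) . " => " . checkDocId($validateDocId, $raw) . "\n";
}

// The same callback works inside a definition array, and an existing PHP
// function such as trim() can be named as the callback directly.
$definition = [
    "doc"     => ["filter" => FILTER_CALLBACK, "options" => $validateDocId],
    "comment" => ["filter" => FILTER_CALLBACK, "options" => "trim"],
];
$result = filter_var_array(["doc" => "CAFEBABE", "comment" => "  hello  "], $definition);
var_export($result);
echo "\n";
```

Because the closure returns FALSE rather than an empty string on failure, a rejected ID cannot be mistaken for a cleaned one; the built-in convertSpace()-style callback above, by contrast, always returns a string and therefore never signals rejection.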