Last Updated: February 25, 2016
· xero

clean user inputs with php var filters

filter_list: returns a list of all supported filters
http://php.net/manual/en/function.filter-list.php

filter_var: filters a variable with a specified filter
http://php.net/manual/en/function.filter-var.php

filter_var_array: gets multiple variables and optionally filters them
http://php.net/manual/en/function.filter-var-array.php

filter_input: gets a specific external variable by name and optionally filters it
http://php.net/manual/en/function.filter-input.php

filter_input_array: gets external variables and optionally filters them
http://php.net/manual/en/function.filter-input-array.php

i don't know why it took me so long to find these commands, but i love php's native filter functions! the idea is you take any input (i use it almost exclusively with user input [e.g. post, get, request]) and filter it!

there are validation and sanitization filters.
http://php.net/manual/en/filter.filters.validate.php
http://php.net/manual/en/filter.filters.sanitize.php
http://php.net/manual/en/filter.filters.flags.php

here are some of my favorites:

FILTER_CALLBACK
call a user-defined function to filter data

FILTER_SANITIZE_STRING
strip tags, optionally strip or encode special characters

FILTER_SANITIZE_ENCODED
URL-encode string, optionally strip or encode special characters

FILTER_SANITIZE_SPECIAL_CHARS
HTML-escape '"<>& and characters with ASCII value less than 32

FILTER_SANITIZE_EMAIL
remove all characters, except letters, digits and !#$%&'*+-/=?^_`{|}~@.[]

FILTER_SANITIZE_URL
remove all characters, except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=

FILTER_SANITIZE_NUMBER_INT
remove all characters, except digits and +-

FILTER_SANITIZE_NUMBER_FLOAT
remove all characters, except digits, +- and optionally .,eE

FILTER_VALIDATE_INT
validate value as integer, optionally from the specified range

FILTER_VALIDATE_BOOLEAN
returns TRUE for "1", "true", "on" and "yes", FALSE for "0", "false", "off", "no", and "", NULL otherwise

FILTER_VALIDATE_FLOAT
validate value as float

FILTER_VALIDATE_REGEXP
validate value against regexp, a Perl-compatible regular expression

FILTER_VALIDATE_URL
validate value as URL, optionally with required components

FILTER_VALIDATE_EMAIL
validate value as e-mail

FILTER_VALIDATE_IP
validate value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges

examples:

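<?php
//---check if valid email
//   filter_var returns the filtered value on success and false on failure
if(!filter_var("someone@example....com", FILTER_VALIDATE_EMAIL)){
    die('invalid email');
}

//---sanitize posted name
//   note: FILTER_SANITIZE_STRING is deprecated as of php 8.1
$name = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

//---check if posted id is a number
//   a posted "0" validates to int 0, which is falsy, so it also ends up as 0
$dirty = $_POST['id'];
$id = (filter_var($dirty, FILTER_VALIDATE_INT)) ?
      filter_var($dirty, FILTER_SANITIZE_NUMBER_INT) :
      0;
?>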
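
an added example (not part of the original post): validating a whole form in one pass with filter_var_array, using strict comparisons so that a valid "0" or a valid boolean false is not mistaken for a failure. the $post array, the field names and the check_fields() helper are constructed for illustration.

```php
<?php
// constructed sample input standing in for $_POST
$post = [
    'id'     => '0',                   // valid integer, but falsy in php
    'age'    => '212',                 // integer, outside the allowed range
    'email'  => 'someone@example.com',
    'notify' => 'maybe',               // not a recognised boolean string
    'slug'   => 'hello-world',
    'ip'     => '10.0.0.5',            // private range
];

// one rule per field: a filter id, or an array with flags/options
$spec = [
    'id'     => FILTER_VALIDATE_INT,
    'age'    => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 0, 'max_range' => 130]],
    'email'  => FILTER_VALIDATE_EMAIL,
    'notify' => ['filter' => FILTER_VALIDATE_BOOLEAN,
                 'flags'  => FILTER_NULL_ON_FAILURE],
    'slug'   => ['filter'  => FILTER_VALIDATE_REGEXP,
                 'options' => ['regexp' => '/^[a-z0-9-]{1,64}$/']],
    'ip'     => ['filter' => FILTER_VALIDATE_IP,
                 'flags'  => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE],
    'token'  => FILTER_VALIDATE_INT,   // not present in the input
];

// hypothetical helper: returns [clean values, errors keyed by field]
function check_fields(array $input, array $spec): array {
    $clean  = filter_var_array($input, $spec); // missing keys come back as null
    $errors = [];
    foreach ($spec as $field => $rule) {
        $flags = is_array($rule) ? ($rule['flags'] ?? 0) : 0;
        // failure is false, or null when FILTER_NULL_ON_FAILURE is set
        $failed = ($flags & FILTER_NULL_ON_FAILURE) ? null : false;
        if (!array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
        } elseif ($clean[$field] === $failed) {
            $errors[$field] = 'invalid';
        }
    }
    return [$clean, $errors];
}

[$clean, $errors] = check_fields($post, $spec);
var_export($clean);  echo "\n";
var_export($errors); echo "\n";
```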