PHP provides several filter functions that allow you to easily check for valid data or sanitize the data if any unwanted data is present. The following table lists the different functions available in the filter family.

| Function | Description |
| --- | --- |
| filter_has_var() | Checks if a variable of the specified type exists |
| filter_id() | Returns the filter ID of the specified filter |
| filter_input() | Retrieves a value passed by GET, POST, sessions, or cookies and filters it |
| filter_input_array() | Retrieves multiple values passed to the PHP program and filters them |
| filter_list() | Returns a list of supported filters |
| filter_var() | Filters a variable |
| filter_var_array() | Filters a list of variables |

- Validation: Checks if the specified data is present
- Sanitation: Checks if the specified data is present and removes it

| Filter | Description |
| --- | --- |
| FILTER_VALIDATE_BOOLEAN | Checks for a valid Boolean value |
| FILTER_VALIDATE_EMAIL | Checks for a valid email address |
| FILTER_VALIDATE_FLOAT | Checks for a valid float value |
| FILTER_VALIDATE_INT | Checks for a valid integer value |
| FILTER_VALIDATE_IP | Checks for a valid IP address value |
| FILTER_VALIDATE_REGEXP | Checks for a valid regular expression value |
| FILTER_VALIDATE_URL | Checks for a valid URL string |

TRUE value if the data contains the data type being checked, or a FALSE value if not. The following table shows the different sanitation filters available.

| Filter | Description |
| --- | --- |
| FILTER_SANITIZE_EMAIL | Removes illegal characters from an email address |
| FILTER_SANITIZE_ENCODED | Encodes special characters in the string |
| FILTER_SANITIZE_MAGIC_QUOTES | Applies the addslashes() function |
| FILTER_SANITIZE_NUMBER_FLOAT | Removes all characters except digits, +, -, and E |
| FILTER_SANITIZE_NUMBER_INT | Removes all characters except digits and + or - |
| FILTER_SANITIZE_SPECIAL_CHARS | Removes any special characters in the string |
| FILTER_SANITIZE_FULL_SPECIAL_CHARS | Same as htmlspecialchars() |
| FILTER_SANITIZE_STRING | Removes HTML tags and special characters from a string |
| FILTER_SANITIZE_STRIPPED | Same as FILTER_SANITIZE_STRING |
| FILTER_SANITIZE_URL | Removes all illegal characters from a URL string |

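```php
<?php
// Read the submitted address (empty string if the field is missing)
$address = $_POST['email'] ?? '';
// Strip characters that are not allowed in an email address
$address = filter_var($address, FILTER_SANITIZE_EMAIL);
// Validate the sanitized value before accepting it
if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
    echo "<h2>Sorry, you have entered an incorrect address</h2>";
} else {
    echo "<h2 id=\"tab1\">Thank you for submitting your data</h2>";
}
```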
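
The following added example (not part of the original page) validates a whole form in one call with filter_var_array(), which returns the converted value for each field that passes, false for a field that fails, and null for a field that is absent. The field names, the sample values, and the validate_form() helper are assumptions made for illustration.

```php
<?php
// Constructed sample input standing in for $_POST; with a real request,
// filter_input_array(INPUT_POST, $spec) accepts the same $spec.
$input = [
    'email'    => 'alice@example.com',
    'quantity' => '0',                        // valid integer, falsy once converted
    'ip'       => '999.1.1.1',                // not a valid IP address
    'site'     => 'https://example.com/path',
];

// One filter per field; options and flags narrow what counts as valid.
$spec = [
    'email'    => FILTER_VALIDATE_EMAIL,
    'quantity' => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 0, 'max_range' => 100]],
    'ip'       => ['filter' => FILTER_VALIDATE_IP, 'flags' => FILTER_FLAG_IPV4],
    'site'     => FILTER_VALIDATE_URL,
    'phone'    => FILTER_VALIDATE_INT,        // not present in $input
];

// Hypothetical helper: splits the filtered result into accepted values and errors.
function validate_form(array $input, array $spec): array
{
    $clean  = [];
    $errors = [];
    foreach (filter_var_array($input, $spec) as $field => $value) {
        // Strict comparisons matter: the valid quantity "0" becomes int 0,
        // which a loose !$value test would wrongly treat as a failure.
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

[$clean, $errors] = validate_form($input, $spec);
var_dump($clean);
var_dump($errors);
```
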
Using the PHP filter functions will help you safely process any type of input data received from your application's HTML forms.