PHP Filters


Introduction to PHP Filters

In modern web applications, handling user input safely and effectively is critical. PHP provides a powerful and flexible filtering extension designed for validating and sanitizing external data. This tutorial covers everything about PHP Filters, including how to use filter_var(), filter_input(), and even how to implement custom filters to ensure your applications handle data securely and correctly.

Prerequisites

  • Basic to intermediate understanding of PHP programming.
  • PHP installed (version 5.2.0+ supports filter extension by default).
  • Familiarity with handling forms and user input in PHP.

Setup Steps

Most PHP installations have the filters extension enabled by default. To check if filters are available on your server, run:

php -m | grep filter

If "filter" appears in the output, you are good to go. Otherwise, make sure the extension is enabled in your php.ini; in most builds it is compiled in and cannot be switched off, so this step is rarely needed.

Understanding PHP Filters

PHP filters fall broadly into two categories:

  • Validation filters: Check if data matches a specific format (e.g., integer, email).
  • Sanitization filters: Clean the data by removing unwanted characters or encoding it.

1. Using filter_var()

The filter_var() function filters a variable with a specified filter. Syntax:

filter_var(mixed $variable, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed

Example: Validate an email address

<?php
$email = "test@example.com";

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
  echo "The email address '{$email}' is valid.";
} else {
  echo "Invalid email address!";
}
?>

Example: Sanitize a string

<?php
$dirty_string = "<h1>Hello World!</h1>";

// FILTER_SANITIZE_STRING strips the tags, but it is deprecated as of PHP 8.1
$clean_string = filter_var($dirty_string, FILTER_SANITIZE_STRING);

// Alternative: encode the special characters instead of stripping them
$clean_string = filter_var($dirty_string, FILTER_SANITIZE_SPECIAL_CHARS);

// Outputs: &#60;h1&#62;Hello World!&#60;/h1&#62;
// which a browser renders literally as <h1>Hello World!</h1> rather than as markup
echo $clean_string;
?>

2. Using filter_input() to Validate Input from Forms

This function retrieves a variable from an external source such as INPUT_GET, INPUT_POST, or INPUT_COOKIE and filters it in one step, so you never have to read the superglobals directly.

filter_input(int $type, string $variable_name, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed

Example: Filter POST variable as integer

<?php
// Simulate form submission: assume user submitted 'age' via POST
$age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);

// filter_input() returns null when the variable is absent and false when it
// fails validation; treat both as invalid, otherwise a missing field slips through
if ($age === false || $age === null) {
  echo "Invalid age value.";
} else {
  echo "User age is {$age}.";
}
?>

3. Advanced Filtering Using Options & Flags

Filters can be fine-tuned with options and flags. For example, validating an integer within a range, or sanitizing URLs.

Example: Validate integer within a range

<?php
$number = 50;

$options = [
  'options' => [
    'min_range' => 1,
    'max_range' => 100
  ]
];

if (filter_var($number, FILTER_VALIDATE_INT, $options) !== false) {
  echo "Number {$number} is within the range 1 to 100.";
} else {
  echo "Number is out of range.";
}
?>
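As an added example that is not part of the original tutorial, the same options-and-flags mechanism applied to a whole form in one pass with filter_var_array(), which also makes the distinction between a missing field (null) and a field that fails validation (false) explicit. The function name, field names, limits and sample submissions are assumptions.

```php
<?php
// Added example (not from the tutorial): validate several submitted fields at
// once, each with its own filter, options and flags.

/**
 * Validates a signup form. $input stands in for $_POST.
 * Returns ['ok' => true, 'data' => [...]] or ['ok' => false, 'errors' => [...]].
 * Field names and limits are assumptions for this example.
 */
function validateSignup(array $input): array
{
    $definition = [
        // integer, restricted to a range via options
        'age'     => ['filter'  => FILTER_VALIDATE_INT,
                      'options' => ['min_range' => 13, 'max_range' => 120]],
        // plain filter constant, no options needed
        'email'   => FILTER_VALIDATE_EMAIL,
        // URL that must carry a path component, enforced via a flag
        'website' => ['filter' => FILTER_VALIDATE_URL,
                      'flags'  => FILTER_FLAG_PATH_REQUIRED],
    ];

    // Third argument true: keys absent from $input come back as null instead
    // of being dropped, so null means "missing" and false means "invalid".
    $filtered = filter_var_array($input, $definition, true);

    $errors = [];
    foreach ($filtered as $field => $value) {
        if ($value === null) {
            $errors[] = "$field is required";
        } elseif ($value === false) {
            $errors[] = "$field is invalid";
        }
    }

    return $errors
        ? ['ok' => false, 'errors' => $errors]
        : ['ok' => true, 'data' => $filtered];
}

// Constructed sample submissions (stand-ins for $_POST)
$good = ['age' => '42', 'email' => 'user@example.com',
         'website' => 'https://example.com/about'];
$bad  = ['age' => '7', 'email' => 'not-an-email'];   // website missing, age too low

print_r(validateSignup($good));   // validated, type-cast data
print_r(validateSignup($bad));    // one error per failing or missing field
?>
```

Because validation filters return the converted value (an int for FILTER_VALIDATE_INT), the 'data' array can be passed straight to the application layer without a second round of casting.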

Example: Sanitize URL

<?php
$url = "http://www.example.com/?search=