In real-world applications, you often need to validate dozens of input fields from a form ($_POST) or a URL ($_GET). Manually calling filter_input() for every single field is tedious and error-prone.
Schematic Validation allows you to define a single array (the schema) that maps every input field name to its required validation and sanitization rules. This schema is then processed all at once by the filter_input_array() function.
1. Defining the Schema Array
The schema array is an associative array where:
- Key: The name of the input field (e.g., 'username', 'email').
- Value: An array defining the rules for that field.
The rule array typically includes:
| Key | Purpose | Example Value |
| --- | --- | --- |
| filter | The main filter to apply (e.g., FILTER_VALIDATE_EMAIL). | FILTER_SANITIZE_STRING |
| flags | Options for the filter (e.g., FILTER_FLAG_IPV6 for IP addresses). | FILTER_NULL_ON_FAILURE |
| options | Constraints like minimum/maximum values (for integers). | array('min_range' => 18) |
2. The filter_input_array() Function
This function takes the external input type and the schema array and returns an array of results where every field has been processed.
| Syntax | Description |
| --- | --- |
| filter_input_array(type, definition) | Filters all variables from the specified input type (INPUT_POST or INPUT_GET) based on the provided schema. |
Example: Advanced Form Validation Schema
Let’s validate a registration form containing a username, email, and age.
```php
<?php
// Define the validation and sanitization rules
$form_schema = array(
    // 1. Username: Required, sanitize HTML tags and illegal characters
    //    (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.0)
    'username' => array(
        'filter' => FILTER_SANITIZE_STRING,
        'flags'  => FILTER_FLAG_NO_ENCODE_QUOTES
    ),
    // 2. Email: Validate format (the value is returned unchanged if valid)
    'user_email' => FILTER_VALIDATE_EMAIL, // Simple validation shorthand
    // 3. Age: Validate that it's an integer within a specific range
    'age' => array(
        'filter'  => FILTER_VALIDATE_INT,
        'options' => array(
            'min_range' => 18,
            'max_range' => 99
        )
    ),
    // 4. Checkbox (example of boolean): Validate as a boolean value
    'newsletter_optin' => FILTER_VALIDATE_BOOLEAN
);

// Apply the schema to the entire POST request
// $filtered_data will contain an array with the results
$filtered_data = filter_input_array(INPUT_POST, $form_schema);

if ($filtered_data) {
    echo "Processing results:<br>";
    $errors = 0;

    // Check for validation failures (FALSE = invalid, NULL = field not submitted)
    if (!is_string($filtered_data['username']) || $filtered_data['username'] === '') {
        echo "Error: Username is required.<br>";
        $errors++;
    }
    if (!is_string($filtered_data['user_email'])) {
        echo "Error: Invalid email format.<br>";
        $errors++;
    }
    if (!is_int($filtered_data['age'])) {
        echo "Error: Age must be between 18 and 99.<br>";
        $errors++;
    }

    // Use the data only when every check passed
    if ($errors === 0) {
        $username = $filtered_data['username'];
        // ... proceed to save to database (filtered input still needs a parameterized query)
    }
}
?>
```
Note: If a validation filter fails (e.g., invalid email), the value in the $filtered_data array will be FALSE. If a field was not present in the POST request, the value will be NULL.
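The NULL/FALSE distinction above, turned into a reusable check. This is an added example, not code from the original tutorial: validate_fields() and its $required parameter are hypothetical names, and it uses filter_var_array(), which takes the same schema as filter_input_array() but filters a plain array, so the constructed sample input runs from the command line.

```php
<?php
// Added example: validate_fields() and $required are hypothetical names.
function validate_fields(array $input, array $schema, array $required): array
{
    // Same schema format as filter_input_array(); missing keys come back as NULL
    $filtered = filter_var_array($input, $schema);
    $clean = [];
    $errors = [];

    foreach ($schema as $field => $rule) {
        // Decide "missing" from the raw input rather than from the NULL sentinel
        if (!array_key_exists($field, $input)) {
            if (in_array($field, $required, true)) {
                $errors[$field] = 'missing';
            }
            continue;
        }

        $value  = $filtered[$field];
        $filter = is_array($rule) ? ($rule['filter'] ?? FILTER_DEFAULT) : $rule;

        // FALSE is a legitimate result of FILTER_VALIDATE_BOOLEAN ("off", "0"),
        // so boolean rules here carry FILTER_NULL_ON_FAILURE and fail on NULL.
        $failed = ($filter === FILTER_VALIDATE_BOOLEAN) ? $value === null : $value === false;

        if ($failed) {
            $errors[$field] = 'invalid';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

$schema = [
    'user_email'       => FILTER_VALIDATE_EMAIL,
    'age'              => ['filter' => FILTER_VALIDATE_INT,
                           'options' => ['min_range' => 18, 'max_range' => 99]],
    'newsletter_optin' => ['filter' => FILTER_VALIDATE_BOOLEAN,
                           'flags' => FILTER_NULL_ON_FAILURE],
];

// Constructed sample input standing in for a POST body
$post = ['age' => '17', 'newsletter_optin' => 'off'];

[$clean, $errors] = validate_fields($post, $schema, ['user_email', 'age']);
print_r(['clean' => $clean, 'errors' => $errors]);
```

With this input, user_email is reported as missing, age as invalid, and newsletter_optin passes through as a valid false.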
3. Using Flags for Advanced Control
Flags allow you to fine-tune validation behavior:
| Flag Constant | Purpose | Use Case |
| --- | --- | --- |
| FILTER_NULL_ON_FAILURE | Returns NULL instead of FALSE on failure (can be cleaner for error checks). | When you want to distinguish between “not present” (NULL) and “invalid” (FALSE). |
| FILTER_FLAG_IPV6 | Used with FILTER_VALIDATE_IP to specifically validate an IPv6 address. | Restricting IP address submissions to the newer standard. |
| FILTER_FLAG_ALLOW_SPACE | Used with string sanitization to allow spaces (default behavior). | Ensuring spaces are preserved when stripping tags. |
Example: Validating an IP Address
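```php
<?php
$schema = array(
    'ip_address' => array(
        'filter' => FILTER_VALIDATE_IP,
        'flags'  => FILTER_FLAG_IPV4 // Only allow IPv4 format
    )
);

// filter_input_array() reads the request data as PHP received it, so a value
// assigned to $_POST at runtime is not seen. Submit ip_address=192.168.1.1
// in the POST body to exercise this example.
$result = filter_input_array(INPUT_POST, $schema);

// $result is NULL when the request carried no POST data at all
if (is_array($result) && is_string($result['ip_address'])) {
    echo "IP Address validated as IPv4: " . $result['ip_address'];
} else {
    echo "Invalid IP format or not IPv4.";
}
?>
```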
