When dealing with data from external sources (user forms, cookies, APIs, etc.), that data is inherently untrusted and must be both sanitized and validated before use.
- Sanitization: Cleaning the data by removing illegal or unwanted characters (e.g., stripping HTML tags from a comment).
- Validation: Checking if the data is in the expected format (e.g., checking if a submission is actually a valid email address).
PHP’s Filter extension provides the filter_var() function, a convenient built-in way to perform both tasks without hand-written regular expressions. Prefer validation (reject anything that does not match the expected format); sanitization silently alters the input and is best reserved for normalising a value before validating it.
1. The Core Function: filter_var()
The filter_var() function takes a variable and applies a specified filter to it.
| Syntax | Description |
| --- | --- |
| filter_var(mixed $value, int $filter = FILTER_DEFAULT, array\|int $options = 0): mixed | Filters the value according to the specified filter and returns the filtered data, or FALSE on failure (NULL instead of FALSE if the FILTER_NULL_ON_FAILURE flag is set). Because 0 and "" are legitimate filtered values, compare the result with === FALSE rather than relying on a truthiness test. |
2. Sanitization Filters (Cleaning Data)
Sanitization filters strip out characters that are illegal for a given kind of value, but they do not guarantee that what remains is in the correct format, and what they keep or remove is fixed by the filter rather than by your policy. Use them to normalise data before validating it. They are not a substitute for output encoding: data going into HTML still needs htmlspecialchars(), and data going into SQL still needs a prepared statement.
| Filter Name | Description | Use Case |
| --- | --- | --- |
| FILTER_SANITIZE_STRING | Strips tags and encodes quotes. Deprecated since PHP 8.1; encode with htmlspecialchars() at output time instead. | Legacy text cleaning. |
| FILTER_SANITIZE_EMAIL | Removes every character that cannot appear in an email address (letters, digits and symbols such as @ . - _ are kept). The result is not necessarily a valid address. | Normalising an email address before validating it. |
| FILTER_SANITIZE_URL | Removes all characters that are not permitted in a URL. | Cleaning a URL before validating it. |
| FILTER_SANITIZE_NUMBER_INT | Removes everything except digits and plus and minus signs. This can change the meaning of a value, so follow it with FILTER_VALIDATE_INT. | Cleaning an ID or phone-number field before validating it. |
Example: Sanitizing a Comment
Imagine a user submits a comment containing harmful HTML tags.
<?php
// Constructed input containing a script tag, as a user might submit it.
$user_comment = "Hello! I am a **great** user. <script>alert('xss');</script>";
// Recommended approach now that FILTER_SANITIZE_STRING is deprecated:
// encode the value for the HTML context at output time.
$safe_comment = htmlspecialchars($user_comment, ENT_QUOTES, 'UTF-8');
// Deliberately unsafe: echoing the raw value lets the browser execute the script.
echo "Unsafe: " . $user_comment . "<br>";
echo "Safe: " . $safe_comment;
// The <script> tag is now emitted as &lt;script&gt; and rendered harmlessly as text.
?>
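As an added example (not code from the original page), the following contrasts the sanitizing and validating filters on the same constructed inputs. It shows two things the table above does not: a sanitizing filter can silently change the meaning of a value (FILTER_SANITIZE_NUMBER_INT reduces "1e3" to "13"), and it can leave an invalid value invalid (user@@example survives FILTER_SANITIZE_EMAIL unchanged). The helper emailForHtml() is a name chosen for this example and shows the validate-then-encode pattern for an HTML context.

```php
<?php
// Added example, not from the original page: sanitizing versus validating the
// same inputs, then the validate-then-encode pattern for an HTML context.
declare(strict_types=1);

/**
 * Accept only a well-formed address and encode it for HTML at output time.
 * Returns null on rejection rather than trying to "repair" the input.
 * (Function name chosen for this example.)
 */
function emailForHtml(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null;
    }
    return htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs.
$inputs = ['user@@example', 'user@example.com', '1e3', '42', "o'brien@example.com"];

printf("%-22s %-22s %-22s %-14s %s\n",
    'input', 'SANITIZE_EMAIL', 'VALIDATE_EMAIL', 'SANITIZE_INT', 'VALIDATE_INT');
foreach ($inputs as $raw) {
    printf("%-22s %-22s %-22s %-14s %s\n",
        var_export($raw, true),
        var_export(filter_var($raw, FILTER_SANITIZE_EMAIL), true),
        var_export(filter_var($raw, FILTER_VALIDATE_EMAIL), true),
        var_export(filter_var($raw, FILTER_SANITIZE_NUMBER_INT), true),
        var_export(filter_var($raw, FILTER_VALIDATE_INT), true)
    );
}

echo "\n";
// The apostrophe in o'brien@example.com is a legal email character; it is
// rejected by neither filter, but it must still be encoded before it lands
// inside an HTML attribute.
foreach (['user@@example', "o'brien@example.com"] as $raw) {
    $out = emailForHtml($raw);
    echo $raw, ' => ', $out === null ? 'rejected' : $out, "\n";
}
```

Run it with `php sanitize_vs_validate.php`. The table makes the division of labour clear: the sanitizing column never reports failure, it just returns whatever survived, while the validating column is the only one that can say "no".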
3. Validation Filters (Checking Format)
Validation filters check whether the data strictly adheres to a specific format. On success they return the validated value (as a string for email, URL and IP; as an int, float or bool for the numeric and boolean filters); on failure they return FALSE. Since 0 and "" can be valid results, test the return value with === FALSE rather than in a boolean context, or pass FILTER_NULL_ON_FAILURE to receive NULL instead.
| Filter Name | Description | Returns |
| --- | --- | --- |
| FILTER_VALIDATE_EMAIL | Validates the syntax of an email address (it does not check that the domain or mailbox exists). | Valid email string or FALSE. |
| FILTER_VALIDATE_URL | Validates URL syntax; a scheme (such as http://) and, for most schemes, a host are required. Any scheme with a host is accepted (and file: without one), so this is not an allowlist: check the scheme yourself before following or embedding the URL. | Valid URL string or FALSE. |
| FILTER_VALIDATE_INT | Validates an integer (optional sign, decimal digits, surrounding whitespace allowed) and returns it as an int, so 0 is a valid result. | Integer value or FALSE. |
| FILTER_VALIDATE_FLOAT | Validates a floating-point number and returns it as a float. | Float value or FALSE. |
| FILTER_VALIDATE_IP | Validates an IPv4 or IPv6 address. Private, loopback and link-local addresses pass unless FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE are given. | Valid IP string or FALSE. |
Example: Validating an Email Address
<?php
$email_a = "user@example.com";
$email_b = "user@@example"; // Invalid format: two consecutive @ signs
if (filter_var($email_a, FILTER_VALIDATE_EMAIL) !== false) {
    echo "$email_a is a valid email.<br>";
} else {
    echo "$email_a is NOT valid.<br>";
}
if (filter_var($email_b, FILTER_VALIDATE_EMAIL) !== false) {
    echo "$email_b is a valid email.<br>";
} else {
    echo "$email_b is NOT valid.<br>";
}
?>
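Added example, not from the original page: a URL and IP check for a server-side fetch, which is where the gap between "well-formed" and "safe to use" matters most. FILTER_VALIDATE_URL accepts any scheme as long as a host is present (and file: even without one), and FILTER_VALIDATE_IP accepts loopback, link-local and private addresses unless the range flags are given. The policy enforced here (http or https only, a literal IP host must be a public address) is an assumption for the example, and urlForServerSideFetch() and isPublicIp() are names chosen for it.

```php
<?php
// Added example, not from the original page: combining FILTER_VALIDATE_URL and
// FILTER_VALIDATE_IP with an explicit scheme allowlist and the range flags.
declare(strict_types=1);

/**
 * True only for addresses outside the private and reserved ranges
 * (10/8, 172.16/12, 192.168/16, 127/8, 169.254/16, fc00::/7, ::1, ...).
 */
function isPublicIp(string $ip): bool
{
    return filter_var(
        $ip,
        FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    ) !== false;
}

/**
 * Returns the URL if it may be fetched server-side under the example policy,
 * or null otherwise. (Policy and function name are assumptions for this example.)
 */
function urlForServerSideFetch(string $raw): ?string
{
    // Step 1: syntax. This alone would still admit file:, gopher:, ftp: and
    // a loopback or metadata-service address.
    $url = filter_var($raw, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }

    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Step 2: scheme allowlist, which FILTER_VALIDATE_URL does not provide.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Step 3: a literal IP host must be public. parse_url keeps the square
    // brackets around an IPv6 literal, so strip them before validating.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false && !isPublicIp($host)) {
        return null;
    }

    return $url;
}

// Constructed sample inputs.
$candidates = [
    'https://example.com/api',
    'http://169.254.169.254/latest/meta-data/',
    'file:///etc/passwd',
    'gopher://10.0.0.5:6379/_FLUSHALL',
    'http://[::1]:8080/',
    'not a url',
];
foreach ($candidates as $candidate) {
    printf("%-45s %s\n", $candidate,
        urlForServerSideFetch($candidate) === null ? 'rejected' : 'allowed');
}
```

One caveat the code cannot cover offline: a hostname such as internal.example.com that resolves to a private address passes step 3, because only literal IP hosts are checked. A production SSRF guard resolves the name itself, checks every returned address with the same flags, and connects to the checked address rather than resolving a second time.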
4. Filtering External Input (Advanced)
While filter_var() handles a single variable that is already in hand, the filter_input() family reads named variables straight from an external source (INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER or INPUT_ENV) and applies a filter in one step. This is cleaner than reaching into the superglobals, and it never hands you an unfiltered value. Two details matter in practice: these functions read the original request data, so a value written into $_POST at runtime is not visible to them (nor is a JSON request body, which never populates $_POST); and they return NULL when the variable is absent and FALSE when it is present but fails the filter, so both cases need handling.
| Function | Purpose |
| --- | --- |
| filter_input() | Filters a single external variable (e.g., one field from a form). |
| filter_input_array() | Filters multiple external variables simultaneously using a defined schema. |
Example: Filtering a POST Variable
<?php
// Reads 'user_email' from the raw POST data and validates it.
// Returns null when the field is absent and false when it fails validation.
$user_email = filter_input(INPUT_POST, 'user_email', FILTER_VALIDATE_EMAIL);
// Validates 'age' as an integer. FILTER_SANITIZE_NUMBER_INT would only strip
// characters; it would not prove that what remains is a well-formed integer.
$user_age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT);
if ($user_email === null) {
    echo "Error: The email field is missing.";
} elseif ($user_email === false) {
    echo "Error: The email field was invalid.";
} else {
    // Validated, but still encode before placing it in HTML.
    echo "Email validated: " . htmlspecialchars($user_email, ENT_QUOTES, 'UTF-8');
}
?>
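Added example (not from the original page) of the schema form that filter_input_array() takes, with missing fields (NULL) reported separately from invalid ones (FALSE). Because filter_input_array() only reads a live request, the example runs the same definition through filter_var_array() on a constructed array; for a real form, filter_input_array(INPUT_POST, $definition) returns the same shape. The field names, ranges and the validateRegistration() name are assumptions for the example.

```php
<?php
// Added example, not from the original page: one schema for a whole form,
// distinguishing missing fields (null) from invalid ones (false).
declare(strict_types=1);

/**
 * Validate a registration form. Field names and ranges are assumptions for
 * this example. Returns ['values' => filtered array, 'errors' => field => reason].
 */
function validateRegistration(array $source): array
{
    // Each entry is either a filter constant or an array with 'filter',
    // optional 'flags' and optional 'options', exactly as filter_input_array() expects.
    $definition = [
        'user_email' => FILTER_VALIDATE_EMAIL,
        'age' => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 13, 'max_range' => 120],
        ],
        'website' => FILTER_VALIDATE_URL,   // optional field
    ];
    $optional = ['website'];

    // For a live request: filter_input_array(INPUT_POST, $definition).
    // add_empty=true keeps absent fields in the result as null.
    $filtered = filter_var_array($source, $definition, true);

    $errors = [];
    foreach ($filtered as $field => $value) {
        if ($value === null && !in_array($field, $optional, true)) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        }
    }
    return ['values' => $filtered, 'errors' => $errors];
}

// Constructed sample submissions standing in for $_POST.
$submissions = [
    ['user_email' => 'alice@example.com', 'age' => '34', 'website' => 'https://example.com'],
    ['user_email' => 'alice@@example',    'age' => '12'],          // both invalid, website absent
    ['age' => '0x10', 'website' => 'ftp://files.example.com'],     // email missing, age not decimal
];

foreach ($submissions as $i => $post) {
    $result = validateRegistration($post);
    printf("submission %d: %s\n", $i + 1,
        $result['errors'] === [] ? 'ok' : json_encode($result['errors']));
}
```

Keys present in the request but absent from the definition are dropped from the result, which is a useful side effect: the rest of the code only ever sees the fields the schema names.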
5. Options and Flags
You can pass an array with an 'options' key (and optionally a 'flags' key), or a plain bitmask of flags, as the third argument to filter_var() and filter_input() for precise control over what counts as valid.
Example: Validating an Integer Range
<?php
$num = 150;
$options = array(
    'options' => array(
        'min_range' => 10,
        'max_range' => 100
    )
);
// Checks that $num is an integer AND falls between 10 and 100 inclusive.
// Compare with === false: a valid result of 0 would fail a plain truthiness test.
if (filter_var($num, FILTER_VALIDATE_INT, $options) === false) {
    echo "$num is outside the allowed range (10-100).";
} else {
    echo "$num is valid.";
}
// Output: 150 is outside the allowed range (10-100).
?>
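Added example, not from the original page: three flag and option combinations that change what "valid" means. FILTER_VALIDATE_BOOLEAN is the filter where FILTER_NULL_ON_FAILURE matters most, because without it an explicit "off" and a malformed value are both returned as FALSE; FILTER_VALIDATE_REGEXP takes its pattern through the options array; and FILTER_VALIDATE_INT takes flags and range options together in one array. The function names and the username and colour policies are assumptions for the example.

```php
<?php
// Added example, not from the original page: flags and options that change
// the meaning of "valid". Function names are chosen for this example.
declare(strict_types=1);

/**
 * Tri-state boolean: true, false, or null for malformed input. Without
 * FILTER_NULL_ON_FAILURE, "off" and "garbage" would both come back as false.
 */
function parseFeatureFlag(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

/**
 * Username policy via FILTER_VALIDATE_REGEXP. \A and \z rather than ^ and $
 * so that a trailing newline ("alice\n") cannot slip past the end anchor.
 */
function parseUsername(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/\A[a-z][a-z0-9_]{2,31}\z/'],
    ]);
    return $v === false ? null : $v;
}

/**
 * 24-bit colour as decimal or 0x-prefixed hex, range-checked after parsing.
 * Flags and options travel together in one array.
 */
function parseColor(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, [
        'flags'   => FILTER_FLAG_ALLOW_HEX,
        'options' => ['min_range' => 0, 'max_range' => 0xFFFFFF],
    ]);
    return $v === false ? null : $v;
}

// Constructed sample inputs.
foreach (['yes', 'off', '', 'garbage'] as $raw) {
    printf("flag  %-12s => %s\n", var_export($raw, true), var_export(parseFeatureFlag($raw), true));
}
foreach (['alice', "alice\n", 'Alice', '_x'] as $raw) {
    printf("user  %-12s => %s\n", var_export($raw, true), var_export(parseUsername($raw), true));
}
foreach (['16777215', '0xFF00FF', '0x1000000', '-1'] as $raw) {
    printf("color %-12s => %s\n", var_export($raw, true), var_export(parseColor($raw), true));
}
```

The boolean case is the one to remember when a form field controls something security-relevant: treat NULL as "reject the request", not as "feature off".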
