PHP Filter
A filter, rightly named, does exactly that: it filters data, usually received from the end user.
For example, if you have a form that requires a user to input their email address, a filter can accept an email address while not accepting anything that does not look like an email address.
Filters are extremely important when it comes to the security of your server and the proper execution of your code, so you should always use them when possible.
Filter Functions
There are a number of different filter functions you can use:
filter_var() – Filters one variable with one filter
filter_input() – Gathers one variable, then filters it
filter_var_array() – Filters multiple variables with a single filter or multiple filters
filter_input_array() – Gathers multiple variables, then filters them with a single filter or multiple filters
filter_var() Example
We can use the filter_var() filter function to check the validity of an email address:
$email = "yourname@example.com"; // the value checked in this example; in practice this comes from user input
if (filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE)
{
    echo "$email is invalid";
}
else {
    echo "$email is valid";
}
In the above example, we used the filter_var() function to check whether the $email string value, here "yourname@example.com", is a well-formed email address.
filter_input() Example
We can take the above example a step further. If we want to check that an input contains any valid email address, rather than one fixed address, we can use the filter_input() function to do so:
if (!filter_has_var(INPUT_GET, "email")) // first check that the GET variable "email" was sent at all
{
    echo("Email does not exist");
}
else {
    if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
    {
        echo "Email is invalid";
    }
    else {
        echo "Email is valid";
    }
}
In the above example, we have an input named “email”, which we received by using GET.
First we checked to see whether the email variable was present. If not, we received the message "Email does not exist".
If the email variable was present, we used the filter_input() function to check whether or not the email address was valid. If not, we received the message "Email is invalid". If, after passing through our filter, the email was valid, we received the message "Email is valid".
We can also use the filter_input() function to validate that a number value is within a certain range:
$num = filter_input(INPUT_GET, "num", FILTER_VALIDATE_INT,
    array("options" => array("min_range" => 1, "max_range" => 100)));
// false: not an integer or outside 1-100; null: the variable was not sent
if ($num !== false && $num !== null)
{
    echo ($_GET['num'] ?? '').' is valid';
}
else {
    echo ($_GET['num'] ?? '').' is invalid';
}
In the above example, we used the filter_input() function to check that a number was an integer in the range of 1-100. If the number was within range, a "...is valid" message was echoed. If the number was not within range, a "...is invalid" message was echoed.
Sanitizing Data
At times, it may be necessary for us to clean up, or "sanitize", the data after it has been validated. This is especially true if we intend to use it in our script.
Sanitize A URL
We can use FILTER_SANITIZE_URL to remove any invalid characters that we may receive within a URL.
Along with letters and numbers, the following characters are also not removed from the URL:
$ - _ . + ! * ' ( ) , { } | ^ ~ [ ] ` > < # % " ; / ? : @ & =
Here's an example:
if (!filter_has_var(INPUT_POST, "url")) // first check that the POST variable "url" was sent at all
{
    echo("URL does not exist");
}
else {
    $url = filter_input(INPUT_POST, "url", FILTER_SANITIZE_URL);
}
To reiterate, the above example will remove invalid characters from the given URL by using the filter_input() function.
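The following is an added example, not code from the original page. It ties the validation and sanitizing sections together with filter_var_array(), which the page lists but does not demonstrate, and shows why a sanitized URL should still be validated: FILTER_SANITIZE_URL only strips disallowed characters and says nothing about whether what remains is a URL. The validate_signup() function, its field names and the $sample request are assumptions constructed for this example.

```php
<?php
// Added example (not from the original page). $request stands in for $_POST.

function validate_signup(array $request): array
{
    $definition = [
        // Must look like an email address; anything else becomes false.
        'email' => FILTER_VALIDATE_EMAIL,
        // Integer in the range 1-100, as in the page's number example.
        'num'   => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 100],
        ],
        // Strip characters that are not allowed in a URL (sanitizing only).
        'url'   => FILTER_SANITIZE_URL,
    ];

    // add_empty = false: fields missing from $request are left out of $clean
    // instead of being set to null, so we can tell "not sent" from "failed".
    $clean = filter_var_array($request, $definition, false);

    foreach (array_keys($definition) as $field) {
        if (!array_key_exists($field, $clean)) {
            $clean[$field] = null; // the "does not exist" case from the page
        }
    }

    // Second pass on the sanitized URL: FILTER_SANITIZE_URL removed junk
    // characters, but only FILTER_VALIDATE_URL confirms a well-formed URL.
    if (is_string($clean['url'])
        && filter_var($clean['url'], FILTER_VALIDATE_URL) === false) {
        $clean['url'] = false;
    }
    return $clean;
}

// Constructed sample request: a well-formed email, a number outside 1-100,
// and a URL containing a space, which FILTER_SANITIZE_URL strips out.
$sample = [
    'email' => 'yourname@example.com',
    'num'   => '250',
    'url'   => 'https://example.com/pa th?q=1',
];
$result = validate_signup($sample);
foreach ($result as $field => $value) {
    // false means the filter rejected the field; null means it was not sent
    echo $field, ': ', var_export($value, true), PHP_EOL;
}
```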