Filtering Data in PHP - dummies

By Richard Blum

Part of PHP, MySQL & JavaScript All-in-One For Dummies Cheat Sheet

Validating input data is crucial to any PHP application. You don’t want an attacker compromising your system by submitting malformed form data. Fortunately, the PHP developers have provided some help with that process.

PHP provides several filter functions that allow you to easily check for valid data or sanitize the data if any unwanted data is present. The following table lists the different functions available in the filter family.

The PHP Filter Functions
Function Description
filter_has_var() Checks if a variable of the specified type exists
filter_id() Returns the filter ID of the specified filter
filter_input() Retrieves a value passed by GET, POST, sessions, or cookies and filters it
filter_input_array() Retrieves multiple values passed to the PHP program and filters them
filter_list() Returns a list of supported filters
filter_var() Filters a variable
filter_var_array() Filters a list of variables

These functions allow you to specify a variable to check and the type of check to perform. There are two main groups of filter:

  • Validation: Checks whether the data matches the expected format (an integer, an email address, and so on) and reports failure if it does not
  • Sanitation: Removes or encodes the characters that are not allowed for the expected format and returns whatever is left

The following table shows the different validation filters available.

PHP Validation Filters
Filter Description
FILTER_VALIDATE_BOOLEAN Checks for a valid Boolean value
FILTER_VALIDATE_EMAIL Checks for a valid email address
FILTER_VALIDATE_FLOAT Checks for a valid float value
FILTER_VALIDATE_INT Checks for a valid integer value
FILTER_VALIDATE_IP Checks for a valid IP address value
FILTER_VALIDATE_REGEXP Checks that the value matches the regular expression supplied in the regexp option
FILTER_VALIDATE_URL Checks for a valid URL string

The validation checks return the value itself (cast to the matching PHP type, so it tests as TRUE) if the data passes the check, or FALSE if it does not.

The following table shows the different sanitation filters available.

PHP Sanitation Filters
Filter Description
FILTER_SANITIZE_EMAIL Removes characters that cannot appear in an email address
FILTER_SANITIZE_ENCODED URL-encodes the string, like urlencode()
FILTER_SANITIZE_MAGIC_QUOTES Applies the addslashes() function (deprecated in PHP 7.3, removed in PHP 8.0)
FILTER_SANITIZE_NUMBER_FLOAT Removes all characters except digits, + and - (the characters . , e and E are kept only with the FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND and FILTER_FLAG_ALLOW_SCIENTIFIC flags)
FILTER_SANITIZE_NUMBER_INT Removes all characters except digits, + and -
FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes the characters ' " < > & and any character with an ASCII value below 32
FILTER_SANITIZE_FULL_SPECIAL_CHARS Same as htmlspecialchars()
FILTER_SANITIZE_STRING Removes HTML tags and encodes quotes in a string (deprecated as of PHP 8.1)
FILTER_SANITIZE_STRIPPED Same as FILTER_SANITIZE_STRING (deprecated as of PHP 8.1)
FILTER_SANITIZE_URL Removes all illegal characters from a URL string

You can combine both the sanitizing and validating features in your code to ensure the data you receive from an HTML form is valid:

<?php
// Sanitize first, then validate what is left.
$address = $_POST['email'] ?? '';
$address = filter_var($address, FILTER_SANITIZE_EMAIL);

if (!filter_var($address, FILTER_VALIDATE_EMAIL)) {
    echo "<h2>Sorry, you have entered an incorrect address</h2>";
} else {
    echo "<h2>Thank you for submitting your data</h2>";
}
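The single-field check above scales poorly once a form has several fields. The following is an added example, not code from the cheat sheet or its author: it applies the validation-versus-sanitation distinction from the earlier list to a whole form at once with filter_var_array(), using a per-field definition with options and flags. The field names, the age limits, the username pattern and the sample submission are all constructed for illustration.

```php
<?php
// Added example, not part of the cheat sheet: validate a whole form at once
// with filter_var_array() and a per-field filter definition. The field names,
// the limits and the sample input are constructed for illustration.

function validate_signup(array $input): array
{
    // Sanitize first where it makes sense: strip characters that can never
    // appear in an address (stray whitespace from copy/paste, for example).
    $input['email'] = filter_var($input['email'] ?? '', FILTER_SANITIZE_EMAIL);

    $definition = [
        'email'    => FILTER_VALIDATE_EMAIL,
        'age'      => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 13, 'max_range' => 120],
        ],
        // FILTER_VALIDATE_REGEXP checks the value against the regexp option.
        'username' => [
            'filter'  => FILTER_VALIDATE_REGEXP,
            'options' => ['regexp' => '/^[A-Za-z0-9_]{3,20}$/'],
        ],
        // Without FILTER_NULL_ON_FAILURE the boolean filter returns FALSE both
        // for "no"/"off" and for garbage, so the two cannot be told apart.
        'newsletter' => [
            'filter' => FILTER_VALIDATE_BOOLEAN,
            'flags'  => FILTER_NULL_ON_FAILURE,
        ],
        'website'  => FILTER_VALIDATE_URL,
    ];

    // Missing keys come back as NULL, failed checks as FALSE, and everything
    // else as the value cast to its PHP type (int, bool, string).
    $clean  = filter_var_array($input, $definition);
    $errors = [];

    foreach (['email', 'age', 'username'] as $required) {
        if ($clean[$required] === null || $clean[$required] === false) {
            $errors[] = "$required is missing or invalid";
        }
    }
    // Optional fields: absent is fine, present-but-invalid is not.
    if (($input['website'] ?? '') !== '' && $clean['website'] === false) {
        $errors[] = 'website is not a valid URL';
    }
    if (isset($input['newsletter']) && $clean['newsletter'] === null) {
        $errors[] = 'newsletter must be yes/no';
    }
    $clean['newsletter'] = $clean['newsletter'] ?? false;

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $clean];
}

// Constructed sample submission (what $_POST would hold for this form).
$sample = [
    'email'      => 'alice@example.com ',   // trailing space, removed by sanitizing
    'age'        => '25',                   // becomes int(25)
    'username'   => '<script>',             // rejected by the regexp
    'newsletter' => 'yes',                  // becomes bool(true)
    'website'    => 'not a url',            // rejected by FILTER_VALIDATE_URL
];

$result = validate_signup($sample);

if ($result['ok']) {
    // Validation says the data is well-formed, not that it is safe to print:
    // encode it for HTML on the way out.
    $name = filter_var($result['data']['username'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    echo "<h2>Thank you, $name</h2>\n";
} else {
    foreach ($result['errors'] as $msg) {
        echo "Error: ", htmlspecialchars($msg), "\n";
    }
}
```

Two points worth noticing: the sanitize step runs before the validate step only where removing characters is harmless (the email address), while the username is validated strictly rather than cleaned, because silently rewriting an identifier hides the fact that the input was bad; and validation alone does not make a value safe to echo into HTML, which is why the accepted username is still encoded with FILTER_SANITIZE_FULL_SPECIAL_CHARS before it is printed.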

Using the PHP filter functions will help you safely process any type of input data received through your application’s HTML forms.