
PHP filter

PHP filter is used to validate and filter data from insecure sources, such as user input.


What is a PHP Filter?

PHP filter is used to validate and filter data from insecure sources.

Testing, validating and filtering user input or custom data is an important part of any web application.

PHP filter extension is designed to make data filtering easier and quicker.


Why use a filter?

Almost all web applications depend on external input. This data usually comes from users or from other applications (such as web services). By using filters, you can ensure that the application receives input of the correct type.

You should always filter external data!

Input filtering is one of the most important application security issues.

What is external data?

  • Input data from a form
  • Cookies
  • Web services data
  • Server Variables
  • Database query results

Functions and Filters

To filter a variable, use one of the following filter functions:

  • filter_var() - filters a single variable with a specified filter
  • filter_var_array() - filters multiple variables with the same or different filters
  • filter_input() - gets one input variable and filters it
  • filter_input_array() - gets multiple input variables and filters them with the same or different filters

In the following example, we use the filter_var() function to validate an integer:

<?php
$int = 123;

if(!filter_var($int, FILTER_VALIDATE_INT))
{
	echo("不是一个合法的整数");
}
else
{
	echo("是个合法的整数");
}
?>

The code above uses the "FILTER_VALIDATE_INT" filter to filter the variable. Since the integer is valid, the code above will output:

If we try a variable that is not an integer (such as "123abc"), the output will be: "Integer is not valid".

For a complete list of functions and filters, visit our PHP Filter Reference Manual.


Validating and Sanitizing

There are two kinds of filters:

Validating filters:

  • Used to validate user input
  • Strict format rules (such as URL or e-mail validation)
  • Return the expected type on success, or FALSE on failure

Sanitizing filters:

  • Used to allow or disallow specified characters in a string
  • No data format rules
  • Always return a string

Options and flags

Options and flags are used to add additional filtering options to the specified filters.

Different filters have different options and flags.

In the following example, we use filter_var() with the "min_range" and "max_range" options to validate an integer:

<?php
$var=300;

$int_options = array(
	"options"=>array
	(
		"min_range"=>0,
		"max_range"=>256
	)
);

if(!filter_var($var, FILTER_VALIDATE_INT, $int_options))
{
	echo("不是一个合法的整数");
}
else
{
	echo("是个合法的整数");
}
?>

As in the code above, the options must be placed in an associative array with the name "options". If a flag is used instead, it does not need to be wrapped in the array.

Since the integer "300" is not within the specified range, the output of the code above will be:

不是一个合法的整数

For a complete list of functions and filters, visit our PHP Filter Reference Manual. There you can see the options and flags available for each filter.
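An added example, not from the original tutorial, that shows where options and flags go in the third argument and a caveat for the tutorial's `if(!filter_var(...))` pattern: FILTER_VALIDATE_INT returns the integer 0 for a valid "0", so a plain `!` check treats it as a failure. The port range and sample inputs are constructed for the demo.

```php
<?php
// Added example: options go under the "options" key, flags under "flags";
// a flag can also be passed directly as the third argument. With the
// FILTER_NULL_ON_FAILURE flag an invalid value yields null instead of false,
// so a legitimate 0 is no longer confused with a validation failure.

function validatePort($value)
{
    $result = filter_var($value, FILTER_VALIDATE_INT, array(
        "options" => array("min_range" => 0, "max_range" => 65535),
        "flags"   => FILTER_NULL_ON_FAILURE
    ));
    // Compare strictly: 0 is a valid port, null means the filter failed.
    return $result === null ? "invalid" : "valid: " . $result;
}

// Constructed sample inputs: "0" is valid here, but !filter_var() would
// have rejected it; "65536" is out of range; "123abc" is not an integer.
foreach (array("0", "443", "65536", "123abc") as $s) {
    echo str_pad(var_export($s, true), 10) . " => " . validatePort($s) . "\n";
}
?>
```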


Validating input

Let's try validating input from a form.

The first thing we need to do is to confirm that the input data we are looking for exists.

Then we use the filter_input() function to filter the input data.

In the example below, the input variable "email" is passed to the PHP page:

<?php
if(!filter_has_var(INPUT_GET, "email"))
{
	echo("没有 email 参数");
}
else
{
	if (!filter_input(INPUT_GET, "email", FILTER_VALIDATE_EMAIL))
	{
		echo "不是一个合法的 E-Mail";
	}
	else
	{
		echo "是一个合法的 E-Mail";
	}
}
?>

The result of the example above is as follows:

Examples explained

The example above has an input variable (email) sent using the "GET" method:

  1. Check whether an input variable "email" of the "GET" type exists
  2. If the input variable exists, check whether it is a valid e-mail address

Sanitizing input

Let's try sanitizing a URL coming from a form.

First of all, we need to confirm that the input data we are looking for exists.

Then we sanitize the input data with the filter_input() function.

In the example below, the input variable "url" is passed to the PHP page:

<?php
if(!filter_has_var(INPUT_GET, "url"))
{
	echo("没有 url 参数");
}
else
{
	$url = filter_input(INPUT_GET, 
	"url", FILTER_SANITIZE_URL);
	echo $url;
}
?>

Examples explained

The example above has an input variable (url) sent using the "GET" method:

  1. Check whether an input variable "url" of the "GET" type exists
  2. If the input variable exists, sanitize it (remove illegal characters) and store it in the $url variable

If the input variable is a string like "http://www.ruaanoob.com/", the $url variable after sanitizing will look like this:
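An added example, not part of the original tutorial: FILTER_SANITIZE_URL only strips characters that cannot appear in a URL; it does not guarantee a well-formed URL or restrict the scheme. The function below sanitizes, then validates with FILTER_VALIDATE_URL, then allowlists http and https. The sample inputs are constructed for the demo.

```php
<?php
// Added example: sanitize, validate, then restrict the scheme.
// A sanitized value is not automatically a safe or even a valid URL.

function safeHttpUrl($input)
{
    $clean = filter_var($input, FILTER_SANITIZE_URL);
    // FILTER_VALIDATE_URL requires at least a scheme and (for http/https) a host.
    $valid = filter_var($clean, FILTER_VALIDATE_URL);
    if ($valid === false) {
        return false;
    }
    // Allowlist the scheme: anything other than http/https is rejected.
    $scheme = strtolower((string) parse_url($valid, PHP_URL_SCHEME));
    return in_array($scheme, array("http", "https"), true) ? $valid : false;
}

// Constructed sample inputs for illustration.
$samples = array(
    "http://www.example.com/",
    "http://www.exam ple.com/",   // the space is removed by sanitizing
    "ftp://files.example.com/",   // well-formed URL, but not an allowed scheme
    "www.example.com",            // no scheme: fails FILTER_VALIDATE_URL
);
foreach ($samples as $s) {
    $r = safeHttpUrl($s);
    echo var_export($s, true) . " => " . ($r === false ? "rejected" : $r) . "\n";
}
?>
```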



Filtering multiple inputs

Forms often consist of multiple input fields. To avoid calling filter_var() or filter_input() repeatedly, we can use the filter_var_array() or filter_input_array() function.

In this example, we use the filter_input_array() function to filter three GET variables. The GET variables received are a name, an age and an e-mail address:

<?php
$filters = array
(
	"name" => array
	(
		"filter"=>FILTER_SANITIZE_STRING
	),
	"age" => array
	(
		"filter"=>FILTER_VALIDATE_INT,
		"options"=>array
		(
			"min_range"=>1,
			"max_range"=>120
		)
	),
	"email"=> FILTER_VALIDATE_EMAIL
);

$result = filter_input_array(INPUT_GET, $filters);

if (!$result["age"])
{
	echo("年龄必须在 1 到 120 之间。<br>");
}
elseif(!$result["email"])
{
	echo("E-Mail 不合法<br>");
}
else
{
	echo("输入正确");
}
?>

Examples explained

The example above has three input variables (name, age and email) sent using the "GET" method:

  1. Set up an array that contains the names of the input variables and the filter to apply to each of them
  2. Call the filter_input_array() function, with the GET input variables and the array we just set up as parameters
  3. Check whether the "age" and "email" input variables in the $result variable are invalid. (If an input is invalid, the input variable is FALSE after the filter_input_array() function is used.)

The second argument of the filter_input_array() function can be an array or a single filter ID.

If the parameter is a single filter ID, the specified filter will filter all values in the input array.

If the parameter is an array, the array must follow these rules:

  • It must be an associative array whose keys are input variable names (such as the "age" input variable)
  • The value of each entry must be a filter ID, or an array specifying the filter, flags and options
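The same definition-array technique as an added example, not from the original tutorial, applied with filter_var_array() to a constructed array so it runs without a request. It distinguishes a missing field (null) from a failed one (false), which the tutorial's `!$result["age"]` check cannot do, and uses FILTER_SANITIZE_FULL_SPECIAL_CHARS in place of FILTER_SANITIZE_STRING, which is deprecated since PHP 8.1.

```php
<?php
// Added example: filter_var_array() with a per-field definition array.

function filterSignup(array $input)
{
    $definition = array(
        "name"  => array(
            "filter" => FILTER_SANITIZE_FULL_SPECIAL_CHARS,
        ),
        "age"   => array(
            "filter"  => FILTER_VALIDATE_INT,
            "options" => array("min_range" => 1, "max_range" => 120),
        ),
        "email" => FILTER_VALIDATE_EMAIL,
    );
    // add_empty = true (the default) fills keys absent from $input with null,
    // so "never sent" (null) can be told apart from "failed the filter" (false).
    $result = filter_var_array($input, $definition, true);

    $errors = array();
    foreach (array("age", "email") as $field) {
        if ($result[$field] === null) {
            $errors[] = "$field is missing";
        } elseif ($result[$field] === false) {
            $errors[] = "$field is invalid";
        }
    }
    return array("values" => $result, "errors" => $errors);
}

// Constructed request data for illustration.
$request = array(
    "name"  => "<b>Alice</b>",   // tags are escaped, not removed
    "age"   => "130",            // out of range -> false
    // "email" deliberately absent -> null
    "extra" => "ignored",        // keys not in the definition are dropped
);
$out = filterSignup($request);
print_r($out["values"]);
foreach ($out["errors"] as $e) {
    echo $e, "\n";
}
?>
```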

Use Filter Callback

By using the FILTER_CALLBACK filter, you can call a custom function and use it as a filter. This gives us complete control over the data filtering.

You can create your own custom function, or you can use an existing PHP function.

The function you want to use as a filter is specified in the same way as options are: in an associative array with the name "options".

In the following example, we use a custom function to convert all "_" characters to ".":

<?php
function convertSpace($string)
{
	return str_replace("_", ".", $string);
}

$string = "www_w3big_com!";

echo filter_var($string, FILTER_CALLBACK,
array("options"=>"convertSpace"));
?>

The result of the code above is as follows:

Examples explained

The example above converts all "_" characters to ".":

  1. Create a function that replaces "_" with "."
  2. Call the filter_var() function with the FILTER_CALLBACK filter and an array containing our function as parameters
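An added example, not from the original tutorial, that takes the callback idea one step further: the callback both normalizes the value (trim, lowercase, the tutorial's "_" to "." replacement) and validates it against an allowlist, returning false so that filter_var() reports failure like a validating filter. The username pattern and length limits are assumptions for the demo.

```php
<?php
// Added example: FILTER_CALLBACK with a closure that normalizes and validates.
// When the callback returns false, filter_var() returns false as well.

function validateUsername($value)
{
    return filter_var($value, FILTER_CALLBACK, array(
        "options" => function ($s) {
            $s = strtolower(trim((string) $s));
            // Same replacement as the tutorial's convertSpace() function.
            $s = str_replace("_", ".", $s);
            // Allowlist (assumed for this demo): lowercase letters and digits,
            // separated by single dots, 3 to 16 characters in total.
            $ok = preg_match('/^[a-z0-9]+(\.[a-z0-9]+)*$/', $s) === 1
                && strlen($s) >= 3 && strlen($s) <= 16;
            return $ok ? $s : false;
        }
    ));
}

// Constructed sample inputs: one accepted after normalization, one too
// short, one containing disallowed characters, one with a double dot.
foreach (array("  Www_W3big_Com  ", "ab", "bad<script>", "a..b") as $u) {
    $r = validateUsername($u);
    echo var_export($u, true) . " => " . ($r === false ? "rejected" : $r) . "\n";
}
?>
```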