Learn FILTERS in PHP for Best Security Performance

Today we will learn about a less used but powerful feature of PHP: the FILTERS. This extension filters data by either validating or sanitizing it. This is especially useful when the data source contains unknown (or foreign) data, like user supplied input. For example, this data may come from an HTML form.
There are two main types of filtering: validation and sanitization.
Validation is used to validate or check if the data meets certain qualifications. For example, passing in FILTER_VALIDATE_EMAIL will determine if the data is a valid email address, but will not change the data itself.
Sanitization will sanitize the data, so it may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. That said, it does not validate the data.
Source: PHP.net
Note: FILTER is available only in PHP version 5.2 or later.

Types of filters:
  • Validate filters
  • Sanitize filters
  • Other filters
  • Filter flags
Validate Filters:
FILTER_VALIDATE_BOOLEAN: Returns TRUE for "1", "true", "on" and "yes". Returns FALSE otherwise.
FILTER_VALIDATE_EMAIL: Validates value as e-mail.
FILTER_VALIDATE_FLOAT: Validates value as float.
FILTER_VALIDATE_INT: Validates value as integer, optionally from the specified range.
FILTER_VALIDATE_IP: Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.
FILTER_VALIDATE_REGEXP: Validates value against regexp, a Perl-compatible regular expression.
FILTER_VALIDATE_URL: Validates value as URL.

Examples:
Validating Email address:
<?php
$email_a = 'foo@foo.com';
$email_b = 'invalid@email';

if (filter_var($email_a, FILTER_VALIDATE_EMAIL)) {
    echo "This ($email_a) email address is valid.\n";
} else {
    echo "This ($email_a) email address is invalid.\n";
}
if (filter_var($email_b, FILTER_VALIDATE_EMAIL)) {
    echo "This ($email_b) email address is valid.\n";
} else {
    echo "This ($email_b) email address is invalid.\n";
}
?>

Output:
This (foo@foo.com) email address is valid.
This (invalid@email) email address is invalid.

Validating IP address:
<?php
$ip_a = '127.0.0.1';
$ip_b = '52.69';

if (filter_var($ip_a, FILTER_VALIDATE_IP)) {
    echo "This ($ip_a) IP address is valid.\n";
} else {
    echo "This ($ip_a) IP address is invalid.\n";
}
if (filter_var($ip_b, FILTER_VALIDATE_IP)) {
    echo "This ($ip_b) IP address is valid.\n";
} else {
    echo "This ($ip_b) IP address is invalid.\n";
}
?>

Output:
This (127.0.0.1) IP address is valid.
This (52.69) IP address is invalid.
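The list above mentions that FILTER_VALIDATE_INT takes a range and FILTER_VALIDATE_IP takes flags, but neither example shows how the options are passed. The following is an added example, not part of the original post; the function names valid_offset() and public_ipv4() and the sample values are mine. It also shows the comparison pitfall that a valid "0" is returned as int(0), which is falsy, so results must be compared with === false.

```php
<?php
// Added example (not from the original post): passing range options and flags
// to the validate filters, and checking the result safely.

function valid_offset(string $value)
{
    // min_range/max_range go in the 'options' sub-array of the third argument.
    return filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 1000],
    ]);
}

function public_ipv4(string $value)
{
    // Flags are passed directly as the third argument: IPv4 only, and reject the
    // private (10/8, 172.16/12, 192.168/16) and reserved (127/8, 169.254/16, ...) ranges.
    return filter_var($value, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
}

// Constructed inputs: "0" is valid but falsy, so a plain if ($r) would wrongly reject it.
foreach (['0', '250', '1001', '12abc', '-1'] as $v) {
    $r = valid_offset($v);
    echo str_pad("'$v'", 9), ($r === false ? 'rejected' : "accepted as int $r"), "\n";
}

// Constructed inputs: loopback and link-local are reserved, 10/8 is private,
// "::1" is IPv6 and "300.1.1.1" is not an address at all.
foreach (['8.8.8.8', '10.0.0.1', '127.0.0.1', '169.254.1.1', '::1', '300.1.1.1'] as $ip) {
    $r = public_ipv4($ip);
    echo str_pad($ip, 13), ($r === false ? 'rejected' : 'accepted'), "\n";
}

// FILTER_VALIDATE_BOOLEAN returns false both for "off" and for junk; with
// FILTER_NULL_ON_FAILURE a real false and "not a boolean at all" are distinguishable.
foreach (['yes', 'off', 'maybe'] as $b) {
    $r = filter_var($b, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    echo str_pad($b, 7), var_export($r, true), "\n";
}
?>
```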

Sanitize filters:
FILTER_SANITIZE_EMAIL: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
FILTER_SANITIZE_ENCODED: URL-encode string, optionally strip or encode special characters.
FILTER_SANITIZE_MAGIC_QUOTES: Apply addslashes(). (Deprecated as of PHP 7.3 and removed in PHP 8.0; it was never a substitute for prepared statements.)
FILTER_SANITIZE_NUMBER_FLOAT: Remove all characters except digits, +- and optionally .,eE.
FILTER_SANITIZE_NUMBER_INT: Remove all characters except digits, plus and minus sign.
FILTER_SANITIZE_SPECIAL_CHARS: HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.
FILTER_SANITIZE_STRING: Strip tags, optionally strip or encode special characters. (Deprecated as of PHP 8.1; escape with htmlspecialchars() at output time instead.)
FILTER_SANITIZE_STRIPPED: Alias of the "FILTER_SANITIZE_STRING" filter (deprecated with it).
FILTER_SANITIZE_URL: Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
FILTER_UNSAFE_RAW: Do nothing, optionally strip or encode special characters.

Examples:
<?php
$invalid_email = "(corrupted@-foo dot com)";

// Validate first; only if the address is rejected, show what sanitizing does to it.
if (!filter_var($invalid_email, FILTER_VALIDATE_EMAIL)) {
    // Strip every character that may not appear in an e-mail address.
    $sanitized_email = filter_var($invalid_email, FILTER_SANITIZE_EMAIL);
    echo "This ($invalid_email) email address is invalid.\n";
    echo "Sanitized Email is: $sanitized_email\n";
}
?>

Output:
This ((corrupted@-foo dot com)) email address is invalid.
Sanitized Email is: corrupted@-foodotcom

Note that the parentheses and spaces are removed but the hyphen is kept, and the sanitized string is still not a valid address: sanitizing never validates.

Filtering GET & POST Variables:
The filter_input() function gets a specific external variable by name and optionally filters it.
Usage:
mixed filter_input ( int $type , string $variable_name [, int $filter = FILTER_DEFAULT [, mixed $options ]] )
Parameters:
type: One of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
variable_name: Name of a variable to get.
filter: The ID of the filter to apply. The Types of filters manual page lists the available filters.
options: Associative array of options or bitwise disjunction of flags. If the filter accepts options, flags can be provided in the "flags" field of the array.

Return Values: Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns FALSE if the variable is not set and NULL if the filter fails.

Example:
<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
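The sanitize section and the filter_input() section both raise the same practical question: when should input be sanitized and when validated? The following is an added example, not part of the original post or the PHP manual. It uses filter_var_array() over a constructed array that stands in for $_GET so it runs offline (a real request handler would call filter_input_array(INPUT_GET, $definition) with the same definition); the parameter names page, email and q are my own.

```php
<?php
// Added example (not from the original post): sanitizing vs. validating request input.

// 1. A sanitize filter silently rewrites the value; a validate filter rejects it.
$raw = '12abc34';
$sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);   // letters dropped, digits kept
$validated = filter_var($raw, FILTER_VALIDATE_INT);          // the whole string is rejected
printf("raw=%s sanitized=%s validated=%s\n", $raw, $sanitized, var_export($validated, true));
// Validating after sanitizing therefore accepts a number the user never sent.
printf("validate(sanitized)=%s\n", var_export(filter_var($sanitized, FILTER_VALIDATE_INT), true));

// 2. Validate typed parameters on input, keep free text raw, escape at output per context.
$definition = [
    'page'  => ['filter'  => FILTER_VALIDATE_INT,
                'options' => ['min_range' => 1, 'max_range' => 1000]],
    'email' => FILTER_VALIDATE_EMAIL,
    'q'     => FILTER_UNSAFE_RAW,   // free text: no input filter knows the output context
];

// Constructed request: 'page' fails the range check, 'email' is absent, 'q' carries markup.
$get = ['page' => '0', 'q' => "<script>alert(1)</script> & co"];

// In the result, false means the filter failed and null means the key was missing.
$in = filter_var_array($get, $definition);
foreach (array_keys($definition) as $name) {
    if ($in[$name] === null) {
        echo "$name: missing\n";
    } elseif ($in[$name] === false) {
        echo "$name: rejected\n";
    } else {
        echo "$name: accepted\n";
    }
}

// The same string needs different escaping in HTML text and in a URL query string.
$q = $in['q'] ?? '';
echo "You have searched for " . htmlspecialchars($q, ENT_QUOTES, 'UTF-8') . ".\n";
echo "<a href='?search=" . urlencode($q) . "'>Search again.</a>\n";
?>
```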

3 comments

I know HTML but I am not that familiar with PHP filters. What is meant by echo? Is it like printf?
