PHP 7 Filters


Validating data = Determine if the data is in proper form.

Sanitizing data = Remove any illegal character from the data.


The PHP Filter Extension

PHP filters are used to validate and sanitize external input.

The PHP filter extension has many of the functions needed for checking user input, and is designed to make data validation easier and quicker.

The filter_list() function can be used to list what the PHP filter extension offers:

Example

<table>
  <tr>
    <td>Filter Name</td>
    <td>Filter ID</td>
  </tr>
  <?php
  foreach (filter_list() as $id => $filter) {
      echo '<tr><td>' . $filter . '</td><td>' . filter_id($filter) . '</td></tr>';
  }
  ?>
</table>

Why Use Filters?

Many web applications receive external input. External input/data can be:

  • User input from a form
  • Cookies
  • Web services data
  • Server variables
  • Database query results

You should always validate external data!
Invalid submitted data can lead to security problems and break your webpage!
By using PHP filters you can be sure your application gets the correct input!



PHP filter_var() Function

The filter_var() function both validates and sanitizes data.

The filter_var() function filters a single variable with a specified filter. It takes two pieces of data:

  • The variable you want to check
  • The type of check to use

Sanitize a String

The following example uses the filter_var() function to remove all HTML tags from a string:

Example

<?php
$str = "<h1>Hello World!</h1>";
// FILTER_SANITIZE_STRING strips HTML tags (this filter is deprecated as of PHP 8.1)
$newstr = filter_var($str, FILTER_SANITIZE_STRING);
echo $newstr;
?>

Validate an Integer

The following example uses the filter_var() function to check if the variable $int is an integer. If $int is an integer, the output of the code below will be: "Integer is valid". If $int is not an integer, the output will be: "Integer is not valid":

Example

<?php
$int = 100;

if (!filter_var($int, FILTER_VALIDATE_INT) === false) {
    echo("Integer is valid");
} else {
    echo("Integer is not valid");
}
?>

Tip: filter_var() and Problem With 0

In the example above, if $int was set to 0, the code would output "Integer is not valid": filter_var() returns the integer 0, and the ! operator treats 0 as false. To solve this problem, use the code below:

Example

<?php
$int = 0;

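// filter_var() returns the validated integer, or false on failure.
// Comparing strictly against false keeps a valid 0 from being read as a failure.
if (filter_var($int, FILTER_VALIDATE_INT) !== false) {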
    echo("Integer is valid");
} else {
    echo("Integer is not valid");
}
?>
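
Another way to handle the 0 case, as an added example that is not part of the original tutorial: the FILTER_NULL_ON_FAILURE flag makes failure distinct from every integer, and the min_range/max_range options of FILTER_VALIDATE_INT reject values outside the expected range. The function parseQuantity(), its default range and the sample inputs are constructed for illustration.

```php
<?php
// Added example. parseQuantity() and the sample inputs are constructed for
// illustration; they are not part of the original tutorial.

function parseQuantity($raw, int $min = 0, int $max = 100): ?int
{
    // With FILTER_NULL_ON_FAILURE, filter_var() returns null (not false) when
    // validation fails, so a valid 0 cannot be confused with a failure.
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// Constructed inputs: boundary values, out-of-range values and malformed strings
$samples = ['0', '42', '100', '101', '-1', '4.2', '12abc', '', '0x1A', null];

foreach ($samples as $raw) {
    $value = parseQuantity($raw);
    // Compare against null with ===, never with a loose truthiness check
    $result = ($value === null) ? 'rejected' : "accepted ($value)";
    printf("%-8s => %s\n", var_export($raw, true), $result);
}
?>
```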

Validate an IP Address

The following example uses the filter_var() function to check if the variable $ip is a valid IP address:

Example

<?php
$ip = "127.0.0.1";

if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
    echo("$ip is a valid IP address");
} else {
    echo("$ip is not a valid IP address");
}
?>

Sanitize and Validate an Email Address

The following example uses the filter_var() function to first remove all illegal characters from the $email variable, then check if it is a valid email address:

Example

<?php
$email = "john.doe@example.com";

// Remove all illegal characters from email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate e-mail
if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
    echo("$email is a valid email address");
} else {
    echo("$email is not a valid email address");
}
?>

Sanitize and Validate a URL

The following example uses the filter_var() function to first remove all illegal characters from a URL, then check if $url is a valid URL:

Example

<?php
$url = "https://www.w3schools.com";

// Remove all illegal characters from a url
$url = filter_var($url, FILTER_SANITIZE_URL);

// Validate url
if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
    echo("$url is a valid URL");
} else {
    echo("$url is not a valid URL");
}
?>
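
Two checks that the email and URL examples above leave out, as an added example that is not part of the original tutorial: checkInput() reports when a value validates only after sanitizing (so the stored value would differ from what was submitted), and isAllowedUrl() restricts the scheme, because FILTER_VALIDATE_URL checks syntax only. Both function names, the default scheme list and all sample values are constructed for illustration.

```php
<?php
// Added example. checkInput(), isAllowedUrl() and all sample values are
// constructed for illustration; they are not part of the original tutorial.

// Report whether a value is valid exactly as received, or only after sanitizing.
function checkInput(string $raw, int $sanitize, int $validate): string
{
    if (filter_var($raw, $validate) !== false) {
        return 'valid as received';
    }
    $clean = filter_var($raw, $sanitize);
    if (filter_var($clean, $validate) !== false) {
        return "invalid as received; valid only after sanitizing to '$clean'";
    }
    return 'invalid';
}

// FILTER_VALIDATE_URL checks syntax only, so allow-list the scheme separately.
function isAllowedUrl(string $raw, array $schemes = ['http', 'https']): bool
{
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return false;
    }
    $scheme = parse_url($raw, PHP_URL_SCHEME);
    return is_string($scheme) && in_array(strtolower($scheme), $schemes, true);
}

// Constructed samples; run from the command line (plain-text output)
$emails = ['john.doe@example.com', 'john(.doe)@exa//mple.com', 'not an email'];
foreach ($emails as $e) {
    echo $e, ' => ', checkInput($e, FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL), "\n";
}

$urls = ['https://www.w3schools.com', 'ftp://example.com/file',
         'mailto:john.doe@example.com', 'javascript://example.com', 'not a url'];
foreach ($urls as $u) {
    echo $u, ' => ', isAllowedUrl($u) ? 'allowed' : 'rejected', "\n";
}
?>
```

When a validated value is later written into an HTML page, it still needs output encoding such as htmlspecialchars() at that point; validation does not replace it.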

Complete PHP Filter Reference

For a complete reference of all filter functions, go to our complete PHP Filter Reference. Check each filter to see what options and flags are available.

The reference contains a brief description, and examples of use, for each function!