Introduction to PHP Filters
Few programming languages offer built-in filter features; filters are one of the value-added features of PHP. They let us filter data or strings before processing them, which helps prevent a whole class of vulnerabilities caused by untrusted input. PHP filters can be used to validate or sanitize external input. The PHP filter extension ships with a set of functions and constants we can use while coding. For example, when we take an email address from a client-side form, we should validate or sanitize it before any database-related operation. As developers, we should apply these filters according to our business needs and requirements.
Syntax
Sanitizing and filtering are among the most common operations in a web application. Here is the basic syntax:
filter_var(variable, filter, options)
The filter_var function takes three parameters; the last two, filter and options, are optional. The first is the variable we want to filter. The second says what we want to do with it (we pass the ID of one of the filters available in PHP), and the third holds filter-specific options or flags. Let us understand this with a quick example:
<?php
$int_val = 200;
// Compare against false explicitly: a valid value of 0 would otherwise
// be treated as a failed validation because 0 is falsy in PHP.
if (filter_var($int_val, FILTER_VALIDATE_INT) !== false) {
    echo "The <b>$int_val</b> is a valid integer."; // valid
} else {
    echo "The <b>$int_val</b> is not a valid integer."; // invalid
}
?>
In the above example, we use a filter to check whether the variable $int_val holds an integer value. Here is the output:
Output:
Why do we use Filters in PHP?
Many PHP web applications receive external input from the client side. The idea behind filtering is to clean user input before processing it, because we cannot expect users to enter all data correctly. Any input from an external user or system can lead to a critical security issue if it is processed unchecked.
We can use filters to sanitize data coming from various external sources, such as:
- Direct user input from a form
- Cookie data
- Data from web services
- Server variables
- Database query results
Validating and sanitizing filters together let us tell whether an input is valid and, if it is not, clean it into an acceptable form. The example section below walks through several cases.
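The following is an added example, not code from the original article: it applies the options and flags argument introduced in the syntax section to a whole form submission at once with filter_var_array(), and escapes free text on output instead of trying to "validate" it. The $submission array is constructed sample data standing in for $_POST; the field names and the age range are assumptions.

```php
<?php
// Constructed sample input; in a real application this would be $_POST
// (or filter_input_array(INPUT_POST, $rules) could be used directly).
$submission = [
    'age'     => '17',                         // below the allowed range
    'email'   => 'someone@@testmail.com',      // two @ signs
    'website' => 'https://www.educba.com/courses',
    'ip'      => '172.16.254.1',               // RFC 1918 private address
    'comment' => '<script>alert(1)</script>Hello',
];

// One rule per field; the third filter_var() argument becomes the
// 'options' / 'flags' keys here.
$rules = [
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 18, 'max_range' => 120]],
    'email'   => FILTER_VALIDATE_EMAIL,
    // Scheme and host are always required; also insist on a path.
    'website' => ['filter' => FILTER_VALIDATE_URL,
                  'flags'  => FILTER_FLAG_PATH_REQUIRED],
    // Reject private and reserved ranges, e.g. for a public-facing allow list.
    'ip'      => ['filter' => FILTER_VALIDATE_IP,
                  'flags'  => FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE],
    // Free text has no "valid" shape; keep it raw and escape it on output.
    'comment' => FILTER_UNSAFE_RAW,
];

// Returns the filtered value per field, false when a filter rejects the
// value and null when the field is absent from the input.
$result = filter_var_array($submission, $rules);

foreach ($result as $field => $value) {
    if ($value === false) {
        echo "$field: invalid\n";
    } elseif ($value === null) {
        echo "$field: missing\n";
    } else {
        // Escaping for the HTML context is separate from input filtering.
        echo "$field: " . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "\n";
    }
}
?>
```

Checking `=== false` rather than relying on truthiness matters here: a valid value such as 0 or "0" would otherwise be reported as invalid.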
Example of Filter
There are various filters available in PHP; we can list them with the filter_list() function. These filters can be used to validate or sanitize URLs, strings, numbers, IP addresses, and more.
Example #1
In this section, we will go through the filter example programs one by one.
Sanitize a String
To check whether a string passes the sanitizing filter:
<?php
$comment = "Hello word";
// Sanitizing filters return the cleaned string, or false on failure,
// so compare against false rather than relying on truthiness.
if (filter_var($comment, FILTER_SANITIZE_STRING) !== false) {
    echo "The <b>$comment</b> is a valid one."; // valid
} else {
    echo "The <b>$comment</b> is not a valid input."; // invalid
}
?>
In the above example, the sanitizing filter returns the string itself, so the condition is true and the "valid" branch runs. Note that a sanitizing filter reports a failure only in exceptional cases; it does not judge whether the content is acceptable.
Output:
Get the sanitized string as output:
<?php
$comment = "<i>Hello word</i>";
echo "Before sanitizing: " . $comment;
$comment = filter_var($comment, FILTER_SANITIZE_STRING);
echo "<br>"; // for a new line
echo "After sanitizing: " . $comment;
?>
We get two different outputs: the value before sanitizing and the value after sanitizing differ, because the PHP filter function has stripped the HTML tags. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; to render untrusted text safely in HTML, escape it on output with htmlspecialchars() instead.
Output:
Example #2
Validate an IP Address
The PHP filter function can do this job for us. Let us look at an example.
<?php
// The trailing ":40" is a port, not part of the address, so this value
// does not pass FILTER_VALIDATE_IP.
$ip_address = "172.16.254.1:40";
if (filter_var($ip_address, FILTER_VALIDATE_IP) !== false) {
    echo "The <b>$ip_address</b> is a valid one."; // valid
} else {
    echo "The <b>$ip_address</b> is not a valid input."; // invalid
}
?>
Output:
Example #3
Sanitizing and validating an email address
<?php
$email_address = "someone@@testmail.com";
echo "Before Sanitizing: " . $email_address . "<br>";
if (filter_var($email_address, FILTER_VALIDATE_EMAIL) !== false) {
    echo "The <b>$email_address</b> is a valid one."; // valid
} else {
    echo "The <b>$email_address</b> is not a valid input."; // invalid
}
echo "<br>";
// Removes characters that are not permitted in an email address.
echo "After Sanitizing: " . filter_var($email_address, FILTER_SANITIZE_EMAIL);
?>
In the above example, the email address is invalid, and the validating filter reports this. The sanitizing filter then strips any characters that are not permitted in an email address. Sanitizing does not guarantee that the result passes validation, so the sanitized value should be validated again before it is used.
Output:
<?php
$email_address = "someone@testmail.com";
if (filter_var($email_address, FILTER_VALIDATE_EMAIL) !== false) {
    echo "The <b>$email_address</b> is a valid one."; // valid
} else {
    echo "The <b>$email_address</b> is not a valid input."; // invalid
}
?>
In the above PHP code, we check whether the email address is valid.
Output:
Example #4
Sanitize and Validate URL
In this example, we check whether an input URL is valid. If it is not, the sanitizing filter strips the characters that are not permitted in a URL.
<?php
// The path contains non-ASCII characters, which are not allowed in a URL.
$URL = "https://www.educba.com/��courses�";
echo "Before Sanitizing: " . $URL . "<br>";
if (filter_var($URL, FILTER_VALIDATE_URL) !== false) {
    echo "The <b>$URL</b> is a valid one."; // valid
} else {
    echo "The <b>$URL</b> is not a valid input."; // invalid
}
echo "<br>";
// Removes every character that may not appear in a URL.
echo "After Sanitizing: " . filter_var($URL, FILTER_SANITIZE_URL);
?>
Output:
Conclusion
We should use PHP filters to validate or sanitize user input; this way, we can reject or clean dangerous input before it reaches the rest of the application. The various PHP filter functions let us validate user input and other values, and we can sanitize as well to clean a value, whether it comes from user input or is assigned directly. We should always sanitize cookie data before using it in any data processing.
Recommended Articles
This has been a guide to PHP Filters. Here we discussed the syntax, why we use filters in PHP, and several examples. You may also have a look at the following articles to learn more: