PHP Filters

Validating and Sanitizing Data with Filters

Sanitizing and validating user input is crucial in web applications. PHP provides a native filter extension to make this task simpler, allowing you to sanitize or validate data like email addresses, URLs, IP addresses, and more.

To validate data using the filter extension, you can use PHP's filter_var() function. The basic syntax for this function is:

filter_var(variable, filter, options)

This function accepts three parameters, with the last two being optional. The first parameter is the value to be filtered, the second is the filter's ID to apply, and the third is an array of filter-related options. Let's see it in action.

Sanitize a String

Here is an example that sanitizes a string by stripping all HTML tags from it:

<?php
// Sample user comment
$comment = "<h1>Hey there! How are you doing today?</h1>";

// Sanitize and print comment string
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on newer versions
// strip_tags() performs the same tag removal
$sanitizedComment = filter_var($comment, FILTER_SANITIZE_STRING);
echo $sanitizedComment;
?>

The output of the above example will be:

Hey there! How are you doing today?

Validate Integer Values

The example below checks if a value is a valid integer.

<?php
// Sample integer value
$int = 20;

// Validate sample integer value
if(filter_var($int, FILTER_VALIDATE_INT)){
    echo "The <b>$int</b> is a valid integer";
} else{
    echo "The <b>$int</b> is not a valid integer";
}
?>

In the example above, if the variable $int is set to 0, the code will display an invalid integer message: filter_var() returns the integer 0 for a valid "0", and 0 evaluates as false in the if condition, exactly like the false that filter_var() returns on failure. To resolve this, you need to specifically check for the value 0, as shown below:

<?php
// Sample integer value
$int = 0;

// Validate sample integer value
// A valid 0 and a failed validation (false) both evaluate as false in if(),
// so the value 0 is tested explicitly with the strict === operator
if(filter_var($int, FILTER_VALIDATE_INT) === 0 || filter_var($int, FILTER_VALIDATE_INT)){
    echo "The <b>$int</b> is a valid integer";
} else{
    echo "The <b>$int</b> is not a valid integer";
}
?>

Validate IP Addresses

The example below checks if the value is a valid IP address.

<?php
// Sample IP address
$ip = "172.16.254.1";

// Validate sample IP address
if(filter_var($ip, FILTER_VALIDATE_IP)){
    echo "The <b>$ip</b> is a valid IP address";
} else {
    echo "The <b>$ip</b> is not a valid IP address";
}
?>

You can also restrict validation to IPv4 or IPv6 addresses using the FILTER_FLAG_IPV4 or FILTER_FLAG_IPV6 flags. Here's an example:

<?php
// Sample IP address
$ip = "172.16.254.1";

// Validate sample IP address
if(filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)){
    echo "The <b>$ip</b> is a valid IPv6 address";
} else {
    echo "The <b>$ip</b> is not a valid IPv6 address";
}
?>

Sanitize and Validate Email Addresses

This example demonstrates how to sanitize and validate an email address.

<?php
// Sample email address
$email = "someone@@example.com";

// Remove all illegal characters from email
$sanitizedEmail = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate email address
// Strict comparison: if sanitizing changed the string, the original
// contained characters that are never legal in an email address
if($email === $sanitizedEmail && filter_var($email, FILTER_VALIDATE_EMAIL)){
    echo "The $email is a valid email address";
} else{
    echo "The $email is not a valid email address";
}
?>

Note: The FILTER_SANITIZE_EMAIL filter strips out any invalid characters from the given email address, keeping only letters, numbers, and !#$%&'*+-=?^_`{|}~@.[].


Sanitize and Validate URLs

The following example will demonstrate how to clean and check a URL for validity.

<?php
// Sample website url
$url = "http:://www.example.com";

// Remove all illegal characters from url
$sanitizedUrl = filter_var($url, FILTER_SANITIZE_URL);

// Validate website url
// Strict comparison: if sanitizing changed the string, the original
// contained characters that are never legal in a URL
if($url === $sanitizedUrl && filter_var($url, FILTER_VALIDATE_URL)){
    echo "The $url is a valid website url";
} else{
    echo "The $url is not a valid website url";
}
?>

Note: The FILTER_SANITIZE_URL filter eliminates any invalid characters from the provided URL string, leaving only letters, digits, and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

You can also verify if a URL contains a query string by utilizing the FILTER_FLAG_QUERY_REQUIRED flag, illustrated in the example below:

<?php
// Sample website url
$url = "http://www.example.com?topic=filters";

// Validate website url for query string
if(filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED)){
    echo "The <b>$url</b> contains a query string";
} else{
    echo "The <b>$url</b> does not contain a query string";
}
?>

Refer to the tutorial on HTML URL to understand the various components of a URL.


Validate Integers in a Specified Range

The next example checks if a given value is an integer and also verifies if it falls within the range of 0 to 100.

<?php
// Sample integer value
$int = 75;

// Validate sample integer value
if(filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range" => 0, "max_range" => 100)))){
    echo "The <b>$int</b> is within the range of 0 to 100";
} else{
    echo "The <b>$int</b> is not within the range of 0 to 100";
}
?>
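The following is an added example, not code from the original tutorial, that pulls the integer, email, IP and URL sections together into strict wrapper functions: each compares the filter result against false (so a valid 0 is not lost), rejects input that sanitizing would have changed, and layers the extra checks a web application usually needs on top of filter_var(). The function names and the sample inputs are constructed for this example; the FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE flags are part of the filter extension.

```php
<?php
// Added example (not from the original tutorial): strict wrappers around the
// filters shown above. Function names and sample inputs are constructed.
declare(strict_types=1);

// Integer: compare against false, because a valid 0 is also falsy.
function validateInt(string $input, int $min, int $max): ?int
{
    $result = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $result === false ? null : $result;
}

// Email: sanitize, then require that sanitizing changed nothing, since any
// change means the input carried characters that are never legal.
function validateEmail(string $input): ?string
{
    $clean = filter_var($input, FILTER_SANITIZE_EMAIL);
    if ($clean !== $input || filter_var($clean, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $clean;
}

// Public IPv4 only: the two extra flags reject private (RFC 1918) and reserved
// ranges, which matters when the address is later used in a server-side request.
function validatePublicIpv4(string $input): ?string
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    $result = filter_var($input, FILTER_VALIDATE_IP, $flags);
    return $result === false ? null : $result;
}

// URL: FILTER_VALIDATE_URL checks syntax only, so also allowlist the scheme.
function validateHttpUrl(string $input): ?string
{
    if (filter_var($input, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($input, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $input : null;
}

// Constructed inputs covering the edge cases discussed in this tutorial.
var_dump(validateInt('0', 0, 100));                  // zero, in range
var_dump(validateEmail('someone@@example.com'));     // double @
var_dump(validatePublicIpv4('172.16.254.1'));        // private range
var_dump(validatePublicIpv4('203.0.113.7'));         // documentation range
var_dump(validateHttpUrl('ftp://www.example.com/')); // scheme not allowed
```

Each function returns null on rejection rather than false, so a caller can never mistake a valid 0 or an empty string for a failure.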