Sanitizing and validating user input is crucial in web applications. PHP provides a native filter extension to make this task simpler, allowing you to sanitize or validate data like email addresses, URLs, IP addresses, and more.
To validate data using the filter extension, you can use PHP's filter_var() function. The basic syntax for this function is:
This function accepts three parameters, with the last two being optional. The first parameter is the value to be filtered, the second is the filter's ID to apply, and the third is an array of filter-related options. Let's see it in action.
Here is an example that sanitizes a string by stripping all HTML tags from it:
<?php
// Sample user comment
$comment = "<h1>Hey there! How are you doing today?</h1>";
// Sanitize and print comment string.
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; use strip_tags() to
// remove tags, or htmlspecialchars() to escape them for HTML output.
$sanitizedComment = filter_var($comment, FILTER_SANITIZE_STRING);
echo $sanitizedComment;
?>
The output of the above example will be:
The example below checks if a value is a valid integer.
<?php
// Sample integer value
$int = 20;
// Validate sample integer value
if (filter_var($int, FILTER_VALIDATE_INT)) {
    echo "The <b>$int</b> is a valid integer";
} else {
    echo "The <b>$int</b> is not a valid integer";
}
?>
In the example above, if the variable $int is set to 0, the code will display an invalid integer message, because FILTER_VALIDATE_INT returns the integer 0, which is falsy. To resolve this, you need to specifically check for the value 0, as shown below:
<?php
// Sample integer value
$int = 0;
// Validate sample integer value. FILTER_VALIDATE_INT returns false on failure,
// so the equivalent idiomatic check is: filter_var($int, FILTER_VALIDATE_INT) !== false
if (filter_var($int, FILTER_VALIDATE_INT) === 0 || filter_var($int, FILTER_VALIDATE_INT)) {
    echo "The <b>$int</b> is a valid integer";
} else {
    echo "The <b>$int</b> is not a valid integer";
}
?>
The example below checks if the value is a valid IP address.
<?php
// Sample IP address
$ip = "172.16.254.1";
// Validate sample IP address
if (filter_var($ip, FILTER_VALIDATE_IP)) {
    echo "The <b>$ip</b> is a valid IP address";
} else {
    echo "The <b>$ip</b> is not a valid IP address";
}
?>
You can also restrict validation to IPv4 or IPv6 addresses using the FILTER_FLAG_IPV4 or FILTER_FLAG_IPV6 flags. Here's an example:
<?php
// Sample IP address (an IPv4 address, so the IPv6-only check below fails)
$ip = "172.16.254.1";
// Validate sample IP address as IPv6 only
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo "The <b>$ip</b> is a valid IPv6 address";
} else {
    echo "The <b>$ip</b> is not a valid IPv6 address";
}
?>
This example demonstrates how to sanitize and validate an email address.
<?php
// Sample email address
$email = "someone@@example.com";
// Remove all illegal characters from email. Note that "@" is a legal
// character, so the duplicated "@" survives sanitization; only validation
// rejects it.
$sanitizedEmail = filter_var($email, FILTER_SANITIZE_EMAIL);
// Validate email address
// When $email comes from a request, escape it with htmlspecialchars() before echoing it.
if ($email == $sanitizedEmail && filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "The $email is a valid email address";
} else {
    echo "The $email is not a valid email address";
}
?>
Note: The FILTER_SANITIZE_EMAIL filter strips out any invalid characters from the given email address, keeping only letters, numbers, and !#$%&'*+-=?^_`{|}~@.[] .
The following example will demonstrate how to clean and check a URL for validity.
<?php
// Sample website URL
$url = "http:://www.example.com";
// Remove all illegal characters from URL. ":" is a legal character, so the
// malformed scheme survives sanitization; only validation rejects it.
$sanitizedUrl = filter_var($url, FILTER_SANITIZE_URL);
// Validate website URL
// When $url comes from a request, escape it with htmlspecialchars() before echoing it.
if ($url == $sanitizedUrl && filter_var($url, FILTER_VALIDATE_URL)) {
    echo "The $url is a valid website URL";
} else {
    echo "The $url is not a valid website URL";
}
?>
Note: The FILTER_SANITIZE_URL filter eliminates any invalid characters from the provided URL string, leaving only letters, digits, and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&= .
You can also verify that a URL contains a query string by using the FILTER_FLAG_QUERY_REQUIRED flag, as illustrated in the example below:
<?php
// Sample website URL
$url = "http://www.example.com?topic=filters";
// Validate website URL, requiring a query string
if (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED)) {
    echo "The <b>$url</b> contains a query string";
} else {
    echo "The <b>$url</b> does not contain a query string";
}
?>
Refer to the tutorial on HTML URL to understand the various components of a URL.
The next example checks if a given value is an integer and also verifies if it falls within the range of 0 to 100.
<?php
// Sample integer value
$int = 75;
// Validate sample integer value, restricted to the range 0..100
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range" => 0, "max_range" => 100)))) {
    echo "The <b>$int</b> is within the range of 0 to 100";
} else {
    echo "The <b>$int</b> is not within the range of 0 to 100";
}
?>
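The examples above validate one value at a time; the following added example (not code from the original tutorial) applies the same filters, flags and option arrays to a whole submitted form at once with filter_var_array(), and handles the falsy-but-valid 0 case with strict comparison. The field names and the $input array are constructed for illustration.

```php
<?php
// Constructed sample of submitted form data (assumed field names).
$input = [
    'email'   => 'someone@example.com',
    'website' => 'http://www.example.com?topic=filters',
    'age'     => '0',             // legitimate value that is falsy
    'client'  => '172.16.254.1',
    'score'   => '250',           // outside the allowed range
];

// One definition per field: a bare filter ID, or an array with the
// filter plus the flags/options the single-value examples above use.
$definition = [
    'email'   => FILTER_VALIDATE_EMAIL,
    'website' => ['filter' => FILTER_VALIDATE_URL,
                  'flags'  => FILTER_FLAG_QUERY_REQUIRED],
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 130]],
    'client'  => ['filter' => FILTER_VALIDATE_IP,
                  'flags'  => FILTER_FLAG_IPV4],
    'score'   => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 0, 'max_range' => 100]],
];

// Fields missing from $input come back as null, failed validations as
// false. A valid integer field may be 0, so never use a truthiness test.
$result = filter_var_array($input, $definition);

$errors = [];
foreach ($result as $field => $value) {
    if ($value === null) {
        $errors[$field] = 'missing';
    } elseif ($value === false) {
        $errors[$field] = 'invalid';
    }
}

if ($errors) {
    foreach ($errors as $field => $reason) {
        // Escape anything echoed into HTML; report the reason, not the
        // raw submitted value.
        echo htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . ": $reason<br>";
    }
} else {
    // $result['age'] is the integer 0 here, not false.
    echo "All fields valid; age is " . $result['age'];
}
?>
```

With the constructed input only the out-of-range score is rejected, while the age of 0 is accepted because the check compares against false rather than testing truthiness.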