PHP Filters: How to use filters for Validation & Sanitization & More

Here we are going to learn what PHP filters are, why we use them, and how to use them to validate, sanitize, and more.

What are Filters in PHP?

Filters are used when the incoming data is unpredictable but we want to store it in a proper, known form.

Data entered by users is the most common place where PHP filters are used.


For example, suppose we build a form for a website using PHP and HTML.

If we did not apply filters, users could type anything into any field, which we really do not want.

To fix this, we can use PHP filters to validate the input and warn users before it is submitted, and/or sanitize the submitted data into a more accurate form.

There are two kinds of filters available in PHP:

  • Validation filters: these check that the data is in the proper form.
  • Sanitizing filters: while a validation filter only checks the data, a sanitizing filter removes any illegal characters from it.

Why we use PHP Filters?

We use filters to validate or sanitize the data that we received.

Filters are used for data that is unpredictable.

We use filters for external input data such as user input, cookies, database query results, web service data, and so on.

We should always validate external data before using it, since that alone prevents most of the security problems such data can cause.

Using filters, you not only make sure the data is in the desired format but can also sanitize it when necessary.

How to Use filters?

As mentioned earlier, there are two kinds of PHP filters: the first is for validating and the second is for sanitizing data.

For both purposes we use the function filter_var().

What we want to do with the data is defined by the second parameter, the filter extension (the filter ID).

Depending on the type of data, there is a list of different filters we can choose from.

PHP filter_var() function

The function filter_var() is used for both validating and sanitizing our data.

This function needs two parameters:

  • First, the variable you want to check. We assign our data to this variable and then pass it to the function.
  • Second, the PHP filter extension, i.e. the type of check we want to run. An optional third parameter takes flags or options for that filter.

How to Sanitize a string?

Here is the Simple case of a PHP filter where we are going to sanitize a string:

<?php

// Assign our data to a variable:
$myData = "<h1>Howdy Partner!</h1>";

// Apply the filter to sanitize the string (strips the tags).
// Note: FILTER_SANITIZE_STRING is deprecated since PHP 8.1;
// use htmlspecialchars() to escape output instead.
$finalString = filter_var($myData, FILTER_SANITIZE_STRING);

// Print the sanitized data
echo $finalString;

?>

How to Validate an Integer?

We have seen how to sanitize a string; here is how you can validate an integer using a PHP filter:

<?php
$myNumber = 100;

// Note: "!" binds before "===", so this really tests whether filter_var()
// returned something truthy (see "Working with 0" below).
if (!filter_var($myNumber, FILTER_VALIDATE_INT) === false) {
  echo("This number is valid");
} else {
  echo("This number is not valid");
}
?>

Working with 0

This check only works if the given integer is not 0.

If it is 0, you will see the message that the integer is not valid, which is not true: filter_var() returns the integer 0, the "!" turns that 0 into true, and true === false fails.

To solve this, instead of a single condition we can use two conditions.

The code would go something like this:

<?php
$int = 0;

// Accept 0 explicitly, then fall back to the truthiness check.
// (Writing filter_var($int, FILTER_VALIDATE_INT) !== false would also
// handle 0, because the strict comparison does not treat 0 as false.)
if (filter_var($int, FILTER_VALIDATE_INT) === 0 || !filter_var($int, FILTER_VALIDATE_INT) === false) {
  echo("Integer is valid");
} else {
  echo("Integer is not valid");
}
?>

How to Validate an IP address

If you have to validate an IP address, here is how we can do it:

<?php
$ip = "127.0.0.1";

// FILTER_VALIDATE_IP returns the address string on success, false otherwise
if (!filter_var($ip, FILTER_VALIDATE_IP) === false) {
  echo("$ip is a valid IP address");
} else {
  echo("$ip is not a valid IP address");
}

How to Sanitize & Validate an Email address

If you want only the email address and want to remove all illegal characters from the email string, here is how we do it:

<?php
// Constructed sample address (the address on the original page was obfuscated)
$email = "user@example.com";

// Remove all illegal characters from the email
$email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate the e-mail address
if (!filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
  echo("$email is a valid email address");
} else {
  echo("$email is not a valid email address");
}


Sanitize and Validate a URL

Similar to email, PHP also has filter extensions for sanitizing and validating a URL.

Here is how we can sanitize and validate a URL in PHP:

<?php
$url = "https://rahulbodana.com";

// Remove all illegal characters from the URL
$url = filter_var($url, FILTER_SANITIZE_URL);

// Validate the URL
if (!filter_var($url, FILTER_VALIDATE_URL) === false) {
  echo("$url is a valid URL");
} else {
  echo("$url is not a valid URL");
}

Advanced PHP Filters

Sometimes, for some types of data, a PHP filter on its own is not enough.

In those cases we combine filter_var() with extra options or conditions to build a better filter.

Validate an Integer within a Range

Using filter_var() with the options parameter, we can check that a variable is an integer and that it falls within a given range of numbers.

Here is how we can validate an integer within a range:

<?php
$int = 12;
$min = 1;
$max = 20;

// The third parameter carries the filter options; here, the allowed range
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {
  echo("Variable value is not within the legal range");
} else {
  echo("Variable value is within the legal range");
}

Validate IPv6 Address

Here is another example, showing how to validate an IPv6 address by passing a flag as the third parameter:

<?php
$ip = "2001:0db8:85a3:08d3:1319:8a2e:0370:7334";

// FILTER_FLAG_IPV6 restricts the check to IPv6 addresses only
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
  echo("$ip is a valid IPv6 address");
} else {
  echo("$ip is not a valid IPv6 address");
}
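Putting the filters above together, here is an added example (not from the original article) that validates a whole form submission in one call with filter_var_array(), the array counterpart of filter_var(). The field names, range limits and sample submission are constructed for this example.

```php
<?php
// Added example: validate a complete form submission with filter_var_array().
// Field names, limits and the sample data below are constructed for illustration.

function validateSignupForm(array $input): array
{
    // One filter definition per expected field. Fields not listed here are
    // dropped; missing fields come back as null and failed fields as false.
    $definition = [
        'age'     => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 0, 'max_range' => 120],
        ],
        'email'   => FILTER_VALIDATE_EMAIL,
        'website' => FILTER_VALIDATE_URL,
        'client'  => [
            'filter' => FILTER_VALIDATE_IP,
            'flags'  => FILTER_FLAG_IPV6,
        ],
    ];

    $result = filter_var_array($input, $definition);

    $errors = [];
    foreach ($result as $field => $value) {
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            // Strict comparison: a valid age of 0 is (int) 0, not false,
            // so it is accepted here instead of being misreported.
            $errors[$field] = 'invalid';
        }
    }

    return ['valid' => $errors === [], 'data' => $result, 'errors' => $errors];
}

// Constructed sample submission: age is the string "0", the website field
// is absent, the e-mail address is malformed, and one unexpected field is sent.
$submission = [
    'age'    => '0',
    'email'  => 'not-an-address',
    'client' => '2001:db8::1',
    'extra'  => 'ignored',
];

$report = validateSignupForm($submission);
var_dump($report['valid']);
print_r($report['errors']);
var_dump($report['data']['age']);
```

With this submission the report marks email as invalid and website as missing, while age 0 is accepted as an integer and the unexpected field never reaches the validated data.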

That is not all: PHP has many other filters as well.

You can check all of the PHP filter extensions and functions on – https://www.w3schools.com/php/php_ref_filter.asp.

About Rahul Bodana

Rahul Bodana is passionate about sharing his knowledge with others and providing useful tutorials and how-to guides. In addition to programming, he also shares information on a variety of topics, including investment, trading, gaming, and writing.