Sanitizing & Validating Input Using filter_var

Lunarcafe Does Filters

Method

Make sure the variable is defined: $email = "johndoe@doe.com";

This is one method: $email = filter_var($email, FILTER_VALIDATE_EMAIL); It returns the address if it is a valid e-mail address and FALSE otherwise. FILTER_SANITIZE_EMAIL could have been used instead of FILTER_VALIDATE_EMAIL to strip disallowed characters rather than reject the value.

Using an Array

Create your array: $options = array('options' => array('min_range' => 1, 'max_range' => 10)); The keys must be named min_range and max_range, and they must sit inside the 'options' key or filter_var will ignore them, BTW.

Then pass the array to the validation script: $integer = filter_var($integer, FILTER_VALIDATE_INT, $options); filter_var returns the integer if it lies within the range and FALSE if it does not, so test for FALSE with a strict comparison (a valid 0 would fail a loose == TRUE test): if ($integer !== false) { /* do some code here */ }

Flags

Make sure the variable is defined $ip_address = "122.154.91.62";

Create the script: $ip_address = filter_var($ip_address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4); As the table below shows, FILTER_FLAG_IPV4 restricts the check to a normal (IPv4) address; several flags can be combined with |.
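The three methods above (a plain filter, an options array and a flag) combined into one form-validation function, as an added example that is not part of the original page; the input array and the field names email, quantity and ip are constructed for illustration:

```php
<?php
// Added example (not from the original page): validating form fields with
// filter_var() using a plain filter, an options array and flags.
// The $sample array below is constructed input, not a real request.
declare(strict_types=1);

function validateSignup(array $input): array
{
    $errors = [];

    // 1. Plain validate filter: returns the address on success, FALSE on failure.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    }

    // 2. Options array: min_range/max_range must sit under the "options" key.
    //    Compare with !== false, not == TRUE: a valid 0 would otherwise count as failure.
    $qty = filter_var(
        $input['quantity'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 10]]
    );
    if ($qty === false) {
        $errors[] = 'quantity must be an integer between 0 and 10';
    }

    // 3. Flags: require a public IPv4 address (flags are OR-ed together).
    $ip = filter_var(
        $input['ip'] ?? '',
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    if ($ip === false) {
        $errors[] = 'ip must be a public IPv4 address';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'values' => ['email' => $email, 'quantity' => $qty, 'ip' => $ip],
    ];
}

// Constructed sample: quantity 0 is valid (and stays int 0), the IP is private.
$sample = ['email' => 'johndoe@doe.com', 'quantity' => '0', 'ip' => '192.168.0.1'];
$result = validateSignup($sample);
var_dump($result['values']['quantity']); // int(0), not FALSE
print_r($result['errors']);              // only the ip error is reported
```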

There are a few more examples below

Filter / Flag: Explanation

FILTER_SANITIZE_STRING: Removes data that is potentially harmful for your application. It strips tags and removes or encodes unwanted characters.
    FILTER_FLAG_NO_ENCODE_QUOTES: Does not encode quotes
    FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
    FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
    FILTER_FLAG_ENCODE_LOW: Encode characters with ASCII value below 32
    FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
    FILTER_FLAG_ENCODE_AMP: Encode the & character as &#38;
FILTER_SANITIZE_STRIPPED: Alias of FILTER_SANITIZE_STRING, shown above.
FILTER_SANITIZE_ENCODED: Strips or URL-encodes unwanted characters. Similar to urlencode(). Optional flags:
    FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
    FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
    FILTER_FLAG_ENCODE_LOW: Encode characters with ASCII value below 32
    FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
FILTER_SANITIZE_SPECIAL_CHARS: HTML-escapes '"<>& and characters with ASCII value less than 32; optionally strips or encodes other special characters.
    FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
    FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
    FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
FILTER_SANITIZE_EMAIL: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
FILTER_SANITIZE_URL: Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
FILTER_SANITIZE_NUMBER_INT: Removes all illegal characters from an integer
FILTER_SANITIZE_NUMBER_FLOAT: Removes all illegal characters from a float number
FILTER_SANITIZE_MAGIC_QUOTES: Applies the addslashes() function to a string.
FILTER_VALIDATE_INT: Validates value as an integer.
    min_range (option): specifies the minimum integer value
    max_range (option): specifies the maximum integer value
    FILTER_FLAG_ALLOW_OCTAL: Allows octal number values
    FILTER_FLAG_ALLOW_HEX: Allows hexadecimal number values
FILTER_VALIDATE_BOOLEAN: Validates value as a boolean option
FILTER_VALIDATE_FLOAT: Validates value as a float number.
FILTER_VALIDATE_REGEXP: Validates value against a Perl-compatible regular expression, e.g.
    var_dump(filter_var($string, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^M(.*)/"))));
FILTER_VALIDATE_URL: Validates value as a URL
    FILTER_FLAG_SCHEME_REQUIRED: Requires the URL to be an RFC-compliant URL (like http://example)
    FILTER_FLAG_HOST_REQUIRED: Requires the URL to include a host name (like http://www.example.com)
    FILTER_FLAG_PATH_REQUIRED: Requires the URL to have a path after the domain name (like www.example.com/example1/test2/)
    FILTER_FLAG_QUERY_REQUIRED: Requires the URL to have a query string (like example.php?name=Peter&age=37)
FILTER_VALIDATE_EMAIL: Validates value as an e-mail address.
FILTER_VALIDATE_IP: Validates value as an IPv4 or IPv6 address.
    FILTER_FLAG_IPV4: Requires the value to be a valid IPv4 address (like 255.255.255.255)
    FILTER_FLAG_IPV6: Requires the value to be a valid IPv6 address (like 2001:0db8:85a3:08d3:1319:8a2e:0370:7334)
    FILTER_FLAG_NO_PRIV_RANGE: Requires the value to be an RFC-specified IP not within a private range (like 192.168.0.1, 10.0.0.1,
    FILTER_FLAG_NO_RES_RANGE: Requires that the value is not within a reserved IP range. This flag takes both IPv4 and IPv6 values. A reserved IP could be 255.255.255.255 (broadcast address).
Filter Examples

    $email = filter_var($email, FILTER_VALIDATE_EMAIL);    // returns the address, or FALSE if it is invalid
    $ip = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    $string = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
    $url = filter_var($url, FILTER_VALIDATE_URL);
    $string = filter_var($string, FILTER_VALIDATE_REGEXP, array("options"=>array("regexp"=>"/^M(.*)/")));
    $number = filter_var($number, FILTER_SANITIZE_NUMBER_INT);
    $int_options = array("options"=> array("min_range"=>0, "max_range"=>256));
    $int = filter_var($int, FILTER_VALIDATE_INT, $int_options);

PHP Filters are a very powerful yet very easy method to validate or sanitise form data before it enters a database. It takes a minimum of code to produce an excellent method of protecting your database.

Notice that you can use an options array or a regex within the call to determine what gets validated or which values are required. Validate filters return the value on success and FALSE on failure; sanitize filters return the value with unwanted characters cleaned up or removed.

Using filter_var is in many cases a good way of not having to write your own regex to validate form input. For instance, it can be used to strip harmful tags out of strings and to validate IP addresses and numbers. You can validate URLs that would otherwise need regexes two miles long. This is an excellent way to shorten your code and be every bit as effective. Remember that if you use FILTER_SANITIZE_STRING to sanitize posts or long paragraphs it will strip out any HTML you may have within, such as links.
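Added example (not from the original page) showing what the sanitize filters actually change, including the link-stripping behaviour just mentioned, and why a sanitized value should still be validated; all input strings are constructed samples:

```php
<?php
// Added example (not from the original page): what the sanitize filters do
// to input, and why a sanitized value still needs validating.
// Every input string below is a constructed sample.
declare(strict_types=1);

function sanitizeDemo(): array
{
    $out = [];

    // A post containing a link. FILTER_SANITIZE_STRING strips the <a> tag,
    // so the link is lost (the warning at the end of the page), and with
    // FILTER_FLAG_ENCODE_AMP the & becomes &#38;.
    // Caveat: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. To show
    // untrusted text in HTML, FILTER_SANITIZE_SPECIAL_CHARS (or
    // htmlspecialchars() at output time) keeps the text and encodes the
    // markup instead of deleting it.
    $post = 'See <a href="https://example.com/a?x=1&y=2">this</a> & reply';
    $out['stripped'] = filter_var($post, FILTER_SANITIZE_STRING, FILTER_FLAG_ENCODE_AMP);
    $out['encoded']  = filter_var($post, FILTER_SANITIZE_SPECIAL_CHARS);

    // Sanitize quietly repairs instead of rejecting: the space and the
    // parentheses are removed, and only then does the value pass validation.
    // The stored address is therefore not what the user typed.
    $raw = 'john (doe)@doe.com';
    $out['email_clean'] = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $out['email_valid'] = filter_var($out['email_clean'], FILTER_VALIDATE_EMAIL);

    // Same difference for numbers: sanitize keeps only digits and signs,
    // validate rejects the whole value. For anything that ends up in a
    // query or a range check, validate and report the rejection to the user.
    $typed = '12abc3';
    $out['number_sanitized'] = filter_var($typed, FILTER_SANITIZE_NUMBER_INT);
    $out['number_validated'] = filter_var($typed, FILTER_VALIDATE_INT);

    return $out;
}

var_dump(sanitizeDemo());
```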