Sanitizing & Validating Input Using filter_var

Examples at bottom of table

Filter_var Support

Using filter_var is in many cases a good way to avoid writing regexes to validate form input. For instance, it can be used to strip harmful tags out of strings and to validate IP addresses and numbers. You can validate URLs that would otherwise need a regex two miles long. This is an excellent way to shorten your code and be every bit as effective. Remember that if you use FILTER_SANITIZE_STRING to sanitize posts or long paragraphs, it will strip out any HTML they contain.

Filter / Flag / Explanation

FILTER_SANITIZE_STRING: Removes data that is potentially harmful for your application. It strips tags and removes or encodes unwanted characters. Optional flags:
  FILTER_FLAG_NO_ENCODE_QUOTES: Do not encode quotes
  FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
  FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
  FILTER_FLAG_ENCODE_LOW: Encode characters with ASCII value below 32
  FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
  FILTER_FLAG_ENCODE_AMP: Encode the & character as an HTML entity
FILTER_SANITIZE_STRIPPED: Alias of FILTER_SANITIZE_STRING, shown above.
FILTER_SANITIZE_ENCODED: Strips or URL-encodes unwanted characters, similar to urlencode(). Optional flags:
  FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
  FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
  FILTER_FLAG_ENCODE_LOW: Encode characters with ASCII value below 32
  FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
FILTER_SANITIZE_SPECIAL_CHARS: HTML-escapes '"<>& and characters with ASCII value below 32; optionally strips or encodes other special characters. Optional flags:
  FILTER_FLAG_STRIP_LOW: Strip characters with ASCII value below 32
  FILTER_FLAG_STRIP_HIGH: Strip characters with ASCII value above 127
  FILTER_FLAG_ENCODE_HIGH: Encode characters with ASCII value above 127
FILTER_SANITIZE_EMAIL: Removes all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
FILTER_SANITIZE_URL: Removes all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
FILTER_SANITIZE_NUMBER_INT: Removes all illegal characters from an integer.
FILTER_SANITIZE_NUMBER_FLOAT: Removes all illegal characters from a float.
FILTER_SANITIZE_MAGIC_QUOTES: Applies the addslashes() function to a string.
FILTER_VALIDATE_INT: Validates value as an integer. Options and flags:
  min_range: specifies the minimum integer value
  max_range: specifies the maximum integer value
  FILTER_FLAG_ALLOW_OCTAL: allows octal number values
  FILTER_FLAG_ALLOW_HEX: allows hexadecimal number values
FILTER_VALIDATE_BOOLEAN: Validates value as a boolean option.
FILTER_VALIDATE_FLOAT: Validates value as a float.
FILTER_VALIDATE_REGEXP: Validates value against a Perl-compatible regular expression, e.g.
  var_dump(filter_var($string, FILTER_VALIDATE_REGEXP, array("options" => array("regexp" => "/^M(.*)/"))));
FILTER_VALIDATE_URL: Validates value as a URL. Optional flags:
  FILTER_FLAG_SCHEME_REQUIRED: Requires the URL to be an RFC-compliant URL (like http://example)
  FILTER_FLAG_HOST_REQUIRED: Requires the URL to include a host name (like http://www.example.com)
  FILTER_FLAG_PATH_REQUIRED: Requires the URL to have a path after the domain name (like www.example.com/example1/test2/)
  FILTER_FLAG_QUERY_REQUIRED: Requires the URL to have a query string (like example.php?name=Peter&age=37)
FILTER_VALIDATE_EMAIL: Validates value as an e-mail address.
FILTER_VALIDATE_IP: Validates value as an IPv4 or IPv6 address. Optional flags:
  FILTER_FLAG_IPV4: Requires the value to be a valid IPv4 address (like 255.255.255.255)
  FILTER_FLAG_IPV6: Requires the value to be a valid IPv6 address (like 2001:0db8:85a3:08d3:1319:8a2e:0370:7334)
  FILTER_FLAG_NO_PRIV_RANGE: Requires the value to be an RFC-specified IP that is not within a private range (like 192.168.0.1, 10.0.0.1, ...)
  FILTER_FLAG_NO_RES_RANGE: Requires that the value is not within a reserved IP range. This flag takes both IPv4 and IPv6 values. A reserved IP could be 255.255.255.255 (the broadcast address).
Filter examples

Validate an IP address (e.g. 200.31.158.205):
$ip = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);

Filter a string (NOTE: a flag is not required unless you are using the filter for specific functions):
$string = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);

Sanitize an email address ($mail = "goodoff@dot.com"). This will strip illegal characters out of the email:
$mail = filter_var($mail, FILTER_SANITIZE_EMAIL);

FILTER_VALIDATE_INT (validate as an integer). Note the use of min_range / max_range (again not required; with bounds of 1 and 100 this would validate that the integer is between 1 and 100, similar to a regex). You can use arrays for option definition:
$int_options = array("options" => array("min_range" => 0, "max_range" => 256));
$int = filter_var($int, FILTER_VALIDATE_INT, $int_options);
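As an added example (not code from the original page), here is a form-validation function that combines the validate filters and flags from the table above and shows the strict false/null checks they require; validate_submission(), the field names and the sample input are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the original page: validate a constructed form
// submission with the validate filters and flags listed in the table above.
// validate_submission() and the field names are assumptions for illustration.
declare(strict_types=1);

// Returns ['ok' => true, 'data' => [...]] or ['ok' => false, 'errors' => [...]].
// FILTER_VALIDATE_* filters return false on failure, so every check compares
// with === false: the input "0" is a valid integer whose result 0 is falsy and
// would be taken for a failure by a plain if (!$value) test.
function validate_submission(array $input): array
{
    $errors = [];
    $data   = [];

    // Integer with an inclusive range via the min_range / max_range options.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 120]]);
    if ($age === false) { $errors['age'] = 'must be an integer between 1 and 120'; }
    else                { $data['age'] = $age; }

    // Public IPv4 only: flags combine with |, rejecting private and reserved ranges.
    $ip = filter_var($input['ip'] ?? '', FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ip === false) { $errors['ip'] = 'must be a public IPv4 address'; }
    else               { $data['ip'] = $ip; }

    // Validate the address rather than only sanitizing it: FILTER_SANITIZE_EMAIL
    // strips characters but never says whether what is left is an address.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) { $errors['email'] = 'invalid e-mail address'; }
    else                  { $data['email'] = $email; }

    // Boolean: without FILTER_NULL_ON_FAILURE, "no" and garbage both return false.
    $optin = filter_var($input['optin'] ?? '', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
    if ($optin === null) { $errors['optin'] = 'must be yes/no, on/off, true/false or 1/0'; }
    else                 { $data['optin'] = $optin; }

    return $errors ? ['ok' => false, 'errors' => $errors] : ['ok' => true, 'data' => $data];
}

// Constructed sample: valid age, private IP, malformed e-mail, valid boolean.
print_r(validate_submission(['age' => '37', 'ip' => '192.168.0.1',
    'email' => 'peter@@example.com', 'optin' => 'yes']));
```

FILTER_SANITIZE_STRING, FILTER_SANITIZE_STRIPPED and FILTER_SANITIZE_MAGIC_QUOTES from the table are deprecated as of PHP 8.1, so prefer the validate filters shown here and call htmlspecialchars() at the point of output for anything echoed into HTML.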