PHP | Filter and Filter Constant

PHP Filter is an extension that filters the data by either sanitizing or validating it. It plays a crucial role in security of a website, especially useful when the data originates from unknown or foreign sources, like user supplied input. For example data from a HTML form.

There are mainly two types of filters which are listed below:

• Validation: is used to validate or check if the data meets certain qualifications or not. For example, passing in FILTER_VALIDATE_URL will determine if the data is a valid url, but it will not change the existing data by itself.
• Sanitization: unlike validation, sanitization will sanitize data so as to ensure that no undesired characters by removing or altering the data. For example passing in FILTER_SANITIZE_EMAIL will remove all the characters that are inappropriate for an email address to contain. That said, it does not validate the data.

Example 1: PHP program to validate URL using FILTER_VALIDATE_URL filter.

Example 2: PHP program to validate email using FILTER_VALIDATE_EMAIL filter.

Filter Functions: The filter function is used to filter the data coming from insecure source.

• filter_var(): Filters a specific variable
• filter_var_array():Filters multiple variable i.e. array of variable
• filter_has_var(): Check if the variable of specific input type exists or not
• filter_id():helps to get filter id of the specified filter name
• filter_list():Returns a list of supported filter name in the form of array.
• filter_input():Gets an external variable and filters it if set to do so.
• filter_input_array():same as filter_input() but here Gets multiple variables i.e. array of variable and filters them if set to do so.

Predefined Filter Constants: There are many predefined filter constants which are listed below:

• Validate filter constants:
  • FILTER_VALIDATE_BOOLEAN: Validates a boolean
  • FILTER_VALIDATE_INT: Validates an integer
  • FILTER_VALIDATE_FLOAT: Validates a float
  • FILTER_VALIDATE_REGEXP: Validates a regular expression
  • FILTER_VALIDATE_IP: Validates an IP address
  • FILTER_VALIDATE_EMAIL: Validates an e-mail address
  • FILTER_VALIDATE_URL: Validates an URL
• Sanitize filter constants:
  • FILTER_SANITIZE_EMAIL: Removes all illegal characters from an e-mail address
  • FILTER_SANITIZE_ENCODED: Removes/Encodes special characters
  • FILTER_SANITIZE_MAGIC_QUOTES: Apply addslashes() function
  • FILTER_SANITIZE_NUMBER_FLOAT: Remove all characters, except digits, +- and optionally ., eE
  • FILTER_SANITIZE_NUMBER_INT: Removes all characters except digits and + –
  • FILTER_SANITIZE_SPECIAL_CHARS: Removes special characters
  • FILTER_SANITIZE_FULL_SPECIAL_CHARS Encoding quotes can be disabled by using FILTER_FLAG_NO_ENCODE_QUOTES.
  • FILTER_SANITIZE_STRING : Removes tags/special characters from a string
  • FILTER_SANITIZE_STRIPPED : Alias of FILTER_SANITIZE_STRING
  • FILTER_SANITIZE_URL: Removes all illegal character from s URL
• Other filter constants:
  • FILTER_UNSAFE_RAW :Do nothing, optionally strip/encode special characters
  • FILTER_CALLBACK :Call a user-defined function to filter data

Note: PHP filters are enabled by defaults in PHP 5.2.0 and newer versions. Installation requires for older versions.

Reference: http://php.net/manual/en/filter.filters.sanitize.php