PHP Filter is an extension that filters data by either sanitizing or validating it. It plays a crucial role in the security of a website and is especially useful when the data originates from unknown or foreign sources, such as user-supplied input, for example data from an HTML form.
There are mainly two types of filters, listed below:
- Validation: checks whether the data meets certain criteria. For example, passing FILTER_VALIDATE_URL determines whether the data is a valid URL, but it does not change the data itself.
- Sanitization: unlike validation, sanitization alters the data by removing or encoding undesired characters. For example, passing FILTER_SANITIZE_EMAIL removes all characters that an e-mail address may not contain. That said, it does not validate the data.
Example 1: PHP program to validate URL using FILTER_VALIDATE_URL filter.
Example 2: PHP program to validate email using FILTER_VALIDATE_EMAIL filter.
Filter Functions: The filter functions are used to filter data coming from an insecure source.
- filter_var(): Filters a single variable
- filter_var_array(): Filters multiple variables, i.e. an array of variables
- filter_has_var(): Checks whether a variable of the specified input type exists
- filter_id(): Returns the filter ID of the specified filter name
- filter_list(): Returns the names of the supported filters as an array
- filter_input(): Gets an external variable and optionally filters it
- filter_input_array(): Like filter_input(), but gets multiple external variables (an array) and optionally filters them
Predefined Filter Constants: There are many predefined filter constants, listed below:
- Validate filter constants:
  - FILTER_VALIDATE_BOOLEAN: Validates a boolean
  - FILTER_VALIDATE_INT: Validates an integer
  - FILTER_VALIDATE_FLOAT: Validates a float
  - FILTER_VALIDATE_REGEXP: Validates a value against a regular expression
  - FILTER_VALIDATE_IP: Validates an IP address
  - FILTER_VALIDATE_EMAIL: Validates an e-mail address
  - FILTER_VALIDATE_URL: Validates a URL
- Sanitize filter constants:
  - FILTER_SANITIZE_EMAIL: Removes all illegal characters from an e-mail address
  - FILTER_SANITIZE_ENCODED: URL-encodes the string, optionally removing or encoding special characters
  - FILTER_SANITIZE_MAGIC_QUOTES: Applies the addslashes() function (deprecated in PHP 7.3, removed in PHP 8.0)
  - FILTER_SANITIZE_NUMBER_FLOAT: Removes all characters except digits, + and -, and optionally ., e and E
  - FILTER_SANITIZE_NUMBER_INT: Removes all characters except digits, + and -
  - FILTER_SANITIZE_SPECIAL_CHARS: HTML-encodes special characters
  - FILTER_SANITIZE_FULL_SPECIAL_CHARS: HTML-encodes special characters including quotes; encoding of quotes can be disabled with FILTER_FLAG_NO_ENCODE_QUOTES
  - FILTER_SANITIZE_STRING: Strips tags and removes or encodes special characters from a string (deprecated since PHP 8.1)
  - FILTER_SANITIZE_STRIPPED: Alias of FILTER_SANITIZE_STRING (likewise deprecated)
  - FILTER_SANITIZE_URL: Removes all illegal characters from a URL
- Other filter constants:
  - FILTER_UNSAFE_RAW: Does nothing, optionally strips or encodes special characters
  - FILTER_CALLBACK: Calls a user-defined function to filter the data
Note: PHP filters are enabled by default in PHP 5.2.0 and newer; older versions require installing the extension.
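As an added example that is not part of the original page, a single PHP 8 script that covers Examples 1 and 2 with filter_var(), shows why sanitizing does not replace validating, and uses filter_var_array() with per-field options and flags; all input values are constructed for the demonstration:

```php
<?php
// Added example (not the page's own code). Requires PHP 8.0+ for union return types.
// All input values below are constructed for this demonstration.

// Example 1: FILTER_VALIDATE_URL returns the URL itself or false; it never alters the data.
function validateUrl(string $candidate): string|false
{
    return filter_var($candidate, FILTER_VALIDATE_URL);
}

// Example 2: FILTER_VALIDATE_EMAIL has the same contract as above.
function validateEmail(string $candidate): string|false
{
    return filter_var($candidate, FILTER_VALIDATE_EMAIL);
}

// Sanitizing strips characters an address may not contain, but the result is
// not guaranteed to be a valid address, so validation must still run afterwards.
function sanitizeThenValidateEmail(string $raw): string|false
{
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    return validateEmail($clean);
}

// filter_var_array() applies one definition per field. In the result, false means
// "present but failed the filter" and null means "field was missing from the input".
function validateForm(array $input): array
{
    $definition = [
        'age'       => ['filter'  => FILTER_VALIDATE_INT,
                        'options' => ['min_range' => 1, 'max_range' => 120]],
        'client_ip' => ['filter'  => FILTER_VALIDATE_IP,
                        'flags'   => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE],
        'homepage'  => FILTER_VALIDATE_URL,
        'email'     => FILTER_VALIDATE_EMAIL,
    ];
    return filter_var_array($input, $definition);
}

var_dump(validateUrl('https://www.geeksforgeeks.org'));    // the URL string: valid
var_dump(validateUrl('geeksforgeeks.org'));                // false: no scheme
var_dump(validateEmail('user@example.com'));               // the address string: valid
var_dump(sanitizeThenValidateEmail('us(er)@exam ple.com')); // "user@example.com": parentheses and space removed
var_dump(validateForm([
    'age'       => '42',         // int(42): inside the allowed range
    'client_ip' => '10.0.0.5',   // false: private range rejected by FILTER_FLAG_NO_PRIV_RANGE
    'homepage'  => 'not a url',  // false: fails FILTER_VALIDATE_URL
    // 'email' deliberately omitted: reported as NULL, not false
]));
```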