PHP5 Filter Functions Part 1

14th March 2008

The filter functions are part of the PECL library and should come as standard on most PHP 5 installs. If they aren't there then ask your server administrator to install them.

The filter functions were created so that developers do not have to write lots of unmaintainable code to check the validity of variables and to sanitize those variables once validated. So rather than using many different functions and regular expressions to tell if a value is a number, a boolean or even a URL, you can just use these filter functions.

The main functions that you might be interested in are filter_var() and filter_input(). The filter_var() function is used to validate a single input. Its parameters are:

  • Variable: The variable to be tested.
  • Filter: The filter to test the variable against.
  • Options (optional): Associative array of options or bitwise disjunction of flags.

To use the filter_var() function you just pass it a variable and an appropriate filter. So to test if a variable is a number you just pass in the filter called FILTER_VALIDATE_INT.

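    $int = 746;
    // filter_var() returns the filtered value on success and false on failure,
    // so compare strictly: a valid 0 would otherwise be treated as a failure.
    if ( filter_var($int, FILTER_VALIDATE_INT) !== false ) {
        echo 'Value is an integer';
    } else {
        echo 'Value is not an integer';
    }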

Testing to see if a user has put in a correctly formatted email address is a common task, and to do this just use the FILTER_VALIDATE_EMAIL filter.

    $email = 'user@example.com'; // placeholder address
    if ( filter_var($email, FILTER_VALIDATE_EMAIL) !== false ) {
        echo 'Email passed';
    } else {
        echo 'Invalid Email';
    }

The same thing can be done with a URL.

    $url = 'http://www.hashbangcode.com';
    if ( filter_var($url, FILTER_VALIDATE_URL) !== false ) {
        echo 'Valid URL';
    } else {
        echo 'Not a valid URL';
    }

The options parameter can be used for a number of circumstances. Validating that a variable is a number is fine, but a more useful way of validating a number is to use a range. To create a range for the FILTER_VALIDATE_INT filter you need to use an associative array built like this.

    $int_options = array('options' => array(
        'min_range' => 0,
        'max_range' => 256)
    );

Which can then be fed into the filter_var() function like this.

    $int = 123;
    // Compare against false strictly: 0 is inside the range but is falsy.
    if ( filter_var($int, FILTER_VALIDATE_INT, $int_options) !== false ) {
        echo 'Integer within range';
    } else {
        echo 'Integer outside range';
    }

The filter_input() function is used in much the same way, but in this case there is an additional first parameter. This tells PHP where to get the variable from, which can be one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV.

For example, to filter a $_POST request all you need to do is drop in the INPUT_POST type and then name the key of the $_POST array that you want to test.

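    $test = filter_input(INPUT_POST, 'test', FILTER_VALIDATE_INT);
    // null means 'test' was not submitted; false means it failed validation.
    if ( $test !== null && $test !== false ) {
        echo 'Test is integer';
    } else {
        echo 'Test is NOT integer';
    }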

You can check to see whether a variable is present in a given input type by using the filter_has_var() function.

    // filter_has_var() returns true when the variable exists, so negate it here.
    if ( !filter_has_var(INPUT_POST, 'url') ) {
        echo 'Input not found.';
    }

However, this is not the only use of the filter functions; they can also be used to sanitize input. For example, a common practice is to convert HTML tags so that they are displayed as text rather than interpreted by the browser. Using the FILTER_SANITIZE_SPECIAL_CHARS filter on a string with the filter_var() function will convert the HTML special characters to their numeric character references.

    $test = '<strong>Test Text!</strong>';
    echo filter_var($test, FILTER_SANITIZE_SPECIAL_CHARS);

Will print...

&#60;strong&#62;Test Text!&#60;/strong&#62;
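
The validation and sanitizing filters above combined in one function, as an added example that is not part of the original article. validate_profile(), the field names and the sample values are assumptions; it compares every result strictly against false so that a valid 0 is accepted, and it restricts the URL scheme because FILTER_VALIDATE_URL checks syntax only.

```php
<?php
// Added example; validate_profile() and the field names are hypothetical.
function validate_profile($input)
{
    // Treat missing fields as null so they fail validation below.
    $input += array('age' => null, 'email' => null, 'homepage' => null, 'bio' => '');
    $clean = $errors = array();

    // filter_var() returns the filtered value or false, so a valid 0 has to
    // be told apart from false with a strict comparison.
    $age = filter_var($input['age'], FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 0, 'max_range' => 256)));
    if ($age === false) {
        $errors[] = 'age';
    } else {
        $clean['age'] = $age;
    }

    $email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email';
    } else {
        $clean['email'] = $email;
    }

    // FILTER_VALIDATE_URL checks syntax only and accepts any scheme, so the
    // scheme is restricted separately.
    $url = filter_var($input['homepage'], FILTER_VALIDATE_URL);
    $scheme = ($url === false) ? '' : strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (in_array($scheme, array('http', 'https'), true)) {
        $clean['homepage'] = $url;
    } else {
        $errors[] = 'homepage';
    }

    // Sanitizing encodes the text for HTML output; it does not validate it.
    $clean['bio'] = filter_var($input['bio'], FILTER_SANITIZE_SPECIAL_CHARS);
    return array($clean, $errors);
}

// Constructed sample input: age 0 is valid, the homepage is not http(s).
$sample = array(
    'age'      => '0',
    'email'    => 'user@example.com',
    'homepage' => 'ftp://example.com/file.txt',
    'bio'      => '<strong>Test Text!</strong>',
);
list($clean, $errors) = validate_profile($sample);
var_dump($clean, $errors);
```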

To see a full list of the filters and sanitizer flags available take a look at the filter page on the PHP website.

Comments

Excellent, good tutorial.

joseBedoya (Thu, 03/27/2008 - 19:48)
