PHP Filter Introduction

PHP filters are used to validate and sanitize data coming from insecure sources, such as user input.

Installation

As of PHP 5.2.0, the filter functions are enabled by default. There is no installation needed to use these functions.

Runtime Configurations

The behavior of these functions is affected by settings in php.ini:

| Name | Description | Default | Changeable |
|---|---|---|---|
| filter.default | Filters all $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER data with this filter. Accepts the name of the filter you would like to use by default. See the filter list for the filter names | "unsafe_raw" | PHP_INI_PERDIR |
| filter.default_flags | Default flags to apply when the default filter is set. This is set to FILTER_FLAG_NO_ENCODE_QUOTES by default for backwards compatibility reasons | NULL | PHP_INI_PERDIR |

PHP 5 Filter Functions

| Function | Description |
|---|---|
| filter_has_var() | Checks if a variable of a specified input type exists |
| filter_id() | Returns the filter ID of a specified filter name |
| filter_input() | Gets an external variable (e.g. from form input) and optionally filters it |
| filter_input_array() | Gets external variables (e.g. from form input) and optionally filters them |
| filter_list() | Returns a list of all supported filters |
| filter_var_array() | Gets multiple variables and filters them |
| filter_var() | Filters a variable with a specified filter |

PHP 5 Predefined Filter Constants

| Constant | ID | Description |
|---|---|---|
| FILTER_VALIDATE_BOOLEAN | 258 | Validates a boolean |
| FILTER_VALIDATE_EMAIL | 274 | Validates an e-mail address |
| FILTER_VALIDATE_FLOAT | 259 | Validates a float |
| FILTER_VALIDATE_INT | 257 | Validates an integer |
| FILTER_VALIDATE_IP | 275 | Validates an IP address |
| FILTER_VALIDATE_REGEXP | 272 | Validates a regular expression |
| FILTER_VALIDATE_URL | 273 | Validates a URL |
| FILTER_SANITIZE_EMAIL | 517 | Removes all illegal characters from an e-mail address |
| FILTER_SANITIZE_ENCODED | 514 | Removes/Encodes special characters |
| FILTER_SANITIZE_MAGIC_QUOTES | 521 | Applies addslashes() |
| FILTER_SANITIZE_NUMBER_FLOAT | 520 | Removes all characters except digits, +- and optionally .,eE |
| FILTER_SANITIZE_NUMBER_INT | 519 | Removes all characters except digits and + - |
| FILTER_SANITIZE_SPECIAL_CHARS | 515 | Removes special characters |
| FILTER_SANITIZE_FULL_SPECIAL_CHARS | | |
| FILTER_SANITIZE_STRING | 513 | Removes tags/special characters from a string |
| FILTER_SANITIZE_STRIPPED | 513 | Alias of FILTER_SANITIZE_STRING |
| FILTER_SANITIZE_URL | 518 | Removes all illegal characters from a URL |
| FILTER_UNSAFE_RAW | 516 | Does nothing; optionally strips/encodes special characters |
| FILTER_CALLBACK | 1024 | Calls a user-defined function to filter data |
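
Because filter.default is "unsafe_raw", request data is not filtered unless the code asks for it. The following is an added example, not code from the original page: it validates a whole input array with filter_var_array() and tells a missing field apart from an invalid one. The helper validate_input(), the field names and the sample values are constructed for illustration; the flag constants (FILTER_NULL_ON_FAILURE, FILTER_FLAG_IPV4, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE) are standard PHP flags that the table above does not list.

```php
<?php
// Hypothetical helper: returns [filtered values, errors keyed by field name].
function validate_input(array $raw, array $spec)
{
    $clean  = filter_var_array($raw, $spec); // keys absent from $raw come back as null
    $errors = [];
    foreach ($spec as $field => $rule) {
        $flags = (is_array($rule) && isset($rule['flags'])) ? $rule['flags'] : 0;
        // A failed validation yields false, or null when FILTER_NULL_ON_FAILURE is set.
        $failed = ($flags & FILTER_NULL_ON_FAILURE) ? null : false;
        if (!array_key_exists($field, $raw)) {
            $errors[$field] = 'missing';
        } elseif ($clean[$field] === $failed) {
            $errors[$field] = 'invalid';
        }
    }
    return [$clean, $errors];
}

// Constructed sample input standing in for $_POST.
$raw = [
    'email'  => 'alice@example.com',
    'age'    => '42abc',     // not an integer
    'ip'     => '10.0.0.5',  // private range, rejected by the flags below
    'notify' => 'off',       // a valid spelling of boolean false
    'site'   => 'https://example.com/profile',
];

$spec = [
    'email'  => FILTER_VALIDATE_EMAIL,
    'age'    => ['filter'  => FILTER_VALIDATE_INT,
                 'options' => ['min_range' => 13, 'max_range' => 120]],
    'ip'     => ['filter' => FILTER_VALIDATE_IP,
                 'flags'  => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE
                           | FILTER_FLAG_NO_RES_RANGE],
    // Without FILTER_NULL_ON_FAILURE, "off" and garbage would both return false.
    'notify' => ['filter' => FILTER_VALIDATE_BOOLEAN,
                 'flags'  => FILTER_NULL_ON_FAILURE],
    'site'   => FILTER_VALIDATE_URL,
    'token'  => FILTER_UNSAFE_RAW, // required field that $raw does not contain
];

list($clean, $errors) = validate_input($raw, $spec);
var_export($errors); // fields to reject before any further processing
echo PHP_EOL;
var_export($clean);  // use only entries that have no error recorded
echo PHP_EOL;
```

Validation decides whether to accept a value; it does not make the value safe to print, so output still needs context-appropriate escaping.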