In this tutorial, you will learn how to sanitize and validate user input in PHP.
Sanitizing and validating user input is one of the most common tasks in web applications. To simplify this task, PHP provides a native filter extension that can be used to sanitize or validate data such as email addresses, URLs, and IP addresses.
To validate data with the filter extension, use PHP's filter_var() function. The basic syntax of the function is as follows:
filter_var(variable, filter, options)
This function has three parameters, of which the last two are optional. The first parameter is the value to be filtered, the second parameter is the ID of the filter to be applied, and the third parameter is an array of options related to the filter. Let's see how it works.
The following example will clean the string by removing all HTML tags from it:
<?php
// Example user comment
$comment = "<h1>Hey! How's your day going?</h1>";

// Sanitize and print the comment string
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.
$sanitizedComment = filter_var($comment, FILTER_SANITIZE_STRING);
echo $sanitizedComment;
?>
The output of the above example is as follows:
Hey! How's your day going?
The following example will verify whether the value is a valid integer.
<?php
// Example integer value
$int = 20;

// Validate the integer value
if (filter_var($int, FILTER_VALIDATE_INT)) {
    echo "<b>$int</b> is a valid integer";
} else {
    echo "<b>$int</b> is not a valid integer";
}
?>
In the above example, if the variable $int is set to 0, the code will display the invalid integer message, because filter_var() returns the validated value 0, which PHP treats as false in the if condition. To solve this problem, you need to explicitly test for the value 0, as shown below:
<?php
// Example integer value
$int = 0;

// Validate the sample integer value, treating a returned 0 as valid
if (filter_var($int, FILTER_VALIDATE_INT) === 0 || filter_var($int, FILTER_VALIDATE_INT)) {
    echo "<b>$int</b> is a valid integer";
} else {
    echo "<b>$int</b> is not a valid integer";
}
?>
The following example will verify whether the value is a valid IP address.
<?php
// Example IP address
$ip = "172.16.254.1";

// Validate the example IP address
if (filter_var($ip, FILTER_VALIDATE_IP)) {
    echo "<b>$ip</b> is a valid IP address";
} else {
    echo "<b>$ip</b> is not a valid IP address";
}
?>
You can further restrict validation to IPv4 or IPv6 addresses by using the FILTER_FLAG_IPV4 or FILTER_FLAG_IPV6 flag, respectively. Here is an example:
<?php
// Example IP address
$ip = "172.16.254.1";

// Validate the example IP address as IPv6 only
if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
    echo "<b>$ip</b> is a valid IPv6 address";
} else {
    echo "<b>$ip</b> is not a valid IPv6 address";
}
?>
The following examples will show you how to clean and verify email addresses.
<?php
// Example email address
$email = "someone@@example.com";

// Remove all illegal characters from the email
$sanitizedEmail = filter_var($email, FILTER_SANITIZE_EMAIL);

// Validate the email address
if ($email == $sanitizedEmail && filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "$email is a valid email address";
} else {
    echo "$email is not a valid email address";
}
?>
Note: The FILTER_SANITIZE_EMAIL filter removes all characters from the email address string except letters, numbers, and the characters !#$%&'*+-=?^_`{|}~@.[].
The following example will show you how to clean and validate a URL.
<?php
// Example URL
$url = "http:://www.example.com";

// Remove all illegal characters from the URL
$sanitizedUrl = filter_var($url, FILTER_SANITIZE_URL);

// Validate the website URL
if ($url == $sanitizedUrl && filter_var($url, FILTER_VALIDATE_URL)) {
    echo "$url is a valid website URL";
} else {
    echo "$url is not a valid website URL";
}
?>
Note: The FILTER_SANITIZE_URL filter removes all characters from the URL string except letters, numbers, and the characters $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
You can also use the FILTER_FLAG_QUERY_REQUIRED flag to check whether the URL contains a query string, as shown in the following example:
<?php
// Example URL
$url = "http://www.example.com?topic=filters";

// Validate the website URL and require a query string
if (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED)) {
    echo "<b>$url</b> includes the query string";
} else {
    echo "<b>$url</b> does not include the query string";
}
?>
Please refer to the HTML URL tutorial to learn about the different components of a URL.
The following example will verify whether the provided value is an integer and whether it is within the range of 0 to 100.
<?php
// Example integer value
$int = 75;

// Validate the sample integer value against the range.
// Compare with false so that 0, which is inside the range, is not rejected.
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range" => 0, "max_range" => 100))) !== false) {
    echo "<b>$int</b> is within the range of 0 to 100";
} else {
    echo "<b>$int</b> is not within the range of 0 to 100";
}
?>
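The validation examples above combined into a single pass over a form submission, as an added example that is not part of the original tutorial: it uses filter_var_array() with strict comparisons so that a valid 0 is not rejected, and adds a scheme allowlist because FILTER_VALIDATE_URL only checks syntax. The function name validateSubmission, the field names and the sample values are assumptions made for illustration.

```php
<?php
// Added example, not from the original tutorial.
// Field names and sample values are constructed for illustration.

// Returns [validated values, names of the fields that failed].
function validateSubmission(array $input): array
{
    $rules = [
        'age'     => ['filter'  => FILTER_VALIDATE_INT,
                      'options' => ['min_range' => 0, 'max_range' => 100]],
        'email'   => FILTER_VALIDATE_EMAIL,
        'website' => FILTER_VALIDATE_URL,
        'ip'      => ['filter' => FILTER_VALIDATE_IP, 'flags' => FILTER_FLAG_IPV4],
    ];

    // Each key holds the validated value, false on failure, or null if absent.
    $result = filter_var_array($input, $rules);

    $clean = [];
    $errors = [];
    foreach ($result as $field => $value) {
        // Strict comparison: a valid 0 must not be mistaken for a failure.
        if ($value === false || $value === null) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    }

    // FILTER_VALIDATE_URL checks syntax only, so restrict the scheme separately.
    if (isset($clean['website'])) {
        $scheme = strtolower((string) parse_url($clean['website'], PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            unset($clean['website']);
            $errors[] = 'website';
        }
    }
    return [$clean, $errors];
}

// Constructed sample input, as it might arrive in $_POST.
$sample = ['age' => '0', 'email' => 'someone@@example.com',
           'website' => 'ftp://files.example.com/a.txt', 'ip' => '172.16.254.1'];
[$clean, $errors] = validateSubmission($sample);
var_dump($clean);
print_r($errors);
```

Validated values still need context-specific output encoding, such as htmlspecialchars(), before being echoed into HTML.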