PHP filter_input

Summary: in this tutorial, you will learn how to use the PHP filter_input() function to get an external variable by name and filter it.

Introduction to PHP filter_input() function

The PHP filter_input() function allows you to get an external variable by its name and filter it using one or more built-in filters.

The following shows the syntax of the filter_input() function:

filter_input ( int $type , string $var_name , int $filter = FILTER_DEFAULT , array|int $options = 0 ) : mixed

The filter_input() function has the following parameters:

  • $type is one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV. It selects which part of the HTTP request the variable is read from.
  • $var_name is the name of the variable to filter.
  • $filter is the id of the filter to apply (see the list of filter ids in the PHP manual). If you omit the $filter argument, the filter_input() function uses FILTER_DEFAULT, which is an alias of FILTER_UNSAFE_RAW and doesn’t filter anything.
  • $options is either an associative array or a bitmask of flags. As an array, it can have an 'options' key (filter-specific settings such as min_range and max_range for FILTER_VALIDATE_INT) and a 'flags' key. When a filter accepts flags, you can combine several of them with the bitwise OR operator (|), e.g., FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH. Note that filter ids themselves cannot be combined this way: filter_input() applies exactly one filter per call.

The filter_input() function returns null, false, or the filtered value according to the following rules:

  • If the $var_name is not set, the filter_input() function returns null.
  • If the filter fails, the filter_input() function returns false.
  • Otherwise, it returns the filtered value of the requested variable.

If you pass the FILTER_NULL_ON_FAILURE flag, the first two results are swapped: a missing variable returns false and a failed filter returns null. Because of this, always compare the result with === against null and false rather than relying on truthiness; an empty string or "0" is a valid filtered value that is falsy.
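The following added example (not code from the original tutorial) shows the array form of $options described above and the three return states of filter_input() in one place. It validates a hypothetical page query parameter as an integer in a range; the same $options array is then passed to filter_var() on constructed values so the branch logic can be exercised from the command line, where no HTTP request exists.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original tutorial.
// The "page" parameter and the 1..1000 range are assumptions for illustration.

// 'options' holds filter-specific settings, 'flags' holds FILTER_FLAG_* /
// FILTER_NULL_ON_FAILURE bits. With FILTER_NULL_ON_FAILURE the return values
// are swapped: missing variable -> false, failed validation -> null.
$page_options = [
    'options' => ['min_range' => 1, 'max_range' => 1000],
    'flags'   => FILTER_NULL_ON_FAILURE,
];

/**
 * Classify a validation result into one of three states so that a missing
 * parameter (use a default) is never confused with a malformed one (reject).
 */
function classify_page(int|false|null $result): string
{
    if ($result === false) {
        return 'missing';   // no ?page= in the request: fall back to page 1
    }
    if ($result === null) {
        return 'invalid';   // ?page=abc, ?page=0 or ?page=5000: reject with 400
    }
    return 'valid';         // an int inside the configured range
}

// Under a web server this reads the original GET parameter from the request.
// On the command line INPUT_GET is empty, so the result is false ("missing").
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, $page_options);
echo 'filter_input: ', classify_page($page), PHP_EOL;

// The same options with filter_var() on constructed inputs, to show each state.
$samples = ['12', 'abc', '0', '5000', ' 7 '];   // constructed sample values
foreach ($samples as $value) {
    $result = filter_var($value, FILTER_VALIDATE_INT, $page_options);
    printf("%-6s -> %s\n", var_export($value, true), classify_page($result));
}
```

The strict === comparisons matter: a loose check such as if (!$page) would treat the valid page "0" the same as a missing parameter, and a range that starts at 1 is the only reason 0 is rejected here.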

PHP filter_input() function example

The following example uses the filter_input() function to sanitize data for a search form:

<?php

// HTML-encode the term for use in the page and in a double-quoted attribute.
$term_html = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
// URL-encode the term for use inside a query string (not used by this form,
// but the right value to put into links such as a "next page" link).
$term_url = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_ENCODED);

?>
<form action="search.php" method="get">
    <label for="term"> Search </label>
    <input type="search" name="term" id="term" value="<?php echo $term_html ?>">
    <input type="submit" value="Search">
</form>

<?php

// null means no term was submitted; false would mean the filter failed
// (for example when term was submitted as an array: ?term[]=x).
if (null !== $term_html && false !== $term_html) {
	echo "The search result for <mark> $term_html </mark>.";
}

How the form works

The form contains an input with type search and a submit button.

When you enter a search term, e.g., how to use the filter_input function, and click the submit button, the form uses the GET method to append the term as a query string to the URL, e.g.:

http://localhost/search.php?term=how+to+use+the+filter_input+function

This search form submits to itself (search.php).

The filter_input() function reads the search term twice, once through the FILTER_SANITIZE_SPECIAL_CHARS filter and once through the FILTER_SANITIZE_ENCODED filter.

The FILTER_SANITIZE_SPECIAL_CHARS filter HTML-encodes the characters ' " < > & and control characters, so its result is safe to echo into the search field’s double-quoted value attribute and into the result text. The FILTER_SANITIZE_ENCODED filter URL-encodes the term instead, so its result is what you should use when the term goes back into a URL, e.g., a link to the next page of results; it is not the right encoding for text shown on the page. Pick the filter by the context the value is written into, not by where it came from.

One caveat: if the client submits the variable as an array (?term[]=x), both sanitize filters fail and filter_input() returns false, which echoes as an empty string; this is why the example compares against both null and false.
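The following added example (not part of the original tutorial) runs a constructed hostile search term through the same two filters and places each result in the context it is meant for. It uses filter_var() rather than filter_input() so it runs from the command line; both functions apply the filter to the value in the same way. The search.php URL and the page parameter are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's own code.
// Constructed attacker-controlled input: tries to break out of an attribute
// and to smuggle a second query-string parameter.
$raw_term = '"><script>alert(1)</script>&page=99';

// HTML context: ' " < > & and control characters become numeric entities.
$term_html = filter_var($raw_term, FILTER_SANITIZE_SPECIAL_CHARS);

// URL context: everything except letters, digits, "-", "." and "_" is
// percent-encoded, so "&" and "=" can no longer delimit parameters.
$term_url = filter_var($raw_term, FILTER_SANITIZE_ENCODED);

/**
 * Build the three fragments the search page emits, each with the encoding
 * that matches its context. Returns them keyed by context so that a caller
 * (or a test) can inspect them individually.
 */
function render_fragments(string $html_value, string $url_value): array
{
    return [
        // 1. Double-quoted attribute value: HTML-encoded form.
        'field'  => sprintf('<input type="search" name="term" value="%s">', $html_value),
        // 2. Text node: HTML-encoded form.
        'result' => sprintf('<p>Results for <mark>%s</mark></p>', $html_value),
        // 3. Query string inside an href: URL-encoded form. The encoded string
        //    contains no HTML metacharacters, so it can sit inside the
        //    double-quoted attribute as is; only the literal "&" separating
        //    our own parameters needs to be written as &amp;.
        'next'   => sprintf('<a href="search.php?term=%s&amp;page=2">Next page</a>', $url_value),
    ];
}

foreach (render_fragments($term_html, $term_url) as $context => $fragment) {
    printf("%-7s %s\n", $context . ':', $fragment);
}
```

Swapping the two encodings is the classic mistake: the URL-encoded value inside HTML is harmless but unreadable, while the HTML-encoded value inside a URL still contains a raw "&" followed by page=99, so the server would receive a second page parameter that the user never typed.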

filter_input vs. filter_var

If a variable doesn’t exist, the filter_input() function returns null, while reading the missing key from a superglobal and passing it to filter_var() returns an empty string and issues a notice of an undefined index (in PHP 8 this is a warning: Undefined array key).

Suppose you have a page with the following URL:

http://localhost/search.php

The following filter_input() function returns null and doesn’t raise any error when you get the term variable from the INPUT_GET:

<?php

$term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);

var_dump($term);

Output:

NULL

However, the filter_var() function receives the result of the undefined array access, returns an empty string, and PHP issues a notice (a warning with the message Undefined array key "term" in PHP 8):

<?php

$term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($term);

Output:

Notice: Undefined index: term in ...\search.php on line 3
string(0) ""

Therefore, you often use the isset() or filter_has_var() function to check that a variable is set before passing it to the filter_var() function, like this:

<?php

if (isset($_GET['term'])) {
    $term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);
    var_dump($term);
}

Also, the filter_input() function doesn’t read the current values of the $_GET, $_POST, … superglobal variables. Instead, it uses the original values submitted in the HTTP request. This means that values your own code (or an included library) writes into a superglobal are invisible to filter_input(), and, conversely, that code which tampers with a superglobal after the request arrives cannot change what filter_input() returns. For example:

<?php

$_GET['term'] = 'PHP'; // doesn't have any effect on INPUT_GET
$term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);

var_dump($term);

Output:

NULL

This example assigns a value to $_GET['term'] at runtime. However, filter_input() doesn’t read the term from the current $_GET array but from the request, which carried no term; therefore the script displays NULL.

On the other hand, filter_var() works on whatever value you pass to it, so it does see the current contents of $_GET. For example:

<?php

$_GET['term'] = 'PHP';
$term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);

var_dump($term);

Output:

string(3) "PHP"

Summary

  • Use the PHP filter_input() function to sanitize and validate data from external variables.
  • filter_input() returns null for a missing variable and false for a failed filter (swapped when FILTER_NULL_ON_FAILURE is set), so compare with === against both.
  • filter_input() reads the original request, not the current $_GET, $_POST, … arrays; use filter_var() when you need to filter a value your code has set.