Summary: in this tutorial, you will learn how to use the PHP filter_var()
function to sanitize and validate data.
Introduction to the PHP filter_var() function
When dealing with external data, you need to sanitize and validate it for security purposes. The external data may come from user inputs or third-party API.
A good rule of thumb is that you should never trust external data. And you should always:
- Sanitize and validate data before storing it in the database.
- Escape data before displaying it on a web page.
Suppose you have a URL that contains a query string like this:
http://localhost:8080/index.php?id=10
And you want to display the id on the page:
echo $_GET['id'];
In this case, you see that the page displays the number 10.
However, a malicious hacker may change the value of id to something like this:
%3Cscript%3Ealert(%27Hi%27)%3C/script%3E
And the URL will be:
http://localhost:8080/phptutorial/filter_var/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3E
In this case, you’ll see an alert in the web browser instead, because the value of id is no longer a number but a piece of JavaScript code that shows an alert.
Imagine the following situation:
- First, a hacker creates a link to the page on a legitimate domain (https://www.mybank.com/login/?id=...) with an id that contains malicious code instead of a valid number. Unfortunately, the page doesn’t sanitize and validate the input.
- Second, the hacker embeds the link in an email and sends it to the users of mybank.com.
- Third, the users see the link with a legitimate domain and click it. When they arrive at the page, they’re redirected to the hacker’s website, which has the same look and feel (https://www.mybank.on-a-malicious-domain.com/login/).
- Finally, the users enter their account details and lose their bank credentials to the hacker.
To prevent this, you need to sanitize and validate data before processing it.
- Sanitization removes or neutralizes potentially malicious content in the data before processing it.
- Validation ensures that the data is in the correct format with respect to data type, range, and value.
PHP provides the filter_var() function, which lets you both sanitize and validate data. Here’s the syntax of the filter_var() function:
filter_var ( mixed $value , int $filter = FILTER_DEFAULT , array|int $options = 0 ) : mixed
The filter_var() function takes the following parameters:
- $value is the value to be filtered.
- $filter is the id of the filter to apply. The filter id determines how the filter_var() function filters the $value.
- $options is an associative array of options, or a set of flags combined with the pipe character (|).
The filter_var() function returns the filtered value, or false if the filter fails.
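The following script, an added example that is not part of the original tutorial, shows the three shapes the $options argument can take (a flag integer, an array with an 'options' key, and an array with both 'flags' and 'options') and why the false return value is ambiguous for a boolean filter. All input strings are constructed test values.

```php
<?php
// Added example, not from the original tutorial. Every input string below is
// a constructed test value.

// 1) Flags passed as a plain integer. Several flags are combined with the
//    pipe (bitwise OR) operator. FILTER_FLAG_ALLOW_HEX lets FILTER_VALIDATE_INT
//    accept a hexadecimal string such as "0x1A", which is rejected otherwise.
var_dump(filter_var('0x1A', FILTER_VALIDATE_INT));
var_dump(filter_var('0x1A', FILTER_VALIDATE_INT, FILTER_FLAG_ALLOW_HEX));

// 2) An associative array with an 'options' key. FILTER_VALIDATE_INT supports
//    min_range, max_range and default. When validation fails (wrong type or
//    out of range), the value of 'default' is returned instead of false.
$opts = ['options' => ['min_range' => 1, 'max_range' => 100, 'default' => 1]];
var_dump(filter_var('42',  FILTER_VALIDATE_INT, $opts));
var_dump(filter_var('500', FILTER_VALIDATE_INT, $opts));
var_dump(filter_var('abc', FILTER_VALIDATE_INT, $opts));

// 3) Both 'flags' and 'options' keys in the same array.
$both = ['flags' => FILTER_FLAG_ALLOW_HEX, 'options' => ['min_range' => 0]];
var_dump(filter_var('0xff', FILTER_VALIDATE_INT, $both));

// Failure is signalled by false, so a filter whose legitimate result can be
// false (FILTER_VALIDATE_BOOLEAN on "no") cannot tell "no" from garbage.
// FILTER_NULL_ON_FAILURE makes failures return null, so false stays meaningful.
var_dump(filter_var('no',    FILTER_VALIDATE_BOOLEAN));
var_dump(filter_var('maybe', FILTER_VALIDATE_BOOLEAN));
var_dump(filter_var('no',    FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
var_dump(filter_var('maybe', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE));
```

Run it from the command line with php. The hex string is rejected until the flag is added; "500" and "abc" both come back as the default 1 rather than false, so when you rely on 'default' you lose the ability to detect that the input was bad; and only with FILTER_NULL_ON_FAILURE does "maybe" (null) become distinguishable from "no" (false). When a caller needs to know whether validation failed, a strict comparison with === against false (or null) is the check to write.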
PHP filter_var() function example
Let’s look at some examples of using the filter_var() function.
1) Using the PHP filter_var() function to sanitize data
The following example uses the filter_var()
function to sanitize the id of a query string:
<?php
if (filter_has_var(INPUT_GET, 'id')) {
    // sanitize id
    $id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
    // show the id
    var_dump($id);
} else {
    echo 'id is required.';
}
Note that the filter_has_var() function returns true if the query string contains the id parameter.
If you navigate to the URL:
http://localhost:8080/index.php?id=10
you’ll see the following value:
string(2) "10"
However, if you use the following link that has an id with malicious code:
http://localhost:8080/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3E
you’ll see the following:
string(0) ""
The filter_var() function with the FILTER_SANITIZE_NUMBER_INT filter removes all characters except digits, plus, and minus signs from the id variable. Check out all the filter ids that you can use to sanitize data.
2) Using the PHP filter_var() function to validate data
Besides sanitizing data, you can use the filter_var() function to validate data. For example:
<?php
if (filter_has_var(INPUT_GET, 'id')) {
    // sanitize id
    $clean_id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
    // validate id
    $id = filter_var($clean_id, FILTER_VALIDATE_INT);
    // show the id if it's valid
    echo $id === false ? 'Invalid id' : $id;
} else {
    echo 'id is required.';
}
In this example, we first sanitize the id from the $_GET array and then pass the sanitized value to the filter_var() function with the filter id FILTER_VALIDATE_INT to check whether it is an integer.
If the result is false, the script shows the message 'Invalid id'. Otherwise, it echoes the value of id.
If the id is an integer, for example:
http://localhost:8080/index.php?id=10
…you’ll see the following value on the screen:
10
Notice that the filter_var() function implicitly converts the string '10' to the integer 10.
If the value of the id is anything other than an integer, you’ll see the message:
Invalid id
Some filter ids support additional options. For example, FILTER_VALIDATE_INT allows you to specify a minimum value, a maximum value, and a default value to return when the filter fails.
To make sure that the value of id is at least 10, you use the $options argument of the filter_var() function as follows:
<?php
if (filter_has_var(INPUT_GET, 'id')) {
    // sanitize id
    $clean_id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
    // compare against the empty string: a plain truthiness check would
    // also reject the legitimate value "0"
    if ($clean_id !== '') {
        // validate id with options
        $id = filter_var($clean_id, FILTER_VALIDATE_INT, ['options' => [
            'min_range' => 10
        ]]);
        // show the id if it's valid
        echo $id === false ? 'id must be at least 10' : $id;
    } else {
        echo 'id is invalid.';
    }
} else {
    echo 'id is required.';
}
If you don’t have the id in the query string, you’ll get the following error:
id is required.
If you have an id that is not an integer like the following:
index.php?id=abc
… you’ll get the following error:
id is invalid.
However, if you have an id whose value mixes digits with other characters, like this:
index.php?id=123abc
…you’ll get the id with the value 123, because the FILTER_SANITIZE_NUMBER_INT filter removes the abc characters from the id before validation.
If you have an id with a value less than 10:
index.php?id=9
… you’ll get the following message:
id must be at least 10
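The behaviour just described (123abc being accepted as 123) is a consequence of sanitizing before validating. The command-line script below, an added example that is not part of the original tutorial, runs the tutorial's sanitize-then-validate pipeline side by side with a validate-only variant over a set of constructed query-string values, so you can see which inputs each approach accepts. The function names id_sanitize_then_validate and id_validate_only and the sample values are assumptions made for this example.

```php
<?php
// Added example, not from the original tutorial. The function names and the
// sample inputs are constructed for this demonstration.

// The tutorial's approach: sanitize first, then validate. Because
// FILTER_SANITIZE_NUMBER_INT strips everything except digits, + and -,
// "123abc" becomes "123" and then passes validation.
function id_sanitize_then_validate(?string $raw, int $min = 10): string
{
    if ($raw === null) {
        return 'id is required.';
    }
    $clean = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    if ($clean === '') {
        return 'id is invalid.';
    }
    $id = filter_var($clean, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $id === false ? "id must be at least $min" : (string) $id;
}

// Validate the raw value directly. FILTER_VALIDATE_INT only accepts a
// well-formed integer string, so "123abc" is rejected instead of being
// silently trimmed to 123.
function id_validate_only(?string $raw, int $min = 10): string
{
    if ($raw === null) {
        return 'id is required.';
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    if ($id === false) {
        // Tell "not an integer at all" apart from "integer below the minimum"
        // by validating once more without the range option.
        return filter_var($raw, FILTER_VALIDATE_INT) === false
            ? 'id is invalid.'
            : "id must be at least $min";
    }
    return (string) $id;
}

// Constructed inputs: the cases from the tutorial plus a script-tag payload
// and a signed integer. null stands for a missing query-string parameter.
$samples = [
    null,
    '10',
    '9',
    'abc',
    '123abc',
    '<script>alert(\'Hi\')</script>',
    '+15',
];

printf("%-32s | %-22s | %s\n", 'raw value', 'sanitize then validate', 'validate only');
foreach ($samples as $raw) {
    printf("%-32s | %-22s | %s\n",
        var_export($raw, true),
        id_sanitize_then_validate($raw),
        id_validate_only($raw));
}
```

The two columns agree on every input except 123abc: the sanitize-first pipeline reports 123, while the validate-only path reports "id is invalid.". Sanitizing is useful when you want to repair mildly malformed input, but when a parameter must be exactly an integer, validating the raw value (and rejecting it on false) is the stricter choice, and it still treats the script-tag payload as invalid.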
Summary
- External data cannot be trusted. Therefore, you should always sanitize and validate external data.
- Use the PHP filter_var() function to sanitize and validate data.