PHP filter_var

Summary: in this tutorial, you will learn how to use the PHP filter_var() function to sanitize and validate data.

Introduction to the PHP filter_var() function

When dealing with external data, you need to sanitize and validate it for security purposes. The external data may come from user inputs or third-party API.

A good rule of thumb is that you should never trust external data. And you should always:

  • Sanitize and validate data before storing it in the database.
  • Espace data before displaying it on a web page.

Suppose, you have a URL that contains a query string like this:

http://localhost:8080/index.php?id=10Code language: plaintext (plaintext)

And you want to display the $id on the page:

echo $_GET['id'];Code language: PHP (php)

In this case, you see that the page displays the number 10.

However, a malicious hacker may change the value of id to something code like this:

%3Cscript%3Ealert(%27Hi%27)%3C/script%3E

And the URL will be:

http://localhost:8080/phptutorial/filter_var/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3ECode language: JavaScript (javascript)

In this case, you’ll see an alert on the web browser instead. In this example, the value of id is not a number but a piece of JavaScript code that shows an alert.

Imagine the following situation:

  • First, a hacker creates a link to the page on a legitimate domain (https://www.mybank.com/login/?id=...). with an id that contains malicious code instead of a valid number. And unfortunately, the page doesn’t sanitize and validate the input.
  • Second, the hacker embeds the link in an email and sends it to the users of the mybank.com.
  • Third, the users see the link with a legitimate domain and click it. When they arrive at the page, they’re redirected to the hacker’s website with the same look and feel (https://www.mybank.on-a-malicious-domain.com/login/).
  • Finally, users enter their accounts and lose the bank credentials to the hacker.

To prevent this, you need to sanitize and validate data before processing it.

  • Sanitization disables potential malicious code from data before processing it.
  • Validation ensures that the data is in the correct format regarding data type, range, and value.

PHP has the filter_var() function that supports you to both sanitize and validate data. Here’s the syntax of the filter_var() function:

filter_var ( mixed $value , int $filter = FILTER_DEFAULT , array|int $options = 0 ) : mixedCode language: PHP (php)

The filter_var() function the following parameters:

  • $value is the value will be filtered.
  • $filter is the filter id to apply. The filter id determines how the filter_var() function filters the $value.
  • $options is an associative array of options or a list of flags separated by the pipe character (|).

The filter() function returns the filtered value, or false if the filter fails.

PHP filter_var() function example

Let’s take an example of using the filter_var() function.

1) Using the PHP filter_var() function to sanitize data

The following example uses the filter_var() function to sanitize the id of a query string:

<?php

if (filter_has_var(INPUT_GET, 'id')) {
	// sanitize id
	$id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);
	// show the id
	var_dump($id);
} else {
	echo 'id is required.';
}
Code language: HTML, XML (xml)

Note that the filter_has_var() function returns true if the query string contains the id parameter.

If you navigate to the URL:

http://localhost:8080/index.php?id=10Code language: JavaScript (javascript)

you’ll see the following value:

string(2) "10"Code language: JavaScript (javascript)

However, if you use the following link that has an id with malicious code:

http://localhost:8080/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3ECode language: JavaScript (javascript)

you’ll see the following:

string(0) ""Code language: JavaScript (javascript)

The filter_var() function with the FILTER_SANITIZE_NUMBER_INT filters will remove all characters except the digits, plus, and minus signs from the id variable. Check out all the filter ids that you can use to sanitize data.

2) Using the PHP filter_var() function to validate data

Besides sanitizing data, you can use the filter_var() function to validate data. For example:

<?php

if (filter_has_var(INPUT_GET, 'id')) {
	// sanitize id
	$clean_id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);

	// validate id
	$id = filter_var($clean_id, FILTER_VALIDATE_INT);

	// show the id if it's valid
	echo $id === false ? 'Invalid id' : $id;
} else {
	echo 'id is required.';
}
Code language: PHP (php)

In this example, we pass the id from the $_GET array to the filter_var() function and use the filter id FILTER_VALIDATE_INT to validate whether $_GET['id'] is an integer or not.

If the result is false, then it shows the message 'Invalid id'. Otherwise, it dumps the value of id.

If the id is an integer, for example:

http://localhost:8080/index.php?id=10Code language: JavaScript (javascript)

…you’ll see the following value on the screen:

10

Notice that the filter_var() function implicitly converts the string ‘10' to the integer 10.

If the value of the id is anything other than an integer, you’ll see the message:

Invalid id

Some filter ids support the additional options. For example, the FILTER_VALIDATE_INT allows you to specify the min range, max range, and default value when the filter fails.

To make sure that the value of id is greater than10, you use the $options argument in the filter_var() function as follows:

<?php

if (filter_has_var(INPUT_GET, 'id')) {
    // sanitize id
    $clean_id = filter_var($_GET['id'], FILTER_SANITIZE_NUMBER_INT);

    if ($clean_id) {
        // validate id with options
        $id = filter_var($clean_id, FILTER_VALIDATE_INT, ['options' => [
            'min_range' => 10
        ]]);

        // show the id if it's valid
        echo $id === false ? 'id must be at least 10' : $id;
    }
    else {
         echo 'id is invalid.';
    }
} else {
    echo 'id is required.';
}Code language: PHP (php)

If you don’t have the id in the query string, you’ll get the following error:

id is required.

If you have an id that is not an integer like the following:

index.php?id=abc

… you’ll get the following error:

id is invalid.

However, if you have an id with the value that cannot be converted to an integer like this:

index.php?id=123abc

…you’ll get the id with the value 123 because the FILTER_SANITIZE_NUMBER_INT filter removes the abc characters from the id.

If you have an id with a value less than 10:

index.php?id=9

… you’ll get the following message:

id must be at least 10

Summary

  • External data cannot be trusted. Therefore, you should always sanitize and validate the external data.
  • Use the PHP filter_var() function to sanitize and validate data.
Did you find this tutorial useful?