DEV Community

Imoh Imohowo

Mastering Input Filtering in PHP: A Guide to `filter_input` Techniques

Handling user input securely is a cornerstone of web development. PHP offers a powerful function called filter_input that simplifies input validation and sanitization. In this post, we'll explore different ways to use filter_input to keep your applications safe and clean.


What is filter_input?

The filter_input function retrieves an external variable (from $_GET, $_POST, $_COOKIE, $_SERVER or $_ENV) and optionally filters it. Because it reads the raw request data rather than the superglobal array, later modifications to $_POST or $_GET in your code do not affect it. Rejecting malformed input this early helps reduce the risk of vulnerabilities such as SQL injection and XSS; it complements, rather than replaces, prepared statements and output escaping.

Basic Syntax

filter_input(int $type, string $variable_name, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed
  • $type: The input type (INPUT_GET, INPUT_POST, INPUT_COOKIE, etc.).
  • $variable_name: The key of the input variable.
  • $filter: The filter to apply (e.g., FILTER_SANITIZE_STRING, FILTER_VALIDATE_EMAIL).
  • $options: Additional flags, or an associative array with "options" and/or "flags" keys.

The return value is the filtered value on success, false if the filter fails, and null if the variable is not set at all (unless FILTER_NULL_ON_FAILURE is used, which swaps these two).

Common Filtering Techniques

1. Validating Email Input

Ensuring an email is properly formatted before processing:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// filter_input returns null when the field is absent and false when it fails
// the filter, so check for both rather than only for false.
if ($email === null || $email === false) {
    echo "Invalid email!";
}

2. Sanitizing Strings

Removing unwanted tags and encoding special characters:

$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);

(Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. Consider keeping the input unchanged with FILTER_DEFAULT and escaping it with htmlspecialchars at output time, or use other context-appropriate sanitization methods.)

3. Validating Integers

Ensuring numeric input is an integer:

$age = filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT);
// On success the integer itself is returned (not the original string). A
// missing field returns null, which the "< 1" check also rejects.
if ($age === false || $age < 1) {
    echo "Invalid age!";
}

4. Filtering URLs

Validating and sanitizing URLs:

$website = filter_input(INPUT_POST, 'website', FILTER_VALIDATE_URL);
// FILTER_VALIDATE_URL checks syntax only (scheme and host present); it does
// not say anything about whether the URL is safe to follow.
if ($website === null || $website === false) {
    echo "Invalid URL!";
}

5. Using Filter Flags

Adding constraints through the options array, such as a minimum/maximum range (flags, when needed, go under a separate "flags" key):

$score = filter_input(
    INPUT_POST,
    'score',
    FILTER_VALIDATE_INT,
    ["options" => ["min_range" => 0, "max_range" => 100]]
);

6. Sanitizing and Validating Arrays

Applying filters to array inputs (FILTER_REQUIRE_ARRAY makes the field fail unless it is an array; each element is then filtered individually):

$filters = [
    'emails' => [
        'filter' => FILTER_VALIDATE_EMAIL,
        'flags'  => FILTER_REQUIRE_ARRAY
    ]
];
// Returns an array keyed like $filters; a field that is not set is null and
// a field (or element) that fails its filter is false.
$sanitized = filter_input_array(INPUT_POST, $filters);
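Putting the techniques above together, here is an added example (not code from the original post) that validates a whole form with filter_input_array while keeping "missing" (null) and "invalid" (false) apart. The field names, the age range and the http/https scheme allowlist are assumptions for illustration.

```php
<?php
// Added example (not from the original post): validating one form submission with
// filter_input_array, keeping "missing" (null) and "invalid" (false) apart.
// Field names, the 1..120 age range and the scheme allowlist are assumptions.
declare(strict_types=1);
function validateSignup(): array
{
    $definition = [
        'email'   => FILTER_VALIDATE_EMAIL,
        'age'     => [
            'filter'  => FILTER_VALIDATE_INT,
            'options' => ['min_range' => 1, 'max_range' => 120],
        ],
        'website' => FILTER_VALIDATE_URL,
        // Free text is left unchanged on input (FILTER_DEFAULT) and escaped on output.
        'name'    => FILTER_DEFAULT,
    ];
    // With the default add_empty=true, a field absent from $_POST comes back as
    // null, while a field that fails its filter comes back as false.
    $input = filter_input_array(INPUT_POST, $definition);
    if ($input === null || $input === false) {
        $input = array_fill_keys(array_keys($definition), null); // no POST body
    }
    $errors = [];
    foreach ($input as $field => $value) {
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        }
    }
    // FILTER_VALIDATE_URL only checks syntax; restrict the scheme explicitly so a
    // well-formed ftp:// or other non-web URL is not accepted as a website.
    if (is_string($input['website'] ?? null)
        && !in_array(parse_url($input['website'], PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'invalid';
    }
    return ['values' => $input, 'errors' => $errors];
}
$result = validateSignup();
if ($result['errors'] !== []) {
    http_response_code(400);
    foreach ($result['errors'] as $field => $why) {
        echo htmlspecialchars("$field: $why", ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
// Escape only when rendering so the stored value stays intact.
echo 'Welcome, ', htmlspecialchars($result['values']['name'], ENT_QUOTES, 'UTF-8');
```

Submitting the form with a missing age and a malformed email produces a 400 response listing "age: missing" and "email: invalid", while a valid submission reaches the final echo.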

When to Use filter_input vs. Other Methods

  • Pros: Built-in, easy to use, reduces manual validation.
  • Cons: Some filters are deprecated (FILTER_SANITIZE_STRING), the null/false return convention is easy to get wrong, and it offers limited flexibility compared to custom validation libraries.

For complex validation, consider libraries like Laravel Validator or Symfony’s Validator Component.


Conclusion

PHP's filter_input is a handy tool for basic input sanitization and validation, helping you write more secure code with minimal effort. While it may not cover every edge case, it’s a great starting point for securing user input.
