Handling user input securely is a cornerstone of web development. PHP offers a powerful function called filter_input that simplifies input validation and sanitization. In this post, we'll explore different ways to use filter_input to keep your applications safe and clean.
What is filter_input?
The filter_input function retrieves an external variable (like $_GET, $_POST, or $_COOKIE) and optionally filters it. This helps prevent security vulnerabilities such as SQL injection, XSS, and other malicious input attacks.
Basic Syntax
filter_input(int $type, string $variable_name, int $filter = FILTER_DEFAULT, array|int $options = 0);
- $type: The input type (INPUT_GET, INPUT_POST, INPUT_COOKIE, etc.).
- $variable_name: The key of the input variable.
- $filter: The filter to apply (e.g., FILTER_SANITIZE_STRING, FILTER_VALIDATE_EMAIL).
- $options: Additional flags or options.
Common Filtering Techniques
1. Validating Email Input
Ensuring an email is properly formatted before processing:
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// null means the field was not sent at all; false means it was sent but is not a valid address
if ($email === null || $email === false) {
echo "Invalid email!";
}
2. Sanitizing Strings
Removing unwanted tags and encoding special characters:
$username = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_STRING);
(Note: FILTER_SANITIZE_STRING is deprecated in PHP 8.1. Consider htmlspecialchars or other sanitization methods.)
3. Validating Integers
Ensuring numeric input is an integer:
$age = filter_input(INPUT_GET, 'age', FILTER_VALIDATE_INT);
if ($age === false || $age < 1) {
echo "Invalid age!";
}
4. Filtering URLs
Validating and sanitizing URLs:
$website = filter_input(INPUT_POST, 'website', FILTER_VALIDATE_URL);
// null means the field was not sent at all; false means it was sent but is not a valid URL
if ($website === null || $website === false) {
echo "Invalid URL!";
}
5. Using Filter Flags
Adding constraints, such as a minimum/maximum range:
$score = filter_input(
INPUT_POST,
'score',
FILTER_VALIDATE_INT,
["options" => ["min_range" => 0, "max_range" => 100]]
);
6. Sanitizing and Validating Arrays
Applying filters to array inputs:
$filters = [
'emails' => [
'filter' => FILTER_VALIDATE_EMAIL,
'flags' => FILTER_REQUIRE_ARRAY
]
];
$sanitized = filter_input_array(INPUT_POST, $filters);
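As an added example (not code from the original post), here is the array validation from section 6 carried through with the distinction the filter extension draws between a field that is missing (null) and one that is present but fails its check (false), which a bare "=== false" test in sections 1 to 4 does not make. It runs offline by passing a constructed array to filter_var_array, which applies exactly the definition filter_input_array would apply to the live request; the field names and ranges are assumptions.

```php
<?php
// Filter definition (assumed field names and ranges); the same array works
// with filter_input_array(INPUT_POST, PROFILE_FILTERS) in a real handler.
const PROFILE_FILTERS = [
    'email'   => FILTER_VALIDATE_EMAIL,
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 1, 'max_range' => 150]],
    'website' => FILTER_VALIDATE_URL,
    'emails'  => ['filter' => FILTER_VALIDATE_EMAIL,
                  'flags'  => FILTER_REQUIRE_ARRAY],
];

// Returns [clean, errors]. With add_empty = true (the default) an absent key
// comes back as null and a present-but-invalid value as false, so the two
// cases are reported separately instead of a single "=== false" test.
function validateProfile(array $raw): array
{
    $filtered = filter_var_array($raw, PROFILE_FILTERS, true);
    $clean = $errors = [];
    foreach (array_keys(PROFILE_FILTERS) as $field) {
        $value = $filtered[$field];
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        } elseif (is_array($value) && in_array(false, $value, true)) {
            // FILTER_REQUIRE_ARRAY filters element-wise: a bad element becomes
            // false inside the array; the field as a whole is not false.
            $errors[$field] = 'invalid element';
        } else {
            $clean[$field] = $value;
        }
    }
    return [$clean, $errors];
}

// Constructed sample standing in for $_POST: 'age' is out of range, one
// entry of 'emails' is malformed, and 'website' is omitted entirely.
$sample = [
    'email'  => 'alice@example.com',
    'age'    => '200',
    'emails' => ['bob@example.com', 'not-an-email'],
];
[$clean, $errors] = validateProfile($sample);
// A validated value is still raw text: escape it at the output sink.
foreach ($clean as $field => $value) {
    printf("%s: %s\n", $field, htmlspecialchars(json_encode($value), ENT_QUOTES, 'UTF-8'));
}
print_r($errors);
```

Validation decides whether a value is acceptable; it does not make the value safe for a particular sink, so database writes still belong in prepared statements and HTML output still goes through htmlspecialchars.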
When to Use filter_input vs. Other Methods
- Pros: Built-in, easy to use, reduces manual validation.
- Cons: Some filters are deprecated (FILTER_SANITIZE_STRING), limited flexibility compared to custom validation libraries.
For complex validation, consider libraries like Laravel Validator or Symfony’s Validator Component.
Conclusion
PHP's filter_input is a handy tool for basic input sanitization and validation, helping you write more secure code with minimal effort. While it may not cover every edge case, it's a great starting point for securing user input.