Filter data and review user input

The filter extensions have been available in PHP since 5.1 (see http://www.php.net/manual/en/ref.filter.php). If not available, these can be installed using the PECL installer:

To see whether the filters are active, either check the output of phpinfo();

or simply check with a PHP program:

3 ways to filter data

VALIDATE to test whether the data corresponds exactly to the expected format. These filters are addressed with FILTER_VALIDATE_*.

SANITIZE to "heal" the user input. This can, but does not have to, lead to the desired result. See the example with e-mail addresses later. These filters are addressed with FILTER_SANITIZE_*.

FLAGS for further options that can be set for the filters. These are addressed with FILTER_FLAG_*.

Example structure of the call

To check whether an entry is a correct e-mail address, the call is structured as follows:

When checking with filter_var, TRUE or FALSE is set, depending on whether the formal structure of the input corresponds to an e-mail address or not.

Task: what happens if e-mail addresses with umlauts appear?

TYPE verification

Often the first step is to check whether the type of the entered variable corresponds to the specified format. If integers are expected and something else arrives, the input must not be accepted.



The same for numbers with decimal places:


Check URL

All existing filters

To list all available filters:

User input via form

User input comes in via a form using $_GET - in the following example the id:

Heal (SANITIZE) existing user input

Healing can be used to clean up strings - very useful for some tasks:

The structure is almost identical to the one above:

$cured = filter_var($to_test, FILTER_SANITIZE_type);

    $cured = filter_var($to_test, FILTER_SANITIZE_STRING);

  • FILTER_SANITIZE_STRING Removes the characters "<>?"
  • FILTER_SANITIZE_STRIPPED Removes the characters "<>?"
  • FILTER_SANITIZE_ENCODED Converts `~!@#$%^&*()=+[{]};:'".?/| to %hex
  • FILTER_SANITIZE_SPECIAL_CHARS Converts <>&" to HTML entities (&#...;)
  • FILTER_SANITIZE_EMAIL Removes the characters ();:<>,\"
  • FILTER_SANITIZE_URL Only a-zA-Z0-9`~!@#$%^&*()-_=+[{]};:'"<,>.?/| are allowed
  • FILTER_SANITIZE_NUMBER_INT Only 1234567890-+ are allowed
  • FILTER_SANITIZE_NUMBER_FLOAT Only 1234567890-+ are allowed


The filters can be given additional options using flags. Most flags only work with a specific validate or sanitize filter.

Example of the FILTER_FLAG_ALLOW_HEX flag, which allows hexadecimal entries. This can be used, for example, to check whether a colour value has been entered. This flag only works with FILTER_VALIDATE_INT or FILTER_SANITIZE_NUMBER_INT.
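The following is an added example (not code from the original page) that puts the pieces above together: strict validation of the id that arrives via $_GET, the validate-versus-sanitize behaviour on an e-mail address with an umlaut, and the FILTER_FLAG_ALLOW_HEX flag. The function names and the sample values are constructed for this example; $_GET is simulated with a plain array.

```php
<?php
declare(strict_types=1);

// Validate the id strictly: it must be an integer >= 1. With FILTER_NULL_ON_FAILURE
// a rejected value comes back as NULL, so it cannot be confused with a real 0.
function validateId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
    return $id === false ? null : $id;
}

// VALIDATE answers "is this formally an e-mail address?", SANITIZE strips every
// character it does not allow. The umlaut in "jörg@..." fails validation, while
// sanitizing silently turns it into a different, syntactically valid address.
function checkEmail(string $input): array
{
    return [
        'valid'     => filter_var($input, FILTER_VALIDATE_EMAIL) !== false,
        'sanitized' => filter_var($input, FILTER_SANITIZE_EMAIL),
    ];
}

// FILTER_FLAG_ALLOW_HEX lets FILTER_VALIDATE_INT accept "0x"-prefixed values,
// e.g. a colour such as 0xff8800; anything else is rejected (NULL).
function parseColour(string $input): ?int
{
    $value = filter_var($input, FILTER_VALIDATE_INT, [
        'flags' => FILTER_FLAG_ALLOW_HEX | FILTER_NULL_ON_FAILURE,
    ]);
    return $value === false ? null : $value;
}

// Constructed sample inputs, as they might arrive from a form.
foreach (['42', '0', '-7', '12abc', ''] as $raw) {
    printf("id %-8s -> %s\n", var_export($raw, true), var_export(validateId(['id' => $raw]), true));
}
foreach (['anna@example.com', 'jörg@example.com'] as $mail) {
    $r = checkEmail($mail);
    printf("%-18s valid=%-3s sanitized=%s\n", $mail, $r['valid'] ? 'yes' : 'no', $r['sanitized']);
}
foreach (['0xff8800', 'ff8800', '255'] as $colour) {
    printf("colour %-9s -> %s\n", $colour, var_export(parseColour($colour), true));
}
```

Run it from the command line with php; the sanitized umlaut address is the case the "Task" above asks about, and it shows why a sanitized value should still be validated before it is used.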

Various flags (in brackets: the filters they work with):

  • FILTER_NULL_ON_FAILURE - 0 is returned instead of an empty result when the check fails
  • FILTER_FLAG_ALLOW_OCTAL (*_INT) - numbers in the octal system
  • FILTER_FLAG_STRIP_LOW - strips characters with an ASCII value below 32
  • FILTER_FLAG_STRIP_HIGH - strips characters with an ASCII value above 127
  • FILTER_FLAG_ENCODE_LOW - encodes characters with an ASCII value below 32
  • FILTER_FLAG_ENCODE_HIGH - encodes characters with an ASCII value above 127
  • FILTER_FLAG_NO_ENCODE_QUOTES - leaves single and double quotes unencoded
  • FILTER_FLAG_ALLOW_FRACTION (*_NUMBER_FLOAT) - permitted are 1234567890-+. (with period, without comma)
  • FILTER_FLAG_ALLOW_THOUSAND (*_NUMBER_FLOAT) - permitted are 1234567890-+, (without period, with comma)
  • FILTER_FLAG_ALLOW_SCIENTIFIC (*_NUMBER_FLOAT) - permitted are eE1234567890-+ (neither period nor comma)
  • FILTER_FLAG_SCHEME_REQUIRED (VALIDATE_URL) - the URL must contain a scheme
  • FILTER_FLAG_HOST_REQUIRED (VALIDATE_URL) - the URL must contain a host
  • FILTER_FLAG_PATH_REQUIRED (VALIDATE_URL) - the URL must contain a path
  • FILTER_FLAG_QUERY_REQUIRED (VALIDATE_URL) - the URL must contain a query string
