If you read the first lesson on PHP filters, you already have an idea on why do you need to care about PHP filtering and how it works. Making PHP sanitize input means providing your web application with an additional layer of protection since external data can sometimes put it at risk.
In this tutorial, we will dive a little bit deeper and learn more about advanced filters. You will discover how they can help PHP sanitize input that your web application receives. They can also make PHP validate URL addresses, recognize QueryString, and understand ASCII values of characters used in the code.
Contents
PHP Sanitize Input: Main Tips
- PHP offers advanced filters for processing data.
- PHP input sanitization is especially important when dealing with queries.
Using filter_var()
The example below uses filter_var() for checking whether a variable is actually an integer and has a value between 10 and 100:
<?php
$int = 185;
$min = 10;
$max = 100;
if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {
echo("Variable isn't valid");
} else {
echo("Variable is valid");
}
?>Note: similar results can also be achieved with filter_input PHP function.
IPv6 Address Validation
Now, in this example, filter_var() is used to determine whether $ip is a proper IPv6 address:
<?php
$ip = "2012:0db9:89a4:09d3:1919:8a9e:0390:7394";
if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {
echo("$ip is indeed a valid IPv6 address");
} else {
echo("$ip is no valid IPv6 address");
}
?>URL Validation
The example below uses a function called filter_var() to make PHP validate URL address. Basically, that means determining whether $url is a URL that contains QueryString:
<?php
$url = "https://www.bitdegree.org/learn/";
if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED) === false) {
echo("$url is a valid URL address");
} else {
echo("$url is not a valid URL address");
}
?>Removing Characters
In the example below, filter_var() is used to PHP sanitize string (in other words, to remove any special characters from it). It removes every HTML tag detected, as well as all characters that have the ASCII value above 127 from the string:
<?php
$string = "<h2>H3110 W0r1dÆØÅ!</h2>";
$filteredString = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
echo $filteredString;
?>PHP Sanitize Input: Summary
- Advanced filters make it easier for PHP developers to process data. For example, easier to make PHP sanitize input from external sources.
- You can find them extremely useful when dealing with queries.
- As you make PHP sanitize input, you can be as specific as possible about the characters you wish to remove.
filter_varworks similarly asfilter_inputPHP function.