# PHP filter_input Function

Summary: in this tutorial, you will learn how to use the PHP filter_input() function to get an external variable by name and filter it.

## Introduction to PHP filter_input() function

When dealing with external data, you need to sanitize and validate it for security purposes. The external data may come from user input, databases, or third-party APIs.

A good rule of thumb is that you should never trust external data and always:

Suppose you have a URL that contains a query string like this:

```plaintext
http://localhost/index.php?id=10
```

And you want to display the $id on the page:

```php
echo $_GET['id'];
```

In this case, you see that the page displays the number 10.

However, a malicious user may change the value of id to some code like this:

```plaintext
%3Cscript%3Ealert(%27Hi%27)%3C/script%3E
```

And the URL will be:

```plaintext
http://localhost/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3E
```

In this case, you'll see an alert in the web browser instead. The value of id is no longer a number but a piece of JavaScript code that shows an alert.

Imagine the following situation:

To prevent this, you must always sanitize and validate data before processing it.

The PHP filter_input() function allows you to get an external variable by its name and filter it using one or more built-in filters.

Here’s the syntax of the filter_input() function:

```php
filter_input(int $type, string $var_name, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed
```

The filter_input() function has the following parameters:

The filter_input() function returns null, false, or the filtered value according to the following rules:
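The following script is an added example (not from the original tutorial) that applies the three return cases to the `id` query string from the introduction: it validates `id` as an integer instead of echoing `$_GET['id']` unchecked. It assumes ids must be positive integers and is meant to run under a web server, e.g. `php -S localhost:8000`, because `filter_input(INPUT_GET, ...)` has no GET data on the command line.

```php
<?php
// Added example, not the tutorial's own code: validate the "id" query
// parameter with filter_input() before using it.
// Try /index.php?id=10, /index.php?id=abc and /index.php (no id).
declare(strict_types=1);

// Assumed constraint for this example: ids are positive integers.
$options = ['options' => ['min_range' => 1]];

// filter_input() returns:
//   null  -> "id" is not present in the GET data
//   false -> "id" is present but does not pass FILTER_VALIDATE_INT
//   int   -> the validated integer
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $options);

if ($id === null) {
    http_response_code(400);
    echo 'Missing id';
} elseif ($id === false) {
    // A value such as the <script> payload from the introduction ends up
    // here: it is rejected and never written back into the page.
    http_response_code(400);
    echo 'Invalid id';
} else {
    // $id is an int now; escaping on output is still a good habit.
    echo 'Product id: ' . htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8');
}
```

Checking `=== null` and `=== false` separately is what lets you tell a missing parameter apart from a malformed one.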

The following example uses the filter_input() function to sanitize data for a search form:

```php
<?php

// Sanitize the search term once for the HTML attribute and once for the URL.
$term_html = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
$term_url = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_ENCODED);

?>
<form action="search.php" method="get">
    <label for="term">Search</label>
    <input type="search" name="term" id="term" value="<?php echo $term_html; ?>">
    <input type="submit" value="Search">
</form>
<?php
if ($term_url !== null) {
    echo "<p>Search results for: " . $term_html . "</p>";
}
?>
```

How the form works:

The form has an input with the type `search` and a submit button. When you enter a search term, e.g., `how to use the filter_input function`, and click the submit button, the form uses the GET method to append the term as a query string to the URL, e.g.:

```plaintext
http://localhost/search.php?term=how+to+use+the+filter_input+function
```

This search form submits to itself (`search.php`). The `filter_input()` function sanitizes the search term using the `FILTER_SANITIZE_SPECIAL_CHARS` and `FILTER_SANITIZE_ENCODED` filters. The `FILTER_SANITIZE_SPECIAL_CHARS` filter returns a value for showing in the search field and the `FILTER_SANITIZE_ENCODED` filter returns a value for displaying on the page.

## filter_input vs. filter_var

The following table compares the `filter_input()` and `filter_var()` functions:

| Feature / Aspect | filter_input() | filter_var() |
| --- | --- | --- |
| **Purpose** | Validate and sanitize inputs such as a POST request. | Validate and sanitize a **variable you already have** in memory. |
| **Input** | `INPUT_*` such as `INPUT_GET` and `INPUT_POST` | Any local variable (`$id`, `$email`, etc.) |
| **Validation Example** | `filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL)` | `filter_var($email, FILTER_VALIDATE_EMAIL)` |
| **Sanitization Example** | `filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING)` | `filter_var($name, FILTER_SANITIZE_STRING)` |
| **Returns** | Filtered value on success, false on failure or not found | Filtered value on success, false on validation failure |
| **Fails When** | Variable is not set in the input type or validation fails | Variable is invalid or fails validation |
| **Use Case** | Validate / sanitize form input | Validate / sanitize variables |

## Summary

* Use the PHP `filter_input()` function to sanitize and validate data from external variables.
* Use the `filter_input()` function when you need to validate and sanitize data coming directly from the user, and `filter_var()` when the input is already in a variable.
| | **Validation Example** | filter\_input(INPUT\_GET, 'email', FILTER\_VALIDATE\_EMAIL) | filter\_var($email, FILTER\_VALIDATE\_EMAIL) | | **Sanitization Example** | filter\_input(INPUT\_POST, 'name', FILTER\_SANITIZE\_STRING) | filter\_var($name, FILTER\_SANITIZE\_STRING) | | **Returns** | Filtered value on success, false on failure or not found | Filtered value on success, false on validation failure | | **Fails When** | Variable is not set in the input type or validation fails | Variable is invalid or fails validation | | **Use Case** | Validate / sanitize form input | validate/ sanitnize variables | ## Summary [#](#summary "Anchor for Summary") * Use the PHP `filter_input()` function to sanitize and validate data from external variables. * Use the `filter_input()` function when you need to validate and sanitize data coming directly from user and `filter_var()` ưhen the input is alrady in a variable. Did you find this tutorial useful?