PHP filter_input Function (original) (raw)

Summary: in this tutorial, you will learn how to use the PHP filter_input() function to get an external variable by name and filter it.

Introduction to PHP filter_input() function #

When dealing with external data, you need to sanitize and validate it for security purposes. The external data may come from user inputs, databases, or third-party API.

A good rule of thumb is that you should never trust external data and always:

Sanitize and validate data before storing it in the database.
Escapce data before displaying it on a web page.

Suppose, you have a URL that contains a query string like this:

http://localhost/index.php?id=10Code language: plaintext (plaintext)

And you want to display the $id on the page:

echo $_GET['id'];Code language: PHP (php)

In this case, you see that the page displays the number 10.

However, a malicious hacker may change the value of id to something code like this:

%3Cscript%3Ealert(%27Hi%27)%3C/script%3ECode language: PHP (php)

And the URL will be:

http://localhost/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3ECode language: PHP (php)

In this case, you’ll see an alert on the web browser instead. In this example, the value of id is not a number but a piece of JavaScript code that shows an alert.

Imagine the following situation:

First, a hacker creates a link to the page on a legitimate domain (https://www.mybank.com/login/?id=...). with an id that contains malicious code instead of a valid number. Unfortunately, the page doesn’t sanitize and validate the input.
Second, the hacker embeds the link in an email and sends it to the users of the mybank.com.
Third, users see the link with a legitimate domain and click it. When they arrive at the page, they’re redirected to the hacker’s website with the same look and feel (https://www.mybank.on-a-malicious-domain.com/login/).
Finally, users enter their accounts and lose their bank credentials to the hacker.

To prevent this, you must always sanitize and validate data before processing it.

Sanitization disables potential malicious code from data before processing it.
Validation ensures the data is in the correct format regarding data type, range, and value.

The PHP filter_input() function allows you to get an external variable by its name and filter it using one or more built-in filters.

Here’s the syntax of the filter_input() function:

filter_input ( int <math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>t</mi><mi>y</mi><mi>p</mi><mi>e</mi><mo separator="true">,</mo><mi>s</mi><mi>t</mi><mi>r</mi><mi>i</mi><mi>n</mi><mi>g</mi></mrow><annotation encoding="application/x-tex">type , string </annotation></semantics></math>type,stringvar_name , int <math xmlns="http://www.w3.org/1998/Math/MathML"><semantics><mrow><mi>f</mi><mi>i</mi><mi>l</mi><mi>t</mi><mi>e</mi><mi>r</mi><mo>=</mo><mi>F</mi><mi>I</mi><mi>L</mi><mi>T</mi><mi>E</mi><msub><mi>R</mi><mi>D</mi></msub><mi>E</mi><mi>F</mi><mi>A</mi><mi>U</mi><mi>L</mi><mi>T</mi><mo separator="true">,</mo><mi>a</mi><mi>r</mi><mi>r</mi><mi>a</mi><mi>y</mi><mi mathvariant="normal">∣</mi><mi>i</mi><mi>n</mi><mi>t</mi></mrow><annotation encoding="application/x-tex">filter = FILTER_DEFAULT , array|int </annotation></semantics></math>filter=FILTERDEFAULT,array∣intoptions = 0 ) : mixedCode language: PHP (php)

The filter_input() function has the following parameters:

$type is one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, and INPUT_ENV.
$var_name is the name of the variable to filter.
$filter is the filter id to apply. Here’s the list of valid filters. If you omit the $filter argument, the filter_input() function will use the FILTER_DEFAULT filter id, which doesn’t filter anything.
$options is an associative array that consists of one or more options. You can use one or more flags when a filter accepts the options. If you want to use multiple flags, you need to separate them by the (|), e.g., FILTER_SANITIZE_ENCODED | FILTER_SANITIZE_SPECIAL_CHARS.

The filter_input() function returns null, false, or the filtered value according to the following rules:

If the $var_name is not set, the filte_input() function returns null.
If the filter fails, the filter_input() function returns false.
Otherwise, it returns the filtered value of the requested variable.

The following example uses the filter_input() function to sanitize data for a search form:

`<?php

$term_html = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS); $term_url = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_ENCODED);

Search $term_html ."; }`Code language: HTML, XML (xml) How the form works. The form has an input with the type `search` and a submit button. When you enter a search term, e.g., `how to use the filter_input function` and click the submit button; the form uses the GET method to append the term query string to the URL, e.g., `http://localhost/search.php?term=how+to+use+the+filter_input+function`Code language: plaintext (plaintext) This search form submits itself (`search.php`). The `filter_input()` function sanitizes the search term using the `FILTER_SANITIZE_SPECIAL_CHARS` and `FILTER_SANITIZE_ENCODED` filters. The `FILTER_SANITIZE_SPECIAL_CHARS` filter returns a value for showing on the search field and the `FILTER_SANITIZE_ENCODED` filter returns a value for displaying on the page. ## filter\_input vs. filter\_var [#](#filter%5Finput-vs-filter%5Fvar "Anchor for filter_input vs. filter_var") The following table shows the comparison of the `filter_input` and `filter_var` functions: | Feature / Aspect | filter\_input() | filter\_var() | | ------------------------ | ------------------------------------------------------------ | -------------------------------------------------------------- | | **Purpose** | Validiate and sanitize inputs like POST request. | Validate and sanize a **variable you already have** in memory. | | **Input** | INPUT\_\* such asINPUT\_GET andINPUT\_POST | Any local variable ($id, $email, etc.) | | **Validation Example** | filter\_input(INPUT\_GET, 'email', FILTER\_VALIDATE\_EMAIL) | filter\_var($email, FILTER\_VALIDATE\_EMAIL) | | **Sanitization Example** | filter\_input(INPUT\_POST, 'name', FILTER\_SANITIZE\_STRING) | filter\_var($name, FILTER\_SANITIZE\_STRING) | | **Returns** | Filtered value on success, false on failure or not found | Filtered value on success, false on validation failure | | **Fails When** | Variable is not set in the input type or validation fails | Variable is invalid or fails validation | | **Use Case** | Validate / sanitize form input | validate/ sanitnize variables | ## Summary [#](#summary "Anchor for Summary") * Use the PHP `filter_input()` function to sanitize and validate data from external variables. * Use the `filter_input()` function when you need to validate and sanitize data coming directly from user and `filter_var()` ưhen the input is alrady in a variable. Did you find this tutorial useful?