filter_var() / filter_input()
Functions for validating and sanitizing input values. Use them to ensure the safety of data received from external sources.
Syntax
// Applies a filter to a variable.
filter_var($value, $filter, $options);
// Retrieves a value from $_GET, $_POST, $_COOKIE, etc. and applies a filter.
filter_input($type, $var_name, $filter, $options);
Function List
| Function | Description |
| --- | --- |
| filter_var($value, $filter, $options) | Applies a filter to a variable for validation or sanitization. Returns false if validation fails. |
| filter_input($type, $var_name, $filter, $options) | Retrieves external input with a filter applied. Pass INPUT_GET, INPUT_POST, INPUT_COOKIE, etc. as the first argument. |
Common Validation Filters
| Filter | Description |
| --- | --- |
| FILTER_VALIDATE_EMAIL | Validates the format of an email address. |
| FILTER_VALIDATE_URL | Validates the format of a URL. |
| FILTER_VALIDATE_IP | Validates the format of an IP address. Use FILTER_FLAG_IPV4 or FILTER_FLAG_IPV6 to restrict the version. |
| FILTER_VALIDATE_INT | Validates an integer value. You can specify a minimum and maximum range via options. |
| FILTER_VALIDATE_FLOAT | Validates a floating-point number. |
| FILTER_VALIDATE_BOOLEAN | Validates a boolean value. Recognizes true, yes, on, and 1 as true. ※ Note that passing the string 'false' returns null, not true — this is counterintuitive behavior, so be careful. |
| FILTER_VALIDATE_DOMAIN | Validates the format of a domain name. Available in PHP 7.0 and later. |
Common Sanitization Filters
| Filter | Description |
| --- | --- |
| FILTER_SANITIZE_EMAIL | Removes characters that are invalid in an email address. |
| FILTER_SANITIZE_URL | Removes characters that are invalid in a URL. |
| FILTER_SANITIZE_NUMBER_INT | Removes all characters except digits, plus signs, and minus signs. |
| FILTER_SANITIZE_NUMBER_FLOAT | Removes all characters except digits, plus signs, minus signs, and periods. |
| FILTER_SANITIZE_SPECIAL_CHARS | Encodes HTML special characters. |
| FILTER_SANITIZE_ADD_SLASHES | Performs the same processing as addslashes(). Added in PHP 8.1 as a replacement for FILTER_SANITIZE_STRING. |
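The validation filters above combined into one input check, as an added example that is not code from the original page; validate_signup(), its field names and the sample input are hypothetical and constructed for illustration. It shows why results are compared with === false (so that "0" is accepted as an integer) and adds a scheme allowlist on top of FILTER_VALIDATE_URL, which checks format only.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. validate_signup() and the
// field names are hypothetical; the sample input below is constructed.
function validate_signup(array $in): array
{
    $clean = [];
    $errors = [];

    // Record a field as clean or failed. The check is strictly === false:
    // "0" validates to int 0, which a loose truthiness test would reject.
    $keep = function (string $field, $value) use (&$clean, &$errors): void {
        if ($value === false) {
            $errors[] = $field;
        } else {
            $clean[$field] = $value;
        }
    };

    $keep('age', filter_var($in['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]));

    $keep('email', filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL));

    // FILTER_VALIDATE_URL accepts any well-formed URL, whatever its scheme,
    // so the scheme is checked separately against an allowlist.
    $url = filter_var($in['site'] ?? '', FILTER_VALIDATE_URL);
    if ($url !== false) {
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            $url = false;
        }
    }
    $keep('site', $url);

    // Restrict the address family with FILTER_FLAG_IPV4.
    $keep('ip', filter_var($in['ip'] ?? '', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4));

    return [$clean, $errors];
}

// Constructed sample input.
[$clean, $errors] = validate_signup([
    'age' => '0', 'email' => 'user@example.com',
    'site' => 'ftp://example.com/file', 'ip' => '::1',
]);
var_dump($clean, $errors);
```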
Sample Code
sample_filter_var.php
<?php
// Validate an email address.
$email = "user@example.com";
if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
    echo "Valid email address."; // Passes validation.
}

// An invalid email address returns false.
var_dump(filter_var("not-an-email", FILTER_VALIDATE_EMAIL)); // Outputs: bool(false)

// Validate a URL.
$url = "https://wp-p.info";
if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
    echo "Valid URL.";
}

// Validate an integer with a range constraint.
$age = "25";
$options = ['options' => ['min_range' => 0, 'max_range' => 150]];
$valid_age = filter_var($age, FILTER_VALIDATE_INT, $options);
if ($valid_age !== false) {
    echo "Age: " . $valid_age; // Outputs: Age: 25
}

// Validate an IP address.
var_dump(filter_var("192.168.1.1", FILTER_VALIDATE_IP)); // Outputs: string(11) "192.168.1.1"
var_dump(filter_var("999.999.999.999", FILTER_VALIDATE_IP)); // Outputs: bool(false)

// Safely retrieve a $_GET value using filter_input().
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'default' => 1]
]);

// Sanitization example.
$dirty_email = "user