Learn FILTERS in PHP for Best Security Performance

Today we will learn about a less used but powerful feature of PHP: the FILTERS. This extension filters data by either validating or sanitizing it. This is especially useful when the data source contains unknown (or foreign) data, like user supplied input. For example, this data may come from an HTML form.
There are two main types of filtering: validation and sanitization.
Validation is used to validate or check if the data meets certain qualifications. For example, passing in FILTER_VALIDATE_EMAIL will determine if the data is a valid email address, but will not change the data itself.
Sanitization will sanitize the data, so it may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. That said, it does not validate the data.

Source: PHP.net

Note: FILTER is available only in PHP version 5.2 or later.

Types of filters:

  • Validate filters
  • Sanitize filters
  • Other filters
  • Filter flags

Validate Filters:
FILTER_VALIDATE_BOOLEAN: Returns TRUE for "1", "true", "on" and "yes" and FALSE otherwise. With the FILTER_NULL_ON_FAILURE flag, FALSE is returned only for "0", "false", "off", "no" and "", and NULL for any other value.
FILTER_VALIDATE_EMAIL: Validates value as e-mail.
FILTER_VALIDATE_FLOAT: Validates value as float.
FILTER_VALIDATE_INT: Validates value as integer, optionally from the specified range.
FILTER_VALIDATE_IP: Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.
FILTER_VALIDATE_REGEXP: Validates value against regexp, a Perl-compatible regular expression.
FILTER_VALIDATE_URL: Validates value as URL.

Examples:
Validating Email address:

<?php
$email_a = 'foo@foo.com';
$email_b = 'invalid@email';

// FILTER_VALIDATE_EMAIL returns the address itself on success and false on failure.
if (filter_var($email_a, FILTER_VALIDATE_EMAIL) !== false) {
    echo "This ($email_a) email address is valid.\n";
} else {
    echo "This ($email_a) email address is invalid.\n";
}
if (filter_var($email_b, FILTER_VALIDATE_EMAIL) !== false) {
    echo "This ($email_b) email address is valid.\n";
} else {
    echo "This ($email_b) email address is invalid.\n";
}
?>

//Output:
This (foo@foo.com) email address is valid.
This (invalid@email) email address is invalid.

Validating IP address:

<?php
$ip_a = '127.0.0.1';
$ip_b = '52.69';

// FILTER_VALIDATE_IP accepts IPv4 and IPv6 by default; see the flags for restricting it.
if (filter_var($ip_a, FILTER_VALIDATE_IP) !== false) {
    echo "This ($ip_a) IP address is valid.\n";
} else {
    echo "This ($ip_a) IP address is invalid.\n";
}
if (filter_var($ip_b, FILTER_VALIDATE_IP) !== false) {
    echo "This ($ip_b) IP address is valid.\n";
} else {
    echo "This ($ip_b) IP address is invalid.\n";
}
?>

//Output:
This (127.0.0.1) IP address is valid.
This (52.69) IP address is invalid.
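The list above mentions that several validate filters take options (an integer range, a regular expression) or flags (IPv4 only, no private or reserved ranges), but the examples do not show them. The following added example (not from the original post) exercises those options and the two checks a practitioner has to remember: FILTER_VALIDATE_INT returns the integer itself, so a value of 0 must be distinguished from false with a strict comparison, and FILTER_VALIDATE_URL checks only URL syntax, so an allowed-scheme check has to be added separately. The function names and all inputs are constructed for the example.

```php
<?php
// Added example, not part of the original post: validate filters with options
// and flags. Function names and inputs are constructed.

// FILTER_VALIDATE_INT returns the integer itself, so "0" validates to int 0.
// A truthy check (`if (filter_var(...))`) would wrongly reject it; compare
// against false explicitly.
function check_int(string $raw, int $min, int $max): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// FILTER_VALIDATE_BOOLEAN with FILTER_NULL_ON_FAILURE distinguishes an explicit
// "no" (false) from a value that is not a boolean at all (null).
function check_bool(string $raw): ?bool
{
    return filter_var($raw, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

// Public IPv4 only: private (10/8, 172.16/12, 192.168/16) and reserved ranges
// (0/8, 127/8, 169.254/16, 240/4) are rejected. This matters whenever the
// server itself will later connect to the address the user supplied.
function check_public_ipv4(string $raw): ?string
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    $value = filter_var($raw, FILTER_VALIDATE_IP, $flags);
    return $value === false ? null : $value;
}

// FILTER_VALIDATE_REGEXP takes the pattern in the options array.
function check_slug(string $raw): ?string
{
    $value = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[a-z0-9-]{1,32}$/'],
    ]);
    return $value === false ? null : $value;
}

// FILTER_VALIDATE_URL checks syntax only (scheme and host present); any scheme
// passes, so an allow-list of schemes has to be applied separately.
function check_http_url(string $raw): ?string
{
    $value = filter_var($raw, FILTER_VALIDATE_URL);
    if ($value === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $value : null;
}

// Constructed inputs.
$cases = [
    ['int',  '0',                     check_int('0', 0, 10)],           // int 0, not a failure
    ['int',  '11',                    check_int('11', 0, 10)],          // null: out of range
    ['int',  '042',                   check_int('042', 0, 100)],        // null: leading zero
    ['bool', 'off',                   check_bool('off')],               // false
    ['bool', 'maybe',                 check_bool('maybe')],             // null
    ['ip',   '8.8.8.8',               check_public_ipv4('8.8.8.8')],
    ['ip',   '10.0.0.5',              check_public_ipv4('10.0.0.5')],   // null: private range
    ['ip',   '127.0.0.1',             check_public_ipv4('127.0.0.1')],  // null: reserved range
    ['slug', 'php-filters',           check_slug('php-filters')],
    ['slug', 'PHP Filters!',          check_slug('PHP Filters!')],      // null
    ['url',  'https://example.com/?q=1', check_http_url('https://example.com/?q=1')],
    ['url',  'ftp://example.com/pub', check_http_url('ftp://example.com/pub')], // null: scheme not allowed
];

foreach ($cases as [$kind, $raw, $result]) {
    printf("%-4s %-30s => %s\n", $kind, var_export($raw, true), var_export($result, true));
}
```

Each helper returns null for "rejected" so that a legitimate 0, false or empty string coming back from the filter cannot be mistaken for a failure by the caller.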

Sanitize filters:
FILTER_SANITIZE_EMAIL: Remove all characters except letters, digits and !#$%&'*+-/=?^_`{|}~@.[].
FILTER_SANITIZE_ENCODED: URL-encode string, optionally strip or encode special characters.
FILTER_SANITIZE_MAGIC_QUOTES: Apply addslashes(). Deprecated in PHP 7.3 and removed in PHP 8.0; FILTER_SANITIZE_ADD_SLASHES replaces it.
FILTER_SANITIZE_NUMBER_FLOAT: Remove all characters except digits, +- and optionally .,eE.
FILTER_SANITIZE_NUMBER_INT: Remove all characters except digits, plus and minus sign.
FILTER_SANITIZE_SPECIAL_CHARS: HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.
FILTER_SANITIZE_STRING: Strip tags, optionally strip or encode special characters. Deprecated as of PHP 8.1.
FILTER_SANITIZE_STRIPPED: Alias of "FILTER_SANITIZE_STRING" filter (deprecated with it).
FILTER_SANITIZE_URL: Remove all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=.
FILTER_UNSAFE_RAW: Do nothing, optionally strip or encode special characters.

Examples:

<?php
$invalid_email = "(corrupted@-foo dot com)";

// Validate the raw value first; only if it fails do we fall back to sanitizing it.
if (filter_var($invalid_email, FILTER_VALIDATE_EMAIL) === false) {
    $sanitized_email = filter_var($invalid_email, FILTER_SANITIZE_EMAIL);
    echo "This ($invalid_email) email address is invalid.\n";
    echo "Sanitized Email is: $sanitized_email\n";
}
?>

//Output:
This ((corrupted@-foo dot com)) email address is invalid.
Sanitized Email is: corrupted@-foodotcom

Note that the sanitized string is still not a valid address: the filter only dropped the parentheses and spaces, since "-" is an allowed character and the filter cannot know that "dot" was meant to be ".". Sanitizing never makes a value valid; run the matching validate filter on the sanitized result before trusting it.
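The sanitize filters are lossy and each one is tied to a single output context (a number, an address, HTML text), so the value they return still has to be validated for the context it will be used in. The following added example (not from the original post) runs the sanitize-then-validate pattern over several filters and shows both outcomes: a value that becomes valid, and one that is silently changed in meaning or stays invalid. Function names and inputs are constructed.

```php
<?php
// Added example, not part of the original post: sanitize, then validate the
// sanitized value, and return null for anything that still fails. Function
// names and inputs are constructed.

function clean_int(string $raw): ?int
{
    $stripped = filter_var($raw, FILTER_SANITIZE_NUMBER_INT); // keeps digits, + and -
    $value = filter_var($stripped, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

function clean_email(string $raw): ?string
{
    $stripped = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $value = filter_var($stripped, FILTER_VALIDATE_EMAIL);
    return $value === false ? null : $value;
}

// For HTML element text or a quoted attribute, FILTER_SANITIZE_SPECIAL_CHARS
// encodes ' " < > & and control characters as numeric entities (the same job
// htmlspecialchars() does). The result is not safe inside a <script> block or
// a URL; those contexts need their own encoding.
function html_text(string $raw): string
{
    return filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS);
}

// Constructed inputs.
$ints   = ['12abc34', '1e3', '-5-', ' 42 '];
$emails = ['(corrupted@-foo dot com)', ' alice@example.com ', 'a@b'];
$html   = ['<b>bold</b> & "quoted"', "Tom's <script>"];

foreach ($ints as $raw) {
    // '1e3' becomes "13" after sanitizing: the value validates, but it is no
    // longer what the sender meant. '-5-' stays invalid after sanitizing.
    printf("int   %-28s sanitized=%-8s validated=%s\n", var_export($raw, true),
        var_export(filter_var($raw, FILTER_SANITIZE_NUMBER_INT), true),
        var_export(clean_int($raw), true));
}
foreach ($emails as $raw) {
    // Surrounding spaces are stripped and the address validates; the
    // "corrupted" address and 'a@b' (no dot in the domain) do not.
    printf("email %-28s sanitized=%-22s validated=%s\n", var_export($raw, true),
        var_export(filter_var($raw, FILTER_SANITIZE_EMAIL), true),
        var_export(clean_email($raw), true));
}
foreach ($html as $raw) {
    printf("html  %-28s => %s\n", var_export($raw, true), html_text($raw));
}
```

The integer case is the one to remember: FILTER_SANITIZE_NUMBER_INT turns "1e3" into "13", which then passes FILTER_VALIDATE_INT. When the input is expected to be a number, validating the raw value and rejecting it is usually safer than sanitizing it into a different number.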

Filtering GET & POST Variables:
The filter_input() function gets a specific external variable by name and optionally filters it.
Usage:

mixed filter_input ( int $type , string $variable_name [, int $filter = FILTER_DEFAULT [, mixed $options ]] )

Parameters:
type: One of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
variable_name: Name of a variable to get.
filter: The ID of the filter to apply. The Types of filters manual page lists the available filters.
options: Associative array of options or bitwise disjunction of flags. If filter accepts options, flags can be provided in “flags” field of array.

Return Values: Value of the requested variable on success, FALSE if the filter fails, or NULL if the variable_name variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns FALSE if the variable is not set and NULL if the filter fails.

Example:

<?php
// Both values come from the same GET parameter, each encoded for the context it
// is used in: entity-encoded for the HTML text, URL-encoded for the link.
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url  = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
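A form usually has several fields, and filter_input_array() (the array form of filter_input()) takes a definition array that names a filter, flags and options per field and returns the results in one call, using the same return conventions as above: NULL for a field that was not sent and FALSE for one that failed its filter. The following added example (not from the original post) builds such a definition and turns the result into a list of field errors. Because filter_input*() read the raw request data (not the $_GET/$_POST superglobals) and see nothing when run from the command line, the definition is run through filter_var_array() on a constructed array here; on a real request the same definition is passed to filter_input_array(INPUT_POST, $definition). Function names, field names and inputs are constructed.

```php
<?php
// Added example, not part of the original post: one definition array for a
// whole form. filter_var_array() is used on constructed input so the script
// runs from the CLI; on a real request use filter_input_array(INPUT_POST, $definition).

$definition = [
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 120],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
    'newsletter' => FILTER_VALIDATE_BOOLEAN,   // "yes"/"on"/"1"/"true" -> true, anything else -> false
    'tags' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'flags'   => FILTER_REQUIRE_ARRAY,     // each element is filtered separately
        'options' => ['regexp' => '/^[a-z0-9-]{1,20}$/'],
    ],
    'website' => FILTER_VALIDATE_URL,
];

// Turns the filter result into field => 'missing' | 'invalid'. A field that was
// not sent comes back as null; a field that failed its filter comes back as
// false (for FILTER_REQUIRE_ARRAY fields, as false in the element that failed).
function form_errors(array $result, array $definition): array
{
    $errors = [];
    foreach (array_keys($definition) as $field) {
        $value = $result[$field] ?? null;
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false || (is_array($value) && in_array(false, $value, true))) {
            $errors[$field] = 'invalid';
        }
    }
    return $errors;
}

// Constructed input standing in for $_POST. 'website' is deliberately absent.
$input = [
    'age'        => '17',                 // below min_range -> false
    'email'      => 'alice@example.com',  // valid
    'newsletter' => 'yes',                // -> true
    'tags'       => ['php', 'Filters!'],  // second element fails the regexp -> false
];

$result = filter_var_array($input, $definition);
var_dump($result);                          // typed values: int/bool/string, or false/null
print_r(form_errors($result, $definition)); // age => invalid, tags => invalid, website => missing
```

When form_errors() returns an empty array, $result already holds typed values (int for age, bool for newsletter) rather than raw strings, so the rest of the code never has to touch the unfiltered input. As L113 above notes for filter_input(), adding FILTER_NULL_ON_FAILURE to a field swaps the two failure values (NULL for a failed filter), so a field using that flag needs its own handling in form_errors().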

Written by Arvind Bhardwaj

Arvind is a Magento and WordPress expert with more than 6 years of industry wide experience.

Website: http://www.webspeaks.in/
