Sjoerd Maessen blog

Input validation with filter functions

Written by

in

Introduction
Although PHP has a lot of filter functions available, I found that still to many people are using (often incorrect) regular expressions to validate user input. The filter extension is simple, standard available and will fulfill the common validations. Below some pratical examples and things to consider when working with PHP filter functions.

Which are available?
Below a shameless copy paste of the PHP documentation.

  • filter_has_var — Checks if variable of specified type exists
  • filter_id — Returns the filter ID belonging to a named filter
  • filter_input_array — Gets external variables and optionally filters them
  • filter_input — Gets a specific external variable by name and optionally filters it
  • filter_list — Returns a list of all supported filters
  • filter_var_array — Gets multiple variables and optionally filters them
  • filter_var — Filters a variable with a specified filter

Pratical use

Sanitizing
“Filter input escape output” every developer knows this but it is a repetitive job but with the filter extension filterering input became a lot easier. When you correctly filter input you drastically lower the change of application vulnerabilities.

Sanitizing a single variable

$sText = ' ';
$sText = filter_var($sText, FILTER_SANITIZE_STRING);
echo $sText; // This is a comment from a alert("scriptkiddie");

Sanitizing multiple variables, same principle as above but with an array, the filter will sanitize all values inside the array

filter_var_array($_POST, FILTER_SANITIZE_STRING);

Validating an email address

if(filter_var($sEmail, FILTER_VALIDATE_EMAIL) === false) {
     $this->addError('Invalid email address', $sEmail);
}

Validation a complete array
Validating all your data at once with a single filter will make your code clear, all in one place and is more easy to maintain an example below.

$aData = array(
	'student'	=> 'Sjoerd Maessen',
	'class'		=> '21',
	'grades' => array(
			'math' => 9,
			'geography' => 66,
			'gymnastics' => 7.5
	)
);

$aValidation = array(
	'student'	=> FILTER_SANITIZE_STRING,
	'class'		=> FILTER_VALIDATE_INT,
	'grades'	=> array(
				'filter' => FILTER_VALIDATE_INT,
				'flags'	 => FILTER_FORCE_ARRAY,
				'options'=> array('min_range'=>0, 'max_range'=>10))
);

echo '
';
var_dump(filter_var_array($aData, $aValidation));

/*array(3) {
  ["student"]=>
  string(14) "Sjoerd Maessen"
  ["class"]=>
  int(21) // Thats strange, my string is converted
  ["grades"]=>
  array(3) {
    ["math"]=>
    int(9)
    ["geography"]=>
    bool(false) // 66 is > 10
    ["gymnastics"]=>
    bool(false) // 7.5 is not an int
  }
}*/



Note: okay I did not expect that the string '21' would validate true against FILTER_VALIDATE_INT, after some more testing I also noticed that min_range and max_range only work with FILTER_VALIDATE_INT, when using floats or scalars the options are just ignored, so be aware!


The sanitizing examples above can be made easily more restrictive by adding flags like FILTER_FLAG_STRIP_LOW to the sanitize filter, FILTER_FLAG_STRIP_LOW will for example strip all characters that have a numerical value below 32.


Things to consider

Although the filter functions are some time available some of them aren't flawless, at some points the documentation is missing or very unclear. Another example is the filter_var validation for IPv6 addresses. (see bug report #50117). So it is always a good thing to check if the filter is really doing what you expect it does. Write testcases before using. If you use it correctly you can write your validations in the blink of an eye, and this extension will be your new best friend.


Links

Filter functions

Filter flags

Comments

10,898 responses to “Input validation with filter functions”

  1. rentry.co Avatar
    rentry.co

    References:

    St louis casino

    References:
    https://squareblogs.net/taiwangrape30/beste-echtgeld-casinos-online

  2. LamarAwaiz Avatar
    LamarAwaiz

    п»їcialis generic Generic Cialis without a doctor prescription Cialis 20mg price in USA

  3. LamarAwaiz Avatar
    LamarAwaiz

    safe online pharmacies in canada legit pharmacy websites 24 hr pharmacy near me

  4. JustinBrero Avatar
    JustinBrero

    legitimate canadian mail order pharmacy: specialty pharmacy – online pharmacy 365 pills

  5. LamarAwaiz Avatar
    LamarAwaiz

    CoreBlue Health over the counter sildenafil Viagra online price

  6. JamesMek Avatar
    JamesMek

    https://corebluehealth.shop/# buy viagra here

  7. JustinBrero Avatar
    JustinBrero

    polish pharmacy online uk: CivicMeds – reputable canadian online pharmacy

  8. JustinBrero Avatar
    JustinBrero

    best canadian online pharmacy: reputable canadian online pharmacies – canadian pharmacy price checker

  9. LamarAwaiz Avatar
    LamarAwaiz

    viagra without prescription generic sildenafil buy Viagra over the counter

  10. DavidHoict Avatar
    DavidHoict

    https://corebluehealth.shop/# sildenafil 50 mg price

  11. DavidHoict Avatar
    DavidHoict

    https://veritascarepharm.shop/# VeritasCare

  12. LamarAwaiz Avatar
    LamarAwaiz

    VeritasCare VeritasCare VeritasCare

  13. DavidHoict Avatar
    DavidHoict

    https://civicmeds.shop/# canadianpharmacyworld

  14. JustinBrero Avatar
    JustinBrero

    VeritasCare: Cialis over the counter – Tadalafil Tablet

  15. LamarAwaiz Avatar
    LamarAwaiz

    CoreBlue Health buy viagra here Viagra Tablet price

  16. MichaelDreni Avatar
    MichaelDreni

    https://pinupazz.top/ pin up az

  17. EddieOrdix Avatar
    EddieOrdix

    https://pinupazz.top/ pin up casino

  18. MichaelDreni Avatar
    MichaelDreni

    https://pinupazz.top/ pin-up oyunu

  19. OdellCUm Avatar
    OdellCUm

    pin up az online pin-up online casino

  20. EddieOrdix Avatar
    EddieOrdix

    pin up pin up az

  21. DanielTum Avatar
    DanielTum

    https://pin-up-kz.space/ пин ап кз

  22. EddieOrdix Avatar
    EddieOrdix

    https://pinupazz.top/ pin up casino

  23. OdellCUm Avatar
    OdellCUm

    pin up az online pin up casino

  24. DanielTum Avatar
    DanielTum

    пин ап пин ап казино

  25. GeorgeBug Avatar
    GeorgeBug

    https://pinupaz.online/ pin up

  26. EddieOrdix Avatar
    EddieOrdix

    https://pinupazz.top/ pin-up oyunu

  27. GeorgeBug Avatar
    GeorgeBug

    pin up az online pin up

  28. GeorgeBug Avatar
    GeorgeBug

    pin up pin-up online casino

  29. DanielTum Avatar
    DanielTum

    пин ап пин ап казино

  30. OdellCUm Avatar
    OdellCUm

    https://pinupaz.online/ pin up casino

  31. DanielTum Avatar
    DanielTum

    пин ап пин ап казино

  32. EddieOrdix Avatar
    EddieOrdix

    pin up pin up az

  33. EddieOrdix Avatar
    EddieOrdix

    pin up pin up az

  34. DanielTum Avatar
    DanielTum

    пин ап пин ап кз

  35. DanielTum Avatar
    DanielTum

    пин ап пин ап кз

  36. EddieOrdix Avatar
    EddieOrdix

    pin up pin up az

  37. GeorgeBug Avatar
    GeorgeBug

    pin-up pin up

  38. GeorgeBug Avatar
    GeorgeBug

    https://pinupaz.online/ pin-up online casino

  39. OdellCUm Avatar
    OdellCUm

    https://pinupaz.online/ pin-up online casino

  40. GeorgeBug Avatar
    GeorgeBug

    https://pinupaz.online/ pin up

  41. EddieOrdix Avatar
    EddieOrdix

    pin up pin up

  42. DanielTum Avatar
    DanielTum

    пин ап пин ап казино kz

  43. EddieOrdix Avatar
    EddieOrdix

    pin up pin up az

  44. DanielTum Avatar
    DanielTum

    https://pin-up-kz.space/ пин ап кз

  45. OdellCUm Avatar
    OdellCUm

    https://pinupaz.online/ pin-up oyunu

  46. DanielTum Avatar
    DanielTum

    пин ап пин ап кз

  47. EddieOrdix Avatar
    EddieOrdix

    https://pinupazz.top/ pin-up oyunu

  48. EddieOrdix Avatar
    EddieOrdix

    https://pinupazz.top/ pin up az

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts