Another method of validating and sanitizing user-input data is the use of PHP filters. To do this, the PHP filter_var()
function is used. The general syntax for this function is:
filter_var(variable, filter, options)
String Sanitization
You may want to clean strings by removing HTML tags. This can be done as follows:
<?php
$str = "<h1>Welcome to the PHP Tutorials!</h1>";
// cleaning the string
// (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1 and emits a deprecation notice there)
$cleanstr = filter_var($str, FILTER_SANITIZE_STRING);
// display cleaned string without the HTML tags
echo $cleanstr;
Integer Validation
The following script validates if the variable is an integer.
<?php
$myint = 13;
if (! filter_var($myint, FILTER_VALIDATE_INT) === false) {
echo "$myint is a valid integer";
} else {
echo "$myint is not a valid integer";
}
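But the code above presents a problem when the value of the variable is zero (0): filter_var() returns the integer 0, the ! operator turns it into true, and the comparison with false then fails, so 0 is reported as not a valid integer. Thus, it is necessary to test first if the value is zero.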
<?php
$myint = 0;
if (filter_var($myint, FILTER_VALIDATE_INT) === 0 || ! filter_var($myint, FILTER_VALIDATE_INT) === false) {
echo "$myint is a valid integer";
} else {
echo "$myint is not a valid integer";
}
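An added example, not part of the original tutorial: comparing the result of filter_var() strictly removes the need for the zero special case, and the options argument from the general syntax can enforce a range at the same time. The helper name validate_int_in_range(), the 0..100 range and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not from the original tutorial).
// validate_int_in_range() is a hypothetical helper name.

/**
 * Returns the validated integer, or null when $raw is not an integer
 * between $min and $max (inclusive).
 */
function validate_int_in_range($raw, int $min, int $max): ?int
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        // Range check performed by the filter itself.
        'options' => ['min_range' => $min, 'max_range' => $max],
        // Return null instead of false when validation fails.
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// Constructed sample inputs, as they might arrive in $_GET or $_POST.
$samples = [0, "0", "13", "-5", "13abc", "1e3", "", "101"];

foreach ($samples as $raw) {
    $value = validate_int_in_range($raw, 0, 100);
    // Strict comparison with null: 0 is a valid result and must not be
    // treated as a failure just because it is falsy.
    if ($value !== null) {
        echo var_export($raw, true) . " is a valid integer in 0..100: $value\n";
    } else {
        echo var_export($raw, true) . " is rejected\n";
    }
}
```

Use the returned integer, not the original request value, in the code that follows the check.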
Validating an IP Address
To validate if the value of a variable is a valid IP address, use the following code.
<?php
$ip_address = "192.168.0.1";
if (! filter_var($ip_address, FILTER_VALIDATE_IP) === false) {
echo "$ip_address is a valid IP address";
} else {
echo "$ip_address is not a valid IP address";
}
To further validate if the IP address is an IPv4 or IPv6 address, you can extend the code as follows:
<?php
$ip_address = "192.168.0.1";
// Validate sample IP address
if(filter_var($ip_address, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
echo "The $ip_address is an IPv4 address";
} else {
echo "The $ip_address is not an IPv4 address";
}
Sanitizing and Validating Email Addresses
To sanitize and validate an email address, use the following example.
<?php
$email = "name@website.com";
// Removing illegal characters
$email = filter_var($email, FILTER_SANITIZE_EMAIL);
// email validation
if (! filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
echo "$email is a valid email address";
} else {
echo "$email is not a valid email address";
}
Sanitizing and Validating URLs
To clean and validate URL inputs, use the following example.
<?php
$myURL = "https://www.jobtensor.com";
// Removing illegal characters
$myURL = filter_var($myURL, FILTER_SANITIZE_URL);
// Validating url
if (! filter_var($myURL, FILTER_VALIDATE_URL) === false) {
echo "$myURL is a valid URL";
} else {
echo "$myURL is not a valid URL";
}
The filter_list() function
To list all the filters supported by the PHP filter extension, use the filter_list() function.
<?php
foreach (filter_list() as $id => $filter) {
echo $filter . " -- " . filter_id($filter);
echo "<br>";
}
Exercise
Remove the HTML tags and validate if it is a valid URL:
$str = "<h1>https://jobtensor.com</h1>"
<?php
$str = "<h1>https://jobtensor.com</h1>";
<?php
$str = "<h1>https://jobtensor.com</h1>";
$str = filter_var($str, FILTER_SANITIZE_STRING);
// Removing illegal characters
$str = filter_var($str, FILTER_SANITIZE_URL);
// Validating url
if (! filter_var($str, FILTER_VALIDATE_URL) === false) {
echo "$str is a valid URL";
} else {
echo "$str is not a valid URL";
}