Any significant PHP application and even the simplest of websites accept input. When we speak of input, we're talking about input that is generated by users or external systems, which is then processed by our website or application.
An example of input can be a contact form that is filled out by visitors to your website. The input from the contact form is validated and processed. Another example can be a PHP web application which we develop to display a weather forecast to our users. The input we receive would be in the form of JSON input that is retrieved from a weather API service.
In both examples, and in general, all input should be filtered as a matter of security: we do not generate the input ourselves, so it arrives from untrusted sources.
What does filtering actually do?
When we filter input, we are refining or narrowing down the input we receive into a range we accept. It's easier to understand with a few examples:
We receive an input which should contain numbers only, but the actual input is 19A8B. Our integer filter takes 19A8B as its parameter and returns 198 only, i.e. the letters A and B are filtered out of the input.
We receive an input which should contain text only, i.e. no tags, but the actual input is Hello<There, which contains the start tag <. Our string filter takes Hello<There as its parameter and returns the string Hello, i.e. everything from the start tag < to the end of the string is filtered out of the input.
Our next example is to filter form input; let's assume we receive our form input in an array. We might find it convenient to filter an entire array instead of filtering each variable, of which there could be many. We're going to work with a simple form which captures an age and a name. We expect the age to be an integer and the name to be a string.
We use FILTER_SANITIZE_NUMBER_INT to filter the age and FILTER_SANITIZE_STRING to filter the name. The PHP functions we use to filter arrays of data are filter_input_array and filter_var_array. The functions filter out the data as we expect: the input age=1x3 becomes age=13 and the input name=first<last becomes name=first. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on current PHP versions the usual approach is to keep the raw string and escape it when it is output, for example with htmlspecialchars.
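The two single-value examples and the form-array example above, worked through as an added example that is not code from the original article. The form array is constructed inline to stand in for $_POST so the script runs offline; the min_range and max_range bounds on the age, the JSON weather payload and its field names are assumptions chosen for illustration. It also goes one step beyond the text by contrasting sanitizing (which silently rewrites 1x3 to 13) with validating (which rejects 1x3 outright), since for values that drive a decision rejecting malformed input is usually the safer choice.

```php
<?php
// Added example (not from the original article): sanitizing single values and a whole
// form array with PHP's filter extension, then contrasting sanitizing with validating.
declare(strict_types=1);

// Single values, as in the article's two examples.
$age  = filter_var('19A8B', FILTER_SANITIZE_NUMBER_INT);   // "198": letters removed
$name = filter_var('Hello<There', FILTER_SANITIZE_STRING); // "Hello": '<' to end stripped

// FILTER_SANITIZE_STRING is deprecated since PHP 8.1. The usual replacement is to keep
// the raw string and escape it at output time, which preserves the data but neutralises it.
$nameEscaped = htmlspecialchars('Hello<There', ENT_QUOTES | ENT_HTML5, 'UTF-8'); // "Hello&lt;There"

// Constructed form submission standing in for $_POST (so the script runs offline).
$form = ['age' => '1x3', 'name' => 'first<last'];

// One filter per expected field; fields not listed here are dropped from the result.
$definition = [
    'age'  => FILTER_SANITIZE_NUMBER_INT,
    'name' => FILTER_SANITIZE_STRING,
];

// filter_var_array() filters an array you supply; filter_input_array(INPUT_POST, $definition)
// applies the same definition directly to the request superglobal.
$sanitized = filter_var_array($form, $definition);
// $sanitized === ['age' => '13', 'name' => 'first']

// Sanitizing silently rewrites bad input ("1x3" becomes "13"). When the value must be a
// genuine integer, validating rejects it instead of guessing. The range bounds below are
// assumed for illustration.
$validated = filter_var_array($form, [
    'age'  => ['filter' => FILTER_VALIDATE_INT,
               'options' => ['min_range' => 0, 'max_range' => 150]],
    'name' => ['filter' => FILTER_DEFAULT], // keep the raw string; escape it on output
]);
// $validated['age'] === false: "1x3" is not an integer, so the request should be rejected.

// The same approach works for JSON from an external API (the article's weather example).
// The payload and field names are constructed for this example.
$json = '{"city":"Example<script>","temperature":"21.5x","humidity":"58"}';
$decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
$weather = filter_var_array($decoded, [
    'city'        => FILTER_DEFAULT,        // raw; escaped when rendered
    'temperature' => FILTER_VALIDATE_FLOAT, // "21.5x" -> false, not 21.5
    'humidity'    => ['filter' => FILTER_VALIDATE_INT,
                      'options' => ['min_range' => 0, 'max_range' => 100]],
]);
// $weather['temperature'] === false, $weather['humidity'] === 58

var_dump($age, $name, $nameEscaped, $sanitized, $validated, $weather);
```

Run it with php from the command line; the var_dump output shows the sanitized array holding the rewritten values from the text, while the validated arrays hold false for the malformed age and temperature, which is the signal to refuse the request rather than process a guessed value.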
Key Takeaways
- Filtering input is a security measure when processing data from untrusted sources.
- PHP has various filtering options to filter input: FILTER_SANITIZE_NUMBER_INT, FILTER_SANITIZE_STRING, etc.
- We can filter form input using the filter_input_array and filter_var_array functions.
Further Reading
This article briefly discussed PHP filtering; PHP has many more functions related to input filtering and validation.