In this tutorial we're going to look at the PHP filter_input function. What does it mean to filter input and how do we use the filter_input function? We'll look into filter_input when considering SQL injection and go through various filtering examples: filter form input; filter input string and filter input integer. At the end of this tutorial you will have a good understanding of filter_input in PHP.
Any significant PHP application and even the simplest of websites accept input. When we speak of input, we're talking about input that is generated by users or external systems, which is then processed by our website or application.
An example of input can be a contact form that is filled out by visitors to your website. The input from the contact form is validated and processed. Another example can be a PHP web application which we develop to display a weather forecast to our users. The input we receive would be in the form of JSON input that is retrieved from a weather API service.
In both examples and in general, all input should be filtered as a matter of security as we do not generate the input ourselves.
The input we receive is from untrusted sources.
When we filter input, we are refining or narrowing down the input we receive into a range we accept. It's easier to understand with a few examples:
We receive an input which should contain numbers only, but the actual input is 19A8B. Our filter integer function takes 19A8B as parameter and returns the numbers 198 only, i.e the letters A and B are filtered out of the input.
We receive an input which should contain text only i.e no tags, but the actual input is Hello<There which contains the start tag <. Our filter string function takes Hello<There as parameter and returns the string Hello, i.e the text beginning from the start tag < to the end of the string is filtered out of the input.
array. We might find it convenient to filter an entire array instead of filtering each variable, which could be many. We're going to work with a simple form which captures an age and a name. We expect the age to be an integer and the name to be a string.
We use FILTER_SANITIZE_NUMBER_INT to filter the age and FILTER_SANITIZE_STRING to filter the name. The PHP functions we use to filter arrays of data is filter_input_array and filter_var_array. The functions filter out the data as we expect, the input age=1x3 becomes age=13 and the input name=first<last becomes name=first.
This article briefly discussed PHP filtering, PHP has many more functions related to input filtering and validation.