What is input filtering and why does it matter?

Any significant PHP application, and even the simplest of websites, accepts input. When we speak of input, we mean data generated by users or external systems, which our website or application then processes.

An example of input is a contact form filled out by visitors to your website: the form data is validated and processed. Another example is a PHP web application we develop to display a weather forecast to our users; the input here is the JSON response retrieved from a weather API service.

In both examples, and in general, all input should be filtered as a security measure, because we did not generate it ourselves: it comes from untrusted sources. Note that filtering narrows the input to the values we expect before we use it; it does not replace context-specific protections such as prepared statements for database queries or output encoding when a value is echoed into HTML.

What does filtering actually do?

When we filter input, we refine or narrow down the input we receive to the range of values we accept. A sanitizing filter does this by removing the characters it does not allow, so the result is always "acceptable" but may differ from what was sent. It is easier to understand with a few examples:

Example filter input integer

We receive an input which should contain numbers only, but the actual input is 19A8B. Our filter integer function takes 19A8B as a parameter and returns the number 198 only, i.e. the letters A and B are filtered out of the input. Be aware that the result is not the number the sender typed; if 19A8B should be treated as an error rather than silently repaired, a validating filter that rejects it is the better choice.

Example filter input string

We receive an input which should contain text only, i.e. no tags, but the actual input is Hello<There, which contains the start tag character <. Our filter string function takes Hello<There as a parameter and returns the string Hello, i.e. everything from the start tag < to the end of the string is filtered out of the input.
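The two filters described above, as an added example that is not part of the original article: each sanitizing filter is shown next to the validating filter that rejects the same input instead of trimming it. The function names, the age range 0 to 150 and the name pattern (letters, spaces, apostrophes and hyphens) are assumptions made for the example; the inputs are constructed. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so strip_tags(), which is what that filter applied, stands in for it.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.
// Sanitizing filters silently drop what they do not accept; validating
// filters return false (mapped to null here) so the caller can reject.

function sanitizeInt(string $raw): string
{
    // Keeps digits, '+' and '-'; every other character is removed.
    return (string) filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

function validateInt(string $raw, int $min, int $max): ?int
{
    // Accepts only a well-formed integer inside [$min, $max].
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

function sanitizeText(string $raw): string
{
    // strip_tags() removes tags, including everything after an unclosed '<'.
    // This is the behaviour the (now deprecated) FILTER_SANITIZE_STRING had.
    return strip_tags($raw);
}

function validateText(string $raw, int $maxLen = 100): ?string
{
    // Assumed policy for the example: letters, spaces, apostrophes, hyphens.
    // Anything else, including '<', makes the whole value invalid.
    $pattern = sprintf('/^[\p{L} \'\-]{1,%d}$/u', $maxLen);
    $value = filter_var($raw, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => $pattern],
    ]);
    return $value === false ? null : $value;
}

// Constructed inputs from the article's examples.
var_dump(sanitizeInt('19A8B'));
var_dump(validateInt('19A8B', 0, 150));
var_dump(validateInt('42', 0, 150));
var_dump(sanitizeText('Hello<There'));
var_dump(validateText('Hello<There'));
var_dump(validateText("O'Brien"));
```

Running this shows the difference in behaviour the text describes: the sanitizing functions return the trimmed values 198 and Hello, while the validating functions return null for both malformed inputs and only pass values that already match the expected shape.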

Example filter form input

Our next example is to filter form input. Let's assume we receive our form input in an array. We might find it convenient to filter the entire array instead of filtering each variable, of which there could be many. We're going to work with a simple form which captures an age and a name. We expect the age to be an integer and the name to be a string.

We use FILTER_SANITIZE_NUMBER_INT to filter the age and FILTER_SANITIZE_STRING to filter the name. The PHP functions we use to filter arrays of data are filter_input_array, which reads the raw request data (for example INPUT_POST), and filter_var_array, which takes an ordinary PHP array. The functions filter the data as we expect: the input age=1x3 becomes age=13 and the input name=first<last becomes name=first. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; on current versions use strip_tags() via FILTER_CALLBACK, or better, a validating filter such as FILTER_VALIDATE_INT or FILTER_VALIDATE_REGEXP that rejects 1x3 and first<last outright.
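The form example above, as an added example that is not part of the original article: a whole array is filtered with filter_var_array() using two definitions, one that sanitizes as the text describes and one that validates and rejects. The $form array stands in for $_POST and is constructed for the example; the field rules (age 0 to 150, name limited to letters, spaces, apostrophes and hyphens) and the helper names are assumptions. FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the name field uses strip_tags() through FILTER_CALLBACK instead.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original article.
// $form plays the role of $_POST; the values are constructed.
$form = ['age' => '1x3', 'name' => 'first<last', 'extra' => 'ignored'];

// 1. Sanitize, as in the article: unwanted characters are dropped and the
//    remainder is accepted. strip_tags() replaces the deprecated
//    FILTER_SANITIZE_STRING.
$sanitizeSpec = [
    'age'  => FILTER_SANITIZE_NUMBER_INT,
    'name' => ['filter' => FILTER_CALLBACK, 'options' => 'strip_tags'],
];

// 2. Validate: a value that does not match its rule comes back as false
//    and the request can be rejected instead of silently repaired.
//    The ranges and pattern are assumed policies for this example.
$validateSpec = [
    'age'  => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'name' => [
        'filter'  => FILTER_VALIDATE_REGEXP,
        'options' => ['regexp' => '/^[\p{L} \'\-]{1,100}$/u'],
    ],
];

function filterForm(array $input, array $spec): array
{
    // add_empty = true keeps every key from $spec in the result, so a
    // missing field is null and a failed filter is false. Keys that are
    // not in $spec (here 'extra') are dropped, which is a useful side
    // effect: unexpected fields never reach the application.
    return filter_var_array($input, $spec, true);
}

function isValidForm(array $filtered): bool
{
    // Reject the whole submission if any field is missing or invalid.
    foreach ($filtered as $value) {
        if ($value === null || $value === false) {
            return false;
        }
    }
    return true;
}

$sanitized = filterForm($form, $sanitizeSpec);
$validated = filterForm($form, $validateSpec);

var_dump($sanitized);
var_dump($validated);
var_dump(isValidForm($validated));

// With a real request, pass the same specification to
// filter_input_array(INPUT_POST, $validateSpec) instead of building $form.
```

With the sanitizing specification the result is age=13 and name=first, exactly as the text describes; with the validating specification both fields come back false and isValidForm() returns false, which is usually the behaviour you want for a form that claims to collect an age.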

Key Takeaways

  • Filtering input is a security measure when processing data from untrusted sources; it narrows input to what we expect but does not replace prepared statements or output encoding.
  • PHP has various filtering options to filter input: FILTER_SANITIZE_NUMBER_INT, FILTER_SANITIZE_STRING (deprecated since PHP 8.1), and validating filters such as FILTER_VALIDATE_INT that reject bad input rather than trimming it.
  • We can filter form input as a whole using the filter_input_array and filter_var_array functions.

Further Reading

This article briefly discussed PHP filtering; PHP has many more functions and filter flags related to input filtering and validation, documented in the PHP manual's Filter extension section.