How To Filter Variable in PHP - filter_var() Function

The filter_var() function filters a variable with the specified filter. There are two types of filters:

  1. Validate filters
  2. Sanitize filters
images/articles/php/filter-variable-in-php-filter-var.jpg

Syntax

filter_var(var, filtername, options)
  • var: Required. The variable to filter
  • filtername: Optional. Specifies the ID or name of the filter to use. Default is FILTER_DEFAULT, which results in no filtering
  • options: Optional. Specifies one or more flags to use. Check each filter for possible options and flags

1. Validate Filters

FILTER_VALIDATE_BOOLEAN

It returns TRUE for "1", "true", "on" and "yes". Returns FALSE otherwise.

FILTER_VALIDATE_EMAIL

It validates whether the value is a valid e-mail address.

FILTER_VALIDATE_FLOAT

It validates value as float, and converts to float on success.

FILTER_VALIDATE_INT

It validates value as integer, optionally from the specified range, and converts to int on success.

FILTER_VALIDATE_IP

It validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.

FILTER_VALIDATE_MAC

It validates value as MAC address.

FILTER_VALIDATE_REGEXP

It validates value against regexp, a Perl-compatible regular expression.

FILTER_VALIDATE_URL

It validates value as URL, optionally with required components.

2. Sanitize Filters

FILTER_SANITIZE_EMAIL

It remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

FILTER_SANITIZE_ENCODED

URL-encode string, optionally strip or encode special characters.

FILTER_SANITIZE_MAGIC_QUOTES

Apply addslashes()

FILTER_SANITIZE_NUMBER_FLOAT

It remove all characters except digits, +- and optionally .,eE.

FILTER_SANITIZE_NUMBER_INT

It remove all characters except digits, plus and minus sign.

FILTER_SANITIZE_SPECIAL_CHARS

HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.

FILTER_SANITIZE_FULL_SPECIAL_CHARS

Equivalent to calling htmlspecialchars() with ENT_QUOTES set.

FILTER_SANITIZE_STRING

It strip tags, optionally strip or encode special characters.

FILTER_SANITIZE_URL

It removes all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=. 

3. Filter Flags

FILTER_FLAG_STRIP_LOW

It strips characters that have a numerical value <32. 

FILTER_FLAG_STRIP_HIGH

It strips characters that have a numerical value >127. In almost every encoding, these represent non-ASCII characters.

FILTER_FLAG_STRIP_BACKTICK

It strips backtick characters.

FILTER_FLAG_ALLOW_FRACTION

Allows a period (.) as a fractional separator in numbers.

FILTER_FLAG_ALLOW_THOUSAND

Allows a comma (,) as a thousands separator in numbers.

FILTER_FLAG_ALLOW_SCIENTIFIC

Allows an e or E for scientific notation in numbers.

FILTER_FLAG_NO_ENCODE_QUOTES

If this flag is present, single (') and double (") quotes will not be encoded.

FILTER_FLAG_ENCODE_LOW

it encodes all characters with a numerical value <32. 

FILTER_FLAG_ENCODE_HIGH

It encodes all characters with a numerical value >127. 

FILTER_FLAG_ENCODE_AMP

It encodes ampersands (&).

FILTER_NULL_ON_FAILURE

it returns NULL for unrecognized boolean values. 

FILTER_FLAG_ALLOW_OCTAL

Regards inputs starting with a zero (0) as octal numbers. This only allows the succeeding digits to be 0-7.

FILTER_FLAG_ALLOW_HEX

Regards inputs starting with 0x or 0X as hexadecimal numbers. This only allows succeeding characters to be a-fA-F0-9.

FILTER_FLAG_EMAIL_UNICODE

It allows the local part of the email address to contain Unicode characters.

FILTER_FLAG_IPV4

It allows the IP address to be in IPv4 format. 

FILTER_FLAG_IPV6

It allows the IP address to be in IPv6 format.