filter_input
Description
filter_input(), part of PHP's Filter extension, gets a specific external variable by name and optionally filters it.
Syntax
filter_input( int $type, string $var_name, int $filter = FILTER_DEFAULT, array|int $options = 0 ): mixed
Parameters
type
One of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
var_name
Name of a variable to get.
filter
The ID of the filter to apply.
If omitted, FILTER_DEFAULT will be used, which is equivalent to FILTER_UNSAFE_RAW. This will result in no filtering taking place by default.
ID | Name | Options | Flags | Description |
---|---|---|---|---|
FILTER_VALIDATE_BOOLEAN | "boolean" | default | FILTER_NULL_ON_FAILURE | Returns TRUE for "1", "true", "on" and "yes". Returns FALSE otherwise. If FILTER_NULL_ON_FAILURE is set, FALSE is returned only for "0", "false", "off", "no", and "", and NULL is returned for all non-boolean values. |
FILTER_VALIDATE_DOMAIN | "validate_domain" | default | FILTER_FLAG_HOSTNAME | Validates whether the domain name label lengths are valid. Validates domain names against RFC 1034, RFC 1035, RFC 952, RFC 1123, RFC 2732, RFC 2181, and RFC 1123. Optional flag FILTER_FLAG_HOSTNAME adds ability to specifically validate hostnames (they must start with an alphanumeric character and contain only alphanumerics or hyphens). |
FILTER_VALIDATE_EMAIL | "validate_email" | default | FILTER_FLAG_EMAIL_UNICODE | Validates whether the value is a valid e-mail address. In general, this validates e-mail addresses against the syntax in RFC 822, with the exceptions that comments and whitespace folding and dotless domain names are not supported. |
FILTER_VALIDATE_FLOAT | "float" | default, decimal, min_range, max_range | FILTER_FLAG_ALLOW_THOUSAND | Validates value as float, optionally from the specified range, and converts to float on success. |
FILTER_VALIDATE_INT | "int" | default, min_range, max_range | FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX | Validates value as integer, optionally from the specified range, and converts to int on success. |
FILTER_VALIDATE_IP | "validate_ip" | default | FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE | Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges. |
FILTER_VALIDATE_MAC | "validate_mac_address" | default | | Validates value as MAC address. |
FILTER_VALIDATE_REGEXP | "validate_regexp" | default, regexp | | Validates value against regexp, a Perl-compatible regular expression. |
FILTER_VALIDATE_URL | "validate_url" | default | FILTER_FLAG_SCHEME_REQUIRED, FILTER_FLAG_HOST_REQUIRED, FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED | Validates value as URL (according to http://www.faqs.org/rfcs/rfc2396), optionally with required components. Beware a valid URL may not specify the HTTP protocol http:// so further validation may be required to determine the URL uses an expected protocol, e.g. ssh:// or mailto:. Note that the function will only find ASCII URLs to be valid; internationalized domain names (containing non-ASCII characters) will fail. |
ID | Name | Flags | Description |
---|---|---|---|
FILTER_SANITIZE_EMAIL | "email" | | Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[]. |
FILTER_SANITIZE_ENCODED | "encoded" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encode string, optionally strip or encode special characters. |
FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | Apply addslashes(). |
FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Remove all characters except digits, +- and optionally .,eE. |
FILTER_SANITIZE_NUMBER_INT | "number_int" | | Remove all characters except digits, plus and minus sign. |
FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_HIGH | HTML-escape '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters. |
FILTER_SANITIZE_FULL_SPECIAL_CHARS | "full_special_chars" | FILTER_FLAG_NO_ENCODE_QUOTES | Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0. |
FILTER_SANITIZE_STRING | "string" | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strip tags, optionally strip or encode special characters. |
FILTER_SANITIZE_STRIPPED | "stripped" | | Alias of "string" filter. |
FILTER_SANITIZE_URL | "url" | | Remove all characters except letters, digits and $-_.+!*'(),{}|\^~[]`<>#%";/?:@&=. |
FILTER_UNSAFE_RAW | "unsafe_raw" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Do nothing, optionally strip or encode special characters. This filter is also aliased to FILTER_DEFAULT. |
ID | Name | Options | Flags | Description |
---|---|---|---|---|
FILTER_CALLBACK | "callback" | callable function or method | All flags are ignored | Call user-defined function to filter data. |
ID | Used with | Description |
---|---|---|
FILTER_FLAG_STRIP_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters that have a numerical value <32. |
FILTER_FLAG_STRIP_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters that have a numerical value >127. |
FILTER_FLAG_STRIP_BACKTICK | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips backtick characters. |
FILTER_FLAG_ALLOW_FRACTION | FILTER_SANITIZE_NUMBER_FLOAT | Allows a period (.) as a fractional separator in numbers. |
FILTER_FLAG_ALLOW_THOUSAND | FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT | Allows a comma (,) as a thousands separator in numbers. |
FILTER_FLAG_ALLOW_SCIENTIFIC | FILTER_SANITIZE_NUMBER_FLOAT | Allows an e or E for scientific notation in numbers. |
FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_SANITIZE_STRING | If this flag is present, single (') and double (") quotes will not be encoded. |
FILTER_FLAG_ENCODE_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes all characters with a numerical value <32. |
FILTER_FLAG_ENCODE_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes all characters with a numerical value >127. |
FILTER_FLAG_ENCODE_AMP | FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes ampersands (&). |
FILTER_NULL_ON_FAILURE | FILTER_VALIDATE_BOOLEAN | Returns NULL for unrecognized boolean values. |
FILTER_FLAG_ALLOW_OCTAL | FILTER_VALIDATE_INT | Regards inputs starting with a zero (0) as octal numbers. This only allows the succeeding digits to be 0-7. |
FILTER_FLAG_ALLOW_HEX | FILTER_VALIDATE_INT | Regards inputs starting with 0x or 0X as hexadecimal numbers. This only allows succeeding characters to be a-fA-F0-9. |
FILTER_FLAG_EMAIL_UNICODE | FILTER_VALIDATE_EMAIL | Allows the local part of the email address to contain Unicode characters. |
FILTER_FLAG_IPV4 | FILTER_VALIDATE_IP | Allows the IP address to be in IPv4 format. |
FILTER_FLAG_IPV6 | FILTER_VALIDATE_IP | Allows the IP address to be in IPv6 format. |
FILTER_FLAG_NO_PRIV_RANGE | FILTER_VALIDATE_IP | Fails validation for the following private IPv4 ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Fails validation for the IPv6 addresses starting with FD or FC. |
FILTER_FLAG_NO_RES_RANGE | FILTER_VALIDATE_IP | Fails validation for the following reserved IPv4 ranges: 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8 and 240.0.0.0/4. Fails validation for the following reserved IPv6 ranges: ::1/128, ::/128, ::ffff:0:0/96 and fe80::/10. |
FILTER_FLAG_SCHEME_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a scheme part. |
FILTER_FLAG_HOST_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a host part. |
FILTER_FLAG_PATH_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a path part. |
FILTER_FLAG_QUERY_REQUIRED | FILTER_VALIDATE_URL | Requires the URL to contain a query string. |
FILTER_REQUIRE_SCALAR | | Requires the value to be scalar. |
FILTER_REQUIRE_ARRAY | | Requires the value to be an array. |
FILTER_FORCE_ARRAY | | If the value is a scalar, it is treated as array with the scalar value as only element. |
options
Associative array of options or bitwise disjunction of flags. If the filter accepts options, flags can be provided in the "flags" field of the array.
Return
Returns the value of the requested variable on success, false if the filter fails, or null if the var_name variable is not set. If the flag FILTER_NULL_ON_FAILURE is used, it returns false if the variable is not set and null if the filter fails.
Examples
1 · type · INPUT_GET
<?php
// Request URL: https://mydomain.com?myvariable
$type = INPUT_GET;        // read from the query string
$var_name = "myvariable";
$return = filter_input($type, $var_name);   // no filter given, so FILTER_DEFAULT applies
var_export($return);
?>
NULL
2 · type · INPUT_POST
<?php
$type = INPUT_POST;       // read from the POST body
$var_name = "myvariable";
$return = filter_input($type, $var_name);
var_export($return);
?>
NULL
3 · type · INPUT_COOKIE
<?php
$type = INPUT_COOKIE;     // read from the request cookies
$var_name = "myvariable";
$return = filter_input($type, $var_name);
var_export($return);
?>
NULL
4 · type · INPUT_SERVER
<?php
$type = INPUT_SERVER;     // read from the server variables
$var_name = "myvariable";
$return = filter_input($type, $var_name);
var_export($return);
?>
NULL
5 · type · INPUT_ENV
<?php
$type = INPUT_ENV;        // read from the environment variables
$var_name = "myvariable";
$return = filter_input($type, $var_name);
var_export($return);
?>
NULL
6 · filter
<?php
$type = INPUT_GET;
$var_name = "myvariable";
$filter = FILTER_VALIDATE_BOOLEAN;   // validate the value as a boolean
$return = filter_input($type, $var_name, $filter);
var_export($return);
?>
NULL
7 · options
<?php
$type = INPUT_GET;
$var_name = "myvariable";
$filter = FILTER_DEFAULT;
// Fourth argument: associative array with an "options" key
$options = ["options" => ["myvariable1", "myvariable2"]];
$return = filter_input($type, $var_name, $filter, $options);
var_export($return);
?>
NULL
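A worked example, added here and not part of the original page, that handles all three return values (the value, false, null) and applies the extra scheme check that the FILTER_VALIDATE_URL description calls for. The parameter names "page" and "callback" and the helpers describe() and require_http() are hypothetical; the sample values are constructed and run through filter_var(), which takes the same filters and options, so the script also runs on the CLI.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. The parameter names "page" and
// "callback" and the helper names below are hypothetical.

/** Map filter_input()'s three outcomes: null = not set, false = filter failed. */
function describe(mixed $result): string
{
    if ($result === null) {
        return 'missing';
    }
    return $result === false ? 'rejected' : 'ok ' . var_export($result, true);
}

/** FILTER_VALIDATE_URL accepts any scheme, so allow-list http/https afterwards. */
function require_http(string|false|null $url): string|false|null
{
    if (!is_string($url)) {
        return $url; // pass through null (not set) and false (invalid URL)
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : false;
}

$range = ['options' => ['min_range' => 1, 'max_range' => 500]];

// In a web request: read and validate straight from the query string.
// On the CLI there is no request, so both report "missing".
$page     = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, $range);
$callback = require_http(filter_input(INPUT_GET, 'callback', FILTER_VALIDATE_URL));
echo 'page: ', describe($page), ', callback: ', describe($callback), PHP_EOL;

// Constructed sample values, run through filter_var() with the same filters
// and options so the behaviour can be seen without a web server.
foreach (['42', '0', '501', '42abc', '0x1A'] as $raw) {
    echo "int {$raw}: ", describe(filter_var($raw, FILTER_VALIDATE_INT, $range)), PHP_EOL;
}
$urls = ['https://example.com/cb', 'ssh://example.com', 'mailto:user@example.com', 'example.com'];
foreach ($urls as $raw) {
    echo "url {$raw}: ", describe(require_http(filter_var($raw, FILTER_VALIDATE_URL))), PHP_EOL;
}
```

Compare with strict `===` as shown: a validated integer 0 or boolean false is a legitimate value for some filters, so a loose `if (!$value)` check cannot tell a rejected input from a valid one.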