PHP filter_input Function

Summary: in this tutorial, you will learn how to use the PHP filter_input() function to get an external variable by name and filter it.

Introduction to PHP filter_input() function

When dealing with external data, you need to sanitize and validate it for security purposes. External data may come from user input, databases, or third-party APIs.

A good rule of thumb is that you should never trust external data and always:

  • Sanitize and validate data before storing it in the database.
  • Escape data before displaying it on a web page.

Suppose you have a URL that contains a query string like this:

http://localhost/index.php?id=10

And you want to display the $id on the page:

echo $_GET['id'];

In this case, you see that the page displays the number 10.

However, a malicious user may change the value of id to code like this:

%3Cscript%3Ealert(%27Hi%27)%3C/script%3E

And the URL will be:

http://localhost/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C/script%3E

In this case, you’ll see an alert in the web browser instead. The value of id is no longer a number but a piece of JavaScript code that shows an alert.

Imagine the following situation:

  • First, a hacker creates a link to the page on a legitimate domain (https://www.mybank.com/login/?id=...) with an id that contains malicious code instead of a valid number. Unfortunately, the page doesn’t sanitize and validate the input.
  • Second, the hacker embeds the link in an email and sends it to the users of the mybank.com.
  • Third, users see the link with a legitimate domain and click it. When they arrive at the page, they’re redirected to the hacker’s website with the same look and feel (https://www.mybank.on-a-malicious-domain.com/login/).
  • Finally, users enter their accounts and lose their bank credentials to the hacker.

To prevent this, you must always sanitize and validate data before processing it.

  • Sanitization removes or neutralizes potentially malicious content in the data before processing it.
  • Validation ensures the data is in the correct format regarding data type, range, and value.

The PHP filter_input() function allows you to get an external variable by its name and filter it using one or more built-in filters.

Here’s the syntax of the filter_input() function:

filter_input ( int $type , string $var_name , int $filter = FILTER_DEFAULT , array|int $options = 0 ) : mixed

The filter_input() function has the following parameters:

  • $type is one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, or INPUT_ENV.
  • $var_name is the name of the variable to filter.
  • $filter is the id of the filter to apply. Here’s the list of valid filters. If you omit the $filter argument, the filter_input() function uses the FILTER_DEFAULT filter id, which doesn’t filter anything.
  • $options is either a bitmask of flags or an associative array whose options and flags keys carry the filter’s options and flags. When a filter accepts flags, you can combine several of them with the bitwise OR operator (|), e.g., FILTER_SANITIZE_ENCODED | FILTER_SANITIZE_SPECIAL_CHARS.

The filter_input() function returns null, false, or the filtered value according to the following rules:

  • If the $var_name is not set, the filter_input() function returns null.
  • If the filter fails, the filter_input() function returns false.
  • Otherwise, it returns the filtered value of the requested variable.
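The three return cases matter in practice because only a strict comparison tells an absent parameter (null) apart from a rejected one (false). The following script is an added example, not code from the tutorial: it validates the id parameter from the introduction with FILTER_VALIDATE_INT and a min_range option, and reuses the same filter through filter_var() on constructed inputs so the three outcomes can be seen without a live request. The function names readId() and checkId() are this example's own, and it assumes PHP 8.0 or later for the union return types.

```php
<?php
declare(strict_types=1);

// Added example (not from the tutorial): validate the "id" query parameter
// instead of echoing it raw. Function names are this example's own.

// Read ?id=... from the request and return a positive integer, null when the
// parameter is absent, or false when it is present but not a positive integer.
function readId(): int|false|null
{
    return filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
}

// Apply the same filter to a value already in memory with filter_var(), so the
// three outcomes can be observed from the command line.
function checkId(?string $raw): int|false|null
{
    if ($raw === null) {
        return null;   // filter_input() reports an unset variable as null
    }
    return filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
}

// Constructed inputs: a valid id, the payload from the tutorial, and edge cases.
$samples = [
    'valid'        => '10',
    'xss_attempt'  => "<script>alert('Hi')</script>",
    'zero'         => '0',
    'negative'     => '-5',
    'not_a_number' => '10abc',
    'missing'      => null,
];

foreach ($samples as $label => $raw) {
    $id = checkId($raw);
    if ($id === null) {
        $status = 'missing  -> show the default page';
    } elseif ($id === false) {
        $status = 'rejected -> respond 400 Bad Request';
    } else {
        $status = 'accepted -> id=' . $id;
    }
    printf("%-13s %s\n", $label, $status);
}

// When served over HTTP, only a validated integer ever reaches the output;
// the raw query string value is never echoed.
if (PHP_SAPI !== 'cli') {
    $id = readId();
    if ($id === false) {
        http_response_code(400);
        exit('Invalid id');
    }
    echo $id ?? 'no id given';
}
```

Run it with php on the command line to see the decision for each sample; the script payload, zero, a negative number and a value with trailing letters are all rejected by the integer filter, and only the absent parameter is reported as null.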

PHP filter_input() function example

The following example uses the filter_input() function to sanitize data for a search form:

<?php

// HTML-encoded form of the term, safe for the value attribute and the page body.
$term_html = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
// URL-encoded form of the term, for use when the term is placed in a URL.
$term_url = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_ENCODED);

?>
<form action="search.php" method="get">
    <label for="term"> Search </label>
    <input type="search" name="term" id="term" value="<?php echo $term_html ?>">
    <input type="submit" value="Search">
</form>

<?php

// filter_input() returns null when the term parameter is not in the query string.
if (null !== $term_html) {
    echo "The search result for <mark> $term_html </mark>.";
}

How the form works:

The form has an input with the type search and a submit button.

When you enter a search term, e.g., how to use the filter_input function, and click the submit button, the form uses the GET method to append the term query string to the URL, e.g.,

http://localhost/search.php?term=how+to+use+the+filter_input+function

The form submits to itself (search.php).

The filter_input() function sanitizes the search term with the FILTER_SANITIZE_SPECIAL_CHARS and FILTER_SANITIZE_ENCODED filters.

The FILTER_SANITIZE_SPECIAL_CHARS filter HTML-encodes the term, which is the form the example shows in the search field and on the page. The FILTER_SANITIZE_ENCODED filter URL-encodes the term, which is the form to use when the term is placed in a URL.

filter_input vs. filter_var

The following comparison shows how the filter_input() and filter_var() functions differ:

  • Purpose: filter_input() validates and sanitizes request input such as GET or POST data; filter_var() validates and sanitizes a variable you already have in memory.
  • Input: filter_input() reads from an INPUT_* source such as INPUT_GET or INPUT_POST; filter_var() takes any local variable ($id, $email, etc.).
  • Validation example: filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL) versus filter_var($email, FILTER_VALIDATE_EMAIL).
  • Sanitization example: filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING) versus filter_var($name, FILTER_SANITIZE_STRING).
  • Returns: filter_input() returns the filtered value on success, false on validation failure, and null when the variable is not set; filter_var() returns the filtered value on success and false on validation failure.
  • Fails when: filter_input() fails when the variable is not set in the input type or validation fails; filter_var() fails when the variable is invalid or fails validation.
  • Use case: filter_input() for validating and sanitizing form input; filter_var() for validating and sanitizing variables.

Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; use FILTER_SANITIZE_SPECIAL_CHARS (or htmlspecialchars() at output time) instead.
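The distinction in the comparison above is where the value comes from, not what the filters do: filter_var() applies the same filter ids to a value you already hold. The following script is an added example, not code from the tutorial, and reuses the search-term handling from the earlier form to show that. It prepares one term for each output context (HTML-encoded for the attribute and page body, URL-encoded for a link) through filter_var() on constructed inputs, and applies the same preparation to the live request via filter_input() when served over HTTP. The function names prepareTerm() and renderSearch() and the share link are this example's own.

```php
<?php
declare(strict_types=1);

// Added example (not from the tutorial): encode one search term for each
// output context. Function names are this example's own.

// Produce the term in the forms a page needs: the raw value for the search
// backend, an HTML-encoded value for attributes and body text, and a
// URL-encoded value for links back to the same search.
function prepareTerm(string $raw): array
{
    return [
        'raw'  => $raw,
        'html' => filter_var($raw, FILTER_SANITIZE_SPECIAL_CHARS),
        'url'  => filter_var($raw, FILTER_SANITIZE_ENCODED),
    ];
}

// Render the search form, the result line and a share link. Each slot uses
// the encoding for its own context; the raw term is never echoed.
function renderSearch(array $term): string
{
    $html = $term['html'];
    $url  = $term['url'];
    return <<<HTML
<form action="search.php" method="get">
    <label for="term">Search</label>
    <input type="search" name="term" id="term" value="{$html}">
    <input type="submit" value="Search">
</form>
<p>The search result for <mark>{$html}</mark>.</p>
<a href="search.php?term={$url}">Share this search</a>
HTML;
}

// Constructed inputs: an ordinary query and the payload from the tutorial.
$samples = [
    'how to use the filter_input function',
    "<script>alert('Hi')</script>",
];

foreach ($samples as $raw) {
    $term = prepareTerm($raw);
    echo "--- raw:  {$term['raw']}\n";
    echo "    html: {$term['html']}\n";
    echo "    url:  {$term['url']}\n";
    echo renderSearch($term), "\n";
}

// The same preparation applied to the live request when served over HTTP.
// FILTER_DEFAULT returns the value as sent; encoding happens in prepareTerm().
if (PHP_SAPI !== 'cli') {
    $raw = filter_input(INPUT_GET, 'term');
    if (is_string($raw)) {
        echo renderSearch(prepareTerm($raw));
    }
}
```

Run from the command line, the script prints the HTML-encoded and URL-encoded forms of each sample side by side, so you can see that the script tags and quotes in the second sample are neutralized differently for the attribute and for the link; served as search.php, it behaves like the tutorial's form with the share link added.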

Summary

  • Use the PHP filter_input() function to sanitize and validate data from external variables.
  • Use the filter_input() function when you need to validate and sanitize data coming directly from the user, and filter_var() when the input is already in a variable.