{"id":1134,"date":"2021-04-15T01:23:17","date_gmt":"2021-04-15T01:23:17","guid":{"rendered":"https:\/\/phptutorial.net\/?page_id=1134"},"modified":"2025-04-07T08:41:08","modified_gmt":"2025-04-07T08:41:08","slug":"php-filter_input","status":"publish","type":"page","link":"https:\/\/www.phptutorial.net\/php-tutorial\/php-filter_input\/","title":{"rendered":"PHP filter_input Function"},"content":{"rendered":"\n<p><strong>Summary<\/strong>: in this tutorial, you will learn how to use the PHP <code>filter_input()<\/code> function to get an external variable by name and filter it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id='introduction-to-php-filter_input-function'>Introduction to PHP filter_input() function <a href=\"#introduction-to-php-filter_input-function\" class=\"anchor\" id=\"introduction-to-php-filter_input-function\" title=\"Anchor for Introduction to PHP filter_input() function\">#<\/a><\/h2>\n\n\n\n<p>When dealing with external data, you need to sanitize and validate it for security purposes. 
The external data may come from user inputs, databases, or third-party APIs.<\/p>\n\n\n\n<p>A good rule of thumb is that you should never trust external data and always:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sanitize and validate data before storing it in the database.<\/li>\n\n\n\n<li><a href=\"https:\/\/phptutorial.net\/php-tutorial\/php-htmlspecialchars\/\">Escape data<\/a> before displaying it on a web page.<\/li>\n<\/ul>\n\n\n\n<p>Suppose you have a URL that contains a query string like this:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-1\" data-shcb-language-name=\"plaintext\" data-shcb-language-slug=\"plaintext\"><span><code class=\"hljs language-plaintext\">http:&#47;&#47;localhost\/index.php?id=10<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-1\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">plaintext<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">plaintext<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>And you want to display the <code>$id<\/code> on the page:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-2\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\"><span class=\"hljs-keyword\">echo<\/span> $_GET&#91;<span class=\"hljs-string\">'id'<\/span>];<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-2\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>In this case, the page displays the number 10.<\/p>\n\n\n\n<p>However, a malicious hacker may change the value of <code>id<\/code> to some code like this:<\/p>\n\n\n<pre class=\"wp-block-code\" 
aria-describedby=\"shcb-language-3\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">%<span class=\"hljs-number\">3<\/span>Cscript%<span class=\"hljs-number\">3<\/span>Ealert(%<span class=\"hljs-number\">27<\/span>Hi%<span class=\"hljs-number\">27<\/span>)%<span class=\"hljs-number\">3<\/span>C\/script%<span class=\"hljs-number\">3<\/span>E<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-3\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>And the URL will be:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-4\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">http:<span class=\"hljs-comment\">\/\/localhost\/index.php?id=%3Cscript%3Ealert(%27Hi%27)%3C\/script%3E<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-4\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>In this case, you&#8217;ll see an alert in the web browser instead. In this example, the value of <code>id<\/code> is not a number but a <a href=\"https:\/\/www.javascripttutorial.net\/javascript-bom\/javascript-alert\/\" target=\"_blank\" rel=\"noreferrer noopener\">piece of JavaScript code that shows an alert<\/a>.<\/p>\n\n\n\n<p>Imagine the following situation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>First, a hacker creates a link to the page on a legitimate domain (<code>https:\/\/www.mybank.com\/login\/?id=...<\/code>) with an <code>id<\/code> that contains malicious code instead of a valid number. 
Unfortunately, the page doesn&#8217;t sanitize and validate the input.<\/li>\n\n\n\n<li>Second, the hacker embeds the link in an email and sends it to the users of <code>mybank.com<\/code>.<\/li>\n\n\n\n<li>Third, users see the link with a legitimate domain and click it. When they arrive at the page, they&#8217;re redirected to the hacker&#8217;s website with the same look and feel (<code>https:\/\/www.mybank.on-a-malicious-domain.com\/login\/<\/code>).<\/li>\n\n\n\n<li>Finally, users log in to their accounts there and lose their bank credentials to the hacker.<\/li>\n<\/ul>\n\n\n\n<p>To prevent this, you must always sanitize and validate data before processing it.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Sanitization<\/strong> neutralizes potentially malicious code in the data before processing it.<\/li>\n\n\n\n<li><strong>Validation<\/strong> ensures the data is in the correct format regarding data type, range, and value.<\/li>\n<\/ul>\n\n\n\n<p>The PHP <code>filter_input()<\/code> function allows you to get an external variable by its name and filter it using one or more built-in filters.<\/p>\n\n\n\n<p>Here&#8217;s the syntax of the <code>filter_input()<\/code> function:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-5\" data-shcb-language-name=\"PHP\" data-shcb-language-slug=\"php\"><span><code class=\"hljs language-php\">filter_input ( int $type , string $var_name , int $filter = FILTER_DEFAULT , <span class=\"hljs-keyword\">array<\/span>|int $options = <span class=\"hljs-number\">0<\/span> ) : mixed<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-5\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">PHP<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">php<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>The <code>filter_input()<\/code> function has the following parameters:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><code>$type<\/code> is one of <code>INPUT_GET<\/code>, <code>INPUT_POST<\/code>, <code>INPUT_COOKIE<\/code>, <code>INPUT_SERVER<\/code>, and <code>INPUT_ENV<\/code>.<\/li>\n\n\n\n<li><code>$var_name<\/code> is the name of the variable to filter.<\/li>\n\n\n\n<li><code>$filter<\/code> is the filter id to apply. Here&#8217;s the list of valid <a href=\"https:\/\/www.php.net\/manual\/en\/filter.constants.php\" target=\"_blank\" rel=\"noreferrer noopener\">filters<\/a>. If you omit the <code>$filter<\/code> argument, the <code>filter_input()<\/code> function will use the <code>FILTER_DEFAULT<\/code> filter id, which doesn&#8217;t filter anything.<\/li>\n\n\n\n<li><code>$options<\/code> is an <a href=\"https:\/\/phptutorial.net\/php-tutorial\/php-associative-arrays\/\">associative array<\/a> that consists of one or more options. You can use one or more flags when a filter accepts the options. If you want to use multiple flags, you need to separate them with the bitwise OR operator (<code>|<\/code>), e.g., <code>FILTER_SANITIZE_ENCODED | FILTER_SANITIZE_SPECIAL_CHARS<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>The <code>filter_input()<\/code> function returns <code>null<\/code>, <code>false<\/code>, or the filtered value according to the following rules:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If the <code>$var_name<\/code> is not set, the <code>filter_input()<\/code> function returns <code>null<\/code>.<\/li>\n\n\n\n<li>If the filter fails, the <code>filter_input()<\/code> function returns <code>false<\/code>.<\/li>\n\n\n\n<li>Otherwise, it returns the filtered value of the requested variable.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id='php-filter_input-function-example'>PHP filter_input() function example <a href=\"#php-filter_input-function-example\" class=\"anchor\" id=\"php-filter_input-function-example\" title=\"Anchor for PHP filter_input() function example\">#<\/a><\/h2>\n\n\n\n<p>The following example uses the <code>filter_input()<\/code> function 
to sanitize data for a search form:<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-6\" data-shcb-language-name=\"HTML, XML\" data-shcb-language-slug=\"xml\"><span><code class=\"hljs language-xml\"><span class=\"php\"><span class=\"hljs-meta\">&lt;?php<\/span>\n\n$term_html = filter_input(INPUT_GET, <span class=\"hljs-string\">'term'<\/span>, FILTER_SANITIZE_SPECIAL_CHARS);\n$term_url = filter_input(INPUT_GET, <span class=\"hljs-string\">'term'<\/span>, FILTER_SANITIZE_ENCODED);\n\n<span class=\"hljs-meta\">?&gt;<\/span><\/span>\n<span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">form<\/span> <span class=\"hljs-attr\">action<\/span>=<span class=\"hljs-string\">\"search.php\"<\/span> <span class=\"hljs-attr\">method<\/span>=<span class=\"hljs-string\">\"get\"<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">label<\/span> <span class=\"hljs-attr\">for<\/span>=<span class=\"hljs-string\">\"term\"<\/span>&gt;<\/span> Search <span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">label<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">input<\/span> <span class=\"hljs-attr\">type<\/span>=<span class=\"hljs-string\">\"search\"<\/span> <span class=\"hljs-attr\">name<\/span>=<span class=\"hljs-string\">\"term\"<\/span> <span class=\"hljs-attr\">id<\/span>=<span class=\"hljs-string\">\"term\"<\/span> <span class=\"hljs-attr\">value<\/span>=<span class=\"hljs-string\">\"&lt;?php echo $term_html ?&gt;\"<\/span>&gt;<\/span>\n    <span class=\"hljs-tag\">&lt;<span class=\"hljs-name\">input<\/span> <span class=\"hljs-attr\">type<\/span>=<span class=\"hljs-string\">\"submit\"<\/span> <span class=\"hljs-attr\">value<\/span>=<span class=\"hljs-string\">\"Search\"<\/span>&gt;<\/span>\n<span class=\"hljs-tag\">&lt;\/<span class=\"hljs-name\">form<\/span>&gt;<\/span>\n\n<span class=\"php\"><span class=\"hljs-meta\">&lt;?php<\/span>\n\n<span class=\"hljs-keyword\">if<\/span> (<span 
class=\"hljs-keyword\">null<\/span> !== $term_html) {\n\t<span class=\"hljs-keyword\">echo<\/span> <span class=\"hljs-string\">\"The search result for &lt;mark&gt; $term_html &lt;\/mark&gt;.\"<\/span>;\n}<\/span><\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-6\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">HTML, XML<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">xml<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>How the form works:<\/p>\n\n\n\n<p>The form has an input with the type <code>search<\/code> and a submit button.<\/p>\n\n\n\n<p>When you enter a search term, e.g., <code>how to use the filter_input function<\/code>, and click the submit button, the form uses the GET method to append the <code>term<\/code> query string to the URL, e.g.,<\/p>\n\n\n<pre class=\"wp-block-code\" aria-describedby=\"shcb-language-7\" data-shcb-language-name=\"plaintext\" data-shcb-language-slug=\"plaintext\"><span><code class=\"hljs language-plaintext\">http:&#47;&#47;localhost\/search.php?term=how+to+use+the+filter_input+function<\/code><\/span><small class=\"shcb-language\" id=\"shcb-language-7\"><span class=\"shcb-language__label\">Code language:<\/span> <span class=\"shcb-language__name\">plaintext<\/span> <span class=\"shcb-language__paren\">(<\/span><span class=\"shcb-language__slug\">plaintext<\/span><span class=\"shcb-language__paren\">)<\/span><\/small><\/pre>\n\n\n<p>This search form submits to itself (<code>search.php<\/code>).<\/p>\n\n\n\n<p>The <code>filter_input()<\/code> function sanitizes the search term using the <code>FILTER_SANITIZE_SPECIAL_CHARS<\/code> and <code>FILTER_SANITIZE_ENCODED<\/code> filters.<\/p>\n\n\n\n<p>The <code>FILTER_SANITIZE_SPECIAL_CHARS<\/code> filter returns a value for showing in the search field and the <code>FILTER_SANITIZE_ENCODED<\/code> filter returns a value for displaying on the page.<\/p>\n\n\n\n<h2 
class=\"wp-block-heading\" id='filter_input-vs-filter_var'>filter_input vs. filter_var <a href=\"#filter_input-vs-filter_var\" class=\"anchor\" id=\"filter_input-vs-filter_var\" title=\"Anchor for filter_input vs. filter_var\">#<\/a><\/h2>\n\n\n\n<p>The following table shows the comparison of the <code>filter_input<\/code> and <code>filter_var<\/code> functions:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Feature \/ Aspect<\/th><th><code>filter_input()<\/code><\/th><th><code>filter_var()<\/code><\/th><\/tr><\/thead><tbody><tr><td><strong>Purpose<\/strong><\/td><td>Validate and sanitize request inputs such as GET and POST data.<\/td><td>Validate and sanitize a <strong>variable you already have<\/strong> in memory.<\/td><\/tr><tr><td><strong>Input<\/strong><\/td><td><code>INPUT_*<\/code> such as <code>INPUT_GET<\/code> and <code>INPUT_POST<\/code><\/td><td>Any local variable (<code>$id<\/code>, <code>$email<\/code>, etc.)<\/td><\/tr><tr><td><strong>Validation Example<\/strong><\/td><td><code>filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL)<\/code><\/td><td><code>filter_var($email, FILTER_VALIDATE_EMAIL)<\/code><\/td><\/tr><tr><td><strong>Sanitization Example<\/strong><\/td><td><code>filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING)<\/code><\/td><td><code>filter_var($name, FILTER_SANITIZE_STRING)<\/code><\/td><\/tr><tr><td><strong>Returns<\/strong><\/td><td>Filtered value on success, <code>false<\/code> on failure, <code>null<\/code> when the variable is not set<\/td><td>Filtered value on success, <code>false<\/code> on validation failure<\/td><\/tr><tr><td><strong>Fails When<\/strong><\/td><td>Variable is not set in the input type or validation fails<\/td><td>Variable is invalid or fails validation<\/td><\/tr><tr><td><strong>Use Case<\/strong><\/td><td>Validate \/ sanitize form input<\/td><td>Validate \/ sanitize variables<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id='summary'>Summary <a href=\"#summary\" 
class=\"anchor\" id=\"summary\" title=\"Anchor for Summary\">#<\/a><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use the PHP <code>filter_input()<\/code> function to sanitize and validate data from external variables.<\/li>\n\n\n\n<li>Use the <code>filter_input()<\/code> function when you need to validate and sanitize data coming directly from the user, and <code>filter_var()<\/code> when the input is already in a variable.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>In this tutorial, you will learn how to use the PHP filter_input() function to filter and validate data.<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":15,"menu_order":85,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-1134","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/comments?post=1134"}],"version-history":[{"count":5,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1134\/revisions"}],"predecessor-version":[{"id":3204,"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/pages\/1134\/revisions\/3204"}],"up":[{"embeddable":true,"href":"https:\/\/www.phptutor
ial.net\/wp-json\/wp\/v2\/pages\/15"}],"wp:attachment":[{"href":"https:\/\/www.phptutorial.net\/wp-json\/wp\/v2\/media?parent=1134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}