Data Filtering with PHP / Page 2

Data Filtering [con't]

The Three Filters

So let's take a look at the three filters that we just discussed. First up is the filter_has_var() function. This function helps in determining if a variable exists in an input array. It takes two arguments, one of which is any of the constants listed in table 3 on page one of this article, and the other is a variable. For example to check if $_POST array contains a variable called 'avar', you would do:

if (filter_has_var(INPUT_POST, 'avar')) { // your statements here }

The filter_list() function, when executed, generates a list of filters that is supported by the current server. Below is a list of filters supported by my server:

Array ( [0] => int [1] => boolean [2] => float [3] => validate_regexp [4] => validate_url [5] => validate_email [6] => validate_ip [7] => string [8] => stripped [9] => encoded [10] => special_chars [11] => unsafe_raw [12] => email [13] => url [14] => number_int [15] => number_float [16] => magic_quotes [17] => callback )

The third and final function is the filter_id() function. It takes one argument and is used in combination with the names listed in the filter_list() function. It is executed in the following way: filter_id($avalue). When executed it returns a numerical value that represents one of the supported filters i.e.

filter_id('float');

would return:

259

So how is this function useful for you? The main usefulness of this function lies in the fact that it is used as a substitute for PHP constants used by the main filter functions. For example, instead of using FILTER_VALID_FLOAT as an argument when filtering input, you can use:

filter_id('float')

The remaining four filter functions work best when you set their options correctly. PHP offers over thirteen filters, which can broadly be categorized in the following way:

Sanitizing Filters - This filter strips certain characters from a given value and returns the sanitized version. An example use would be:

$float = "10.3"; $filtered = filter_var($float, FILTER_SANITIZE_NUMBER_FLOAT); var_dump($filtered);

When you run the code above you will get the following result:

103

Customized Filters - This filter accepts a user defined function and processes the data according to its requirements.

Validating Filters - This filter validates a given value to check if it is of a particular type such as float or integer or that a given value conforms to a specific format, i.e. URL address.

$var = 20; $filteredINT = filter_var($var, FILTER_VALIDATE_INT); var_dump($filteredINT);

When you run the code above you will get the following result:

int(20)

The filters are identified by constants and many of them have options, flags and in some cases both. Most of the time you are required to use flags with their related filters except for the two listed below, which can be used with any filters:

Below is a list of some of the constants used to sanitized and validate data:

For a full list if constants, for both validation/sanitizing filters, please visit the PHP website. The filters themselves are designed to be used for both single variables and multiple variables. To work with single variables PHP has two filter functions:

filter_input()
filter_var()

The only difference between the two is that the filter_input() function processes variables that came through global arrays such as $_POST and $_GET, while filter_var() processes variables from any other source. The filter_input()funtion takes four arguments:

type- refers to the superglobal array that you intend to use, i.e. $_GET
variable - refers to the name of the variable you want to filter
filter - refers to the filter that you want to use. If omitted, PHP uses the default filter
options - refers to any flags or option you want to set for the operation.

Needless to say, the filter_var() function does not take the "source" option, but does the rest. As a way to demonstrate how to filter variables, I've created a small form with the following code:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="https://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title>Untitled Document</title> </head> <body> <form id="form1" name="form1" method="post" action=""> <table width="100%" border="1"> <tr> <td colspan="2"><h2><strong>Using PHP Filters </strong></h2></td> </tr> <tr> <td width="13%">Text to Filter.</td> <td width="87%"><label> <textarea name="input" id="input"></textarea> </label> </td> </tr> <tr> <td>Select Filter</td> <td><?php $constants = array('int' => 'validate_ip' => 'FILTER_VALIDATE_IP', 'FILTER_VALIDATE_INT', 'float' => 'FILTER_VALIDATE_FLOAT', 'validate_url' => 'FILTER_VALIDATE_URL', 'validate_email' => 'FILTER_VALIDATE_EMAIL', 'string' => 'FILTER_SANITIZE_STRING', 'email' => 'FILTER_SANITIZE_EMAIL', 'url' => 'FILTER_SANITIZE_URL', 'number_int' => 'FILTER_SANITIZE_NUMBER_INT', 'number_float' => 'FILTER_SANITIZE_NUMBER_FLOAT'); echo "<select name='val'>"; foreach($constants as $key=>$value){ echo '<option value='.$key.'>'.$value.'</option>'; } echo '</select>'; ?> </td> </tr> <tr><td colspan="2"> <label> <input type="submit" name="submit" value="Test input" /> </label> </td></tr> </table> </form> </body> </html>

And the code to process the form input:

<?php if(isset($_POST['submit'])){ $constants = filter_input(INPUT_POST,'input', filter_id($_POST['val'])); echo $constants; } ?>

So what have we done here? Basically, we created a form that has a text box that will take input from the user and a menu box that is populated with the various filter constants. The idea is that a user enters a value and then selects a filter option. The list of constants is not exhausted so feel free to add more constants to the array that populates the menu. The $constants array has the following format:

'float' => 'FILTER_VALIDATE_FLOAT'

Now when a constant is selected by the user, the value 'float' will be sent to the processing PHP code. This value is then fed to the filter_input function:

$constants = filter_input(INPUT_POST,'input', filter_id($_POST['val']));

You might be asking why we are using the filter_id() function here. This is because we need to convert the string 'float' to its constants equivalent. Look at the section of the article that deals with the three functions at the beginning of this page to get a better idea of what happens with the code. The constant equivalent of float is FILTER_VALIDATE_FLOAT, which is actually what the filter_input function requires.

Filtering Multiple Variables

Filtering multiple variables goes along the same lines as the filtering single variables. There are two functions that are used to deal with multiple variables:

filter_input_array
filter_var_array

The filter_input_array function takes the following arguments:

type- refers to the superglobal array that you intend to use, i.e. $_GET
definition- refers to a array that defines the arguments. In this case it's a multidimensional array that determines how the variables are to be filtered.

The filter_var_array function takes the following arguments:
data- refers to an array containing the variables that you want to filter
definition- same as filter_input_array function.

Below are some examples of how to use the above functions. Let's start with filter_var_array function:

<?php $data = array('name' => 'Dantago', 'email' => 'dantago@sasha.com', 'url' => 'https://www.dsnoabes.com', 'decimal_num' => '2.2'); $definition = array('name' =>array('filter',FILTER_SANITIZE_STRING, 'flags',FILTER_FLAG_NO_ENCODE_QUOTES), 'email' =>FILTER_SANITIZE_EMAIL, 'url'=>FILTER_VALIDATE_URL, 'decimal_num' => array('filter' => FILTER_VALIDATE_FLOAT, 'options' => array('decimal' => ','), 'flags' => FILTER_FLAG_ALLOW_THOUSAND)); $result = filter_var_array($data, $definition); var_dump($result); ?>

The code above should be easy to understand; first, we set the variables that we want to filter in the array:

...$data = array('name' => 'Dantago',

Then we define how we want them to be filtered:

$definition = array('name' =>array('filter',FILTER_SANITIZE_STRING, 'flags',FILTER_FLAG_NO_ENCODE_QUOTES),

Now, if you want to filter values that come from a form, you will need to use the filter_input_array function. For variables coming from a form, use the same design as $definition above and simply change, this:

$result = filter_var_array($data, $definition);

to this:

$result = filter_input_array(INPUT_POST(or INPUT_GET), $definition);

Conclusion

While these functions provide excellent data validation for PHP applications, they are a bit cumbersome to use. I would suggest that anyone intending to use them should create a class that will not only make it easier to use them but will save time and make for faster development.

Original: June 24, 2009

Find a programming school near you

Zip Code:

Subject: - Select All Subjects - Computer Applications Computer Engineering Computer Science Computer Prog. - Software Dev. Computer Game Programming Web Design Web Development Internet Systems Internet Certification Database Design and Development Information Systems Management Information Technology Project Management Network Design - Development Systems Analyst

Degree: - Select All Degrees - Associate's Bachelor's Master's Doctoral Certificates Diplomas Coursework MBA

Online Campus Both