Quick Tip: How to Filter Data in PHP



In this article, we’ll look at why it’s important to filter everything that comes into your application. In particular, we’ll look at how to validate and sanitize external data in PHP.

Don’t trust outside input in your application. This is one of the most important lessons for anyone developing web applications.

External input can be anything: $_GET and $_POST form data, elements of the HTTP request body, or values in the $_SERVER superglobal. Cookies, session values, and uploaded and downloaded files are also considered external input.

Whenever your code processes, outputs, includes, or concatenates external data, there is a potential vector for an attacker to inject code into your application (the so-called injection attack). For this reason, you should ensure that all pieces of external data are properly filtered so that they can be safely included in your application.

When it comes to filtering, there are two main types: validation and sanitization.


Validation guarantees that the external input is what you expect. For example, you might expect an email address, so you want the input to be in the ********@*****.*** format. For that purpose, you use the FILTER_VALIDATE_EMAIL filter. Or, if you want a boolean, you use PHP’s FILTER_VALIDATE_BOOL filter.

The most useful filters are FILTER_VALIDATE_BOOL, FILTER_VALIDATE_INT and FILTER_VALIDATE_FLOAT for basic types, and FILTER_VALIDATE_EMAIL and FILTER_VALIDATE_DOMAIN for email addresses and domain names respectively.

Another very important filter is FILTER_VALIDATE_REGEXP, which lets you filter against a regular expression. By changing the regular expression, you can build your own custom filters.

All filters available for validation in PHP are listed in the PHP manual.


Sanitization is the process of removing illegal or unsafe characters from external input.

The best example of this is sanitizing database input before inserting it into a raw SQL query.

Again, the most useful sanitization filters include the ones that sanitize basic types, such as FILTER_SANITIZE_STRING, FILTER_SANITIZE_CHARS and FILTER_SANITIZE_INT, but also FILTER_SANITIZE_URL and FILTER_SANITIZE_EMAIL, which sanitize URLs and email addresses.

All PHP sanitization filters are listed in the PHP manual.

filter_var() and filter_input()

Now that you know PHP has a full selection of filters available, you need to know how to use them.

Filters are applied with the filter_var() and filter_input() functions.

The filter_var() function applies the specified filter to a variable. It takes the value to filter, the filter to apply, and optionally an array of options. For example, if you’re trying to validate an email address, you can use:


$email = "someone@example.com"; // placeholder value: the original address was lost in extraction

if ( filter_var( $email, FILTER_VALIDATE_EMAIL ) ) {
    echo "This email is valid";
}

If your goal is to sanitize a string, you can use this:

$string = "<h1>Hello World</h1>";

// FILTER_SANITIZE_STRING strips the tags, leaving only the text
$sanitized_string = filter_var( $string, FILTER_SANITIZE_STRING );
echo $sanitized_string;
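The article mentions that filter_var() takes an optional options array but never shows one. The following is an added example, not code from the original article: it validates a constructed $_GET-like request (field names, ranges and the slug pattern are assumptions) and shows the range, default, FILTER_NULL_ON_FAILURE and regexp options, then sanitizes a value for HTML output.

```php
<?php
// Added example, not code from the original article: filter_var() with the
// options array the article mentions, on a constructed $_GET-like request.

// Validate a request; returns clean values or throws on the first bad field.
function validateListingRequest(array $input): array
{
    // An options array lets FILTER_VALIDATE_INT enforce a range; 'default'
    // is returned instead of false when the value fails.
    $perPage = filter_var($input['per_page'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100, 'default' => 20],
    ]);

    // Without a default, failure returns false. Test with === false: a
    // legitimate page number 0 would be rejected by a plain if (!$page).
    $page = filter_var($input['page'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0],
    ]);
    if ($page === false) {
        throw new InvalidArgumentException('page must be a non-negative integer');
    }

    // FILTER_NULL_ON_FAILURE separates a genuine false ("0", "off", "no")
    // from input that is not a boolean at all, which yields null instead.
    $debug = filter_var($input['debug'] ?? 'false', FILTER_VALIDATE_BOOL, FILTER_NULL_ON_FAILURE);
    if ($debug === null) {
        throw new InvalidArgumentException('debug must be a boolean');
    }

    // FILTER_VALIDATE_REGEXP reads its pattern from the options array.
    $slug = filter_var($input['slug'] ?? '', FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[a-z0-9][a-z0-9_-]{0,63}$/'],
    ]);
    if ($slug === false) {
        throw new InvalidArgumentException('slug contains disallowed characters');
    }

    return ['page' => $page, 'per_page' => $perPage, 'debug' => $debug, 'slug' => $slug];
}

// Constructed sample request standing in for $_GET; per_page is out of range.
$clean = validateListingRequest([
    'page' => '0', 'per_page' => '500', 'debug' => 'off', 'slug' => 'hello-world_2023',
]);

// Sanitizing for HTML output: FILTER_SANITIZE_SPECIAL_CHARS encodes <, >, &
// and quotes. FILTER_SANITIZE_STRING, used above, is deprecated since PHP 8.1.
echo filter_var('<b>' . $clean['slug'] . '</b>', FILTER_SANITIZE_SPECIAL_CHARS), PHP_EOL;
```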

The filter_input() function gets an external input variable directly from the request and filters it.

It works just like filter_var(), but it takes the type of input (one of GET, POST, COOKIE, SERVER or ENV, via the corresponding INPUT_* constant), the name of the variable to filter, and the filter. It can optionally take an array of options.

Again, if you want to check whether the external variable ’email’ is being sent via GET and is valid, you can use this:


if ( filter_input( INPUT_GET, "email", FILTER_VALIDATE_EMAIL ) ) {
    echo "The email is being sent and is valid.";
}


And these are the basics of data filtering in PHP. You can use other techniques to filter the external data, such as applying regular expressions, but the techniques presented in this article are sufficient for most use cases.

Make sure you understand the difference between validation and sanitization, and how to use the filter functionality. This knowledge will make your PHP applications more reliable and secure.

