PHP filter_input
Summary: in this tutorial, you will learn how to use the PHP filter_input() function to get an external variable by name and filter it.
Introduction to PHP filter_input() function
The PHP filter_input() function allows you to get an external variable by its name and filter it using one or more built-in filters.
The following shows the syntax of the filter_input() function:
filter_input(int $type, string $var_name, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed
The filter_input() function has the following parameters:
- $type is one of INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, and INPUT_ENV.
- $var_name is the name of the variable to filter.
- $filter is the filter id to apply. Here’s the list of valid filters. If you omit the $filter argument, the filter_input() function uses the FILTER_DEFAULT filter id, which doesn’t filter anything.
- $options is an associative array that consists of one or more options. When a filter accepts flags, you can pass one or more of them. To use multiple flags, separate them with the bitwise OR operator (|), e.g., FILTER_SANITIZE_ENCODED | FILTER_SANITIZE_SPECIAL_CHARS.
The filter_input() function returns null, false, or the filtered value according to the following rules:
- If the variable named by $var_name is not set, the filter_input() function returns null.
- If the filter fails, the filter_input() function returns false.
- Otherwise, it returns the filtered value of the requested variable.
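The three return values matter in practice: a missing parameter (null) and a rejected one (false) usually call for different responses. The following added example, which is not part of the original tutorial, shows a hypothetical request handler for a search page that tells the two apart and passes an $options array carrying both a filter option (an integer range) and a flag.

```php
<?php
// Added example (not from the original tutorial): a handler for a hypothetical
// search page. It distinguishes the three outcomes of filter_input():
// null  = the parameter is absent from the request
// false = the parameter is present but the filter rejected it
// value = the filtered value
declare(strict_types=1);

function readSearchRequest(): array
{
    // Sanitize the free-text term for safe echoing into HTML. The 'flags' key of
    // $options passes FILTER_FLAG_STRIP_LOW, which drops control characters
    // (bytes below 32) that have no place in a search term.
    $term = filter_input(
        INPUT_GET,
        'term',
        FILTER_SANITIZE_SPECIAL_CHARS,
        ['flags' => FILTER_FLAG_STRIP_LOW]
    );

    // Validate the page number: only integers from 1 to 1000 are accepted.
    // Filter-specific settings go under the 'options' key of $options.
    $page = filter_input(
        INPUT_GET,
        'page',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 1000]]
    );

    if ($term === null) {
        return ['status' => 'no_query'];   // form shown for the first time
    }
    if ($page === null) {
        $page = 1;                         // optional parameter: use the default
    } elseif ($page === false) {
        return ['status' => 'bad_page'];   // present but not an int in 1..1000
    }
    return ['status' => 'ok', 'term' => $term, 'page' => $page];
}

$request = readSearchRequest();
if ($request['status'] === 'no_query') {
    echo 'Enter a search term.';
} elseif ($request['status'] === 'bad_page') {
    http_response_code(400);               // reject rather than guess
    echo 'Invalid page number.';
} else {
    // $term was sanitized with FILTER_SANITIZE_SPECIAL_CHARS, so it is safe to echo.
    printf('Results for <mark>%s</mark>, page %d.', $request['term'], $request['page']);
}
```

Requesting the page as search.php?term=php&page=0 takes the bad_page branch, while search.php?term=php with no page parameter falls back to page 1.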
PHP filter_input() function example
The following example uses the filter_input() function to sanitize data for a search form:
<?php
// Read the 'term' query parameter twice, once per target context:
// HTML-escaped for the page body and URL-encoded for use in a URL.
$term_html = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
$term_url = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_ENCODED);
?>
<form action="search.php" method="get">
  <label for="term">Search</label>
  <input type="search" name="term" id="term" value="<?php echo $term_html ?>">
  <input type="submit" value="Search">
</form>
<?php
// $term_html is null when the form has not been submitted yet.
if (null !== $term_html) {
  echo "The search result for <mark>$term_html</mark>.";
}
?>
How the form works.
The form contains an input with type search and a submit button.
When you enter a search term, e.g., how to use the filter_input function, and click the submit button, the form uses the GET method to append the term to the URL as a query string, e.g.:
http://localhost/search.php?term=how+to+use+the+filter_input+function
This search form submits to itself (search.php).
The filter_input() function sanitizes the search term using the FILTER_SANITIZE_SPECIAL_CHARS and FILTER_SANITIZE_ENCODED filters.
The FILTER_SANITIZE_SPECIAL_CHARS filter returns a value for showing on the search field and the FILTER_SANITIZE_ENCODED filter returns a value for displaying on the page.
filter_input vs. filter_var
If a variable doesn’t exist, the filter_input() function returns null while the filter_var() function returns an empty string and issues a notice of an undefined index.
Suppose you have a page with the following URL:
http://localhost/search.php
The following filter_input() function returns null and doesn’t raise any error when you get the term variable from the INPUT_GET:
<?php
// 'term' is absent from the query string, so filter_input() returns null.
$term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($term);
Output:
NULL
However, the filter_var() function returns an empty string and issues an error:
<?php
// $_GET['term'] is undefined here, so reading it triggers a notice.
$term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($term);
Output:
Notice: Undefined index: term in ...\search.php on line 3
string(0) ""
Therefore, you often use the isset() or filter_has_var() function to check if a variable is set before passing it to the filter_var() function like this:
<?php
// Check that the variable exists before handing it to filter_var().
if (isset($_GET['term'])) {
  $term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);
  var_dump($term);
}
Also, the filter_input() function doesn’t get the current values of the $_GET, $_POST, … superglobal variables. Instead, it uses the original values submitted in the HTTP request. For example:
<?php
$_GET['term'] = 'PHP'; // doesn't have any effect on INPUT_GET
// filter_input() reads the original request data, not the modified $_GET array.
$term = filter_input(INPUT_GET, 'term', FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($term);
Output:
NULL
This example assigns a value to the $_GET['term'] variable. However, the filter_input() function doesn’t read the term from the current $_GET array, so the script displays NULL.
On the other hand, the filter_var() function does read values from the current $_GET variable. For example:
<?php
$_GET['term'] = 'PHP';
// filter_var() works on the value you pass it, so it sees the modified $_GET array.
$term = filter_var($_GET['term'], FILTER_SANITIZE_SPECIAL_CHARS);
var_dump($term);
Output:
string(3) "PHP"
Summary
- Use the PHP filter_input() function to sanitize and validate data from external variables.