This function provides an extremely simple solution for type filtering.
Without this function...
<?php
if (!isset($_GET['a'])) {
    $a = null;
} elseif (!is_string($_GET['a'])) {
    $a = false;
} else {
    $a = $_GET['a'];
}
$b = isset($_GET['b']) && is_string($_GET['b']) ? $_GET['b'] : '';
?>
With this function...
<?php
$a = filter_input(INPUT_GET, 'a');
$b = (string)filter_input(INPUT_GET, 'b');
?>
Yes, FILTER_REQUIRE_SCALAR seems to be set as a default option.
It's very helpful for eliminating E_NOTICE, E_WARNING and E_ERROR.
This fact should be documented.
filter_input
(PHP 5 >= 5.2.0, PHP 7, PHP 8)
filter_input — Gets an external variable and filters it
Description
Parameters
type -
One of the INPUT_* constants.
Warning: The content of the superglobal that is filtered is the original "raw" content supplied by the SAPI, prior to any user modification of the superglobal. To filter a modified superglobal, use filter_var() instead.
var_name -
Name of a variable to filter, contained in the superglobal corresponding to type.
filter -
The filter to apply. It can be a validation filter using one of the FILTER_VALIDATE_* constants, a sanitization filter using one of the FILTER_SANITIZE_* constants, FILTER_UNSAFE_RAW, or a custom filter using FILTER_CALLBACK.
Note: The default filter is FILTER_DEFAULT, which is an alias of FILTER_UNSAFE_RAW. This results in no filtering by default.
options -
Either an associative array of options, or a bitmask of FILTER_FLAG_* filter flag constants. If the filter accepts options, the flags can be supplied using the "flags" key of the array.
Return Values
Value of the requested variable on success, false if the filter fails, or null if the var_name variable is not set. If the FILTER_NULL_ON_FAILURE flag is used, the function returns false if the variable is not set and null if the filter fails.
On success the filtered variable is returned. On failure false is returned, unless the FILTER_NULL_ON_FAILURE flag is used, in which case null is returned.
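An added example, not part of the PHP manual, that illustrates the return-value rules above together with the FILTER_REQUIRE_SCALAR default mentioned in the first user note: the parameter name "page" and the range 1..500 are assumed for illustration, and the CLI demo feeds constructed values through filter_var() with the same filter and options so it runs without a web request.

```php
<?php
// Added example, not part of the PHP manual: telling "missing", "invalid" and
// "valid" apart when reading an integer with filter_input(). The parameter
// name "page" and the range 1..500 are assumed for illustration.

declare(strict_types=1);

// One filter specification, shared by the request path and the CLI demo below.
const PAGE_FILTER  = FILTER_VALIDATE_INT;
const PAGE_OPTIONS = [
    'options' => ['min_range' => 1, 'max_range' => 500],
    'flags'   => FILTER_NULL_ON_FAILURE,
];

// With FILTER_NULL_ON_FAILURE: false means the variable was not set, null means
// the filter rejected it. Without the flag the two are swapped. Either way the
// result must be compared with ===, since a valid 0 would otherwise look false.
function classify(mixed $result): string
{
    if ($result === false) {
        return 'missing';
    }
    if ($result === null) {
        return 'invalid';
    }
    return 'valid:' . var_export($result, true);
}

// Request path: filter_input() reads the raw SAPI input, so later edits to
// $_GET are not seen here (see the Warning under the type parameter).
function page_from_request(): string
{
    return classify(filter_input(INPUT_GET, 'page', PAGE_FILTER, PAGE_OPTIONS));
}

// CLI demo on constructed values. filter_var() applies the same filter and
// options, so each outcome matches what filter_input() returns for that input.
$samples = [
    ['7',        '7'],
    ['0',        '0'],       // below min_range
    ['12abc',    '12abc'],   // not an integer
    ['page[]=1', ['1']],     // array input fails: FILTER_REQUIRE_SCALAR is the default
];
foreach ($samples as [$label, $value]) {
    printf("%-9s => %s\n", $label, classify(filter_var($value, PAGE_FILTER, PAGE_OPTIONS)));
}
printf("%-9s => %s\n", 'absent', classify(false)); // unset variable under FILTER_NULL_ON_FAILURE
```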
Examples
Example #1 filter_input() example
<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "Vous avez recherché $search_html.\n";
echo "<a href='?search=$search_url'>Nouvelle recherche.</a>";
?>
The above example will output something similar to:
Vous avez recherché Me & son. <a href='?search=Me%20%26%20son'>Nouvelle recherche.</a>
See Also
- filter_input_array() - Gets several external values and filters them
- filter_var() - Filters a variable with a specific filter
- filter_var_array() - Gets several variables and filters them
- Validation filters FILTER_VALIDATE_*
- Sanitization filters FILTER_SANITIZE_*
User Contributed Notes (9 notes)
FastCGI seems to cause strange side-effects with unexpected null values when using INPUT_SERVER and INPUT_ENV with this function. You can use this code to see if it affects your server:
<?php
var_dump($_SERVER);
foreach (array_keys($_SERVER) as $b) {
    var_dump($b, filter_input(INPUT_SERVER, $b));
}
echo '<hr>';
var_dump($_ENV);
foreach (array_keys($_ENV) as $b) {
    var_dump($b, filter_input(INPUT_ENV, $b));
}
?>
If you want to be on the safe side, using the superglobal $_SERVER and $_ENV variables will always work. You can still use the filter_* functions for Get/Post/Cookie without a problem, which is the important part!

If your $_POST contains an array value:
<?php
$_POST = array(
    'var' => array('more', 'than', 'one', 'values')
);
?>
you should use the FILTER_REQUIRE_ARRAY option:
<?php
var_dump(filter_input(INPUT_POST, 'var', FILTER_DEFAULT, FILTER_REQUIRE_ARRAY));
?>
Otherwise it returns false.

Note that this function doesn't (or at least doesn't seem to) actually filter based on the current values of $_GET etc. Instead, it seems to filter based off the original values.
<?php
$_GET['search'] = 'foo'; // This has no effect on the filter_input
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
If you need to set a default input value and filter that, use filter_var on your required input variable instead.

Here is an example of how to work with the options parameter. Notice the 'options' in the 'options' parameter!
<?php
$options = array('options' => array('default' => 5, 'min_range' => 0, 'max_range' => 9));
$priority = filter_input(INPUT_GET, 'priority', FILTER_VALIDATE_INT, $options);
?>
$priority will be 5 if the priority parameter isn't set or is out of the given range.

To use a class method for a callback function, as usual, provide an array with an instance of the class and the method name.
Example:
<?php
class myValidator
{
    public function username($value)
    {
        // Return the username, or boolean false so filter_input() reports a failure.
        // The rule below (3-16 letters, digits or underscores) is only illustrative;
        // substitute your site's own username policy.
        return preg_match('/^[A-Za-z0-9_]{3,16}$/', (string) $value) ? $value : false;
    }
}
$myValidator = new myValidator;
$options = array('options' => array($myValidator, 'username'));
$username = filter_input(INPUT_GET, 'username', FILTER_CALLBACK, $options);
var_dump($username);
?>

The beauty of using this instead of directly using filter_var( $_GET['search'] ) is that you don't need to check if( isset( $_GET['search'] ) ), as if you pass that to filter_var and the key is not set then it will result in a warning. This function simplifies this and will return the relevant result to you (as per your options set) if the key has not been set in the user input.
If the type of filter you are using also supports a 'default' argument then this function will also stuff your missing input key with that value, again saving your efforts.

I wouldn't recommend people use this function to store their data in a database. It's best not to encode data when storing it; it's better to store it raw and convert it at the time of need.
One main reason for this is because if you have a short CHAR(16) field and the text contains encoded characters (quotes, ampersand) you can easily take a 12 character entry which obviously fits, but because of encoding it no longer fits.
Also, while not as common, if you need to use this data in another place, such as a non webpage (perhaps in a desktop app, or to a cell phone SMS or to a pager) the HTML encoded data will appear raw, and now you have to decode the data.
In summary, the best way to architect your system is to store data raw and encode it only the moment you need to. So this means in your PHP, upon doing a SQL query, instead of merely doing an echo $row['title'] you need to run htmlentities() on your echos, or better yet, an abstract function.
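An added example (not from the PHP manual or the note's author) of the approach argued for above: keep the stored value raw, enforce length on the raw value, and encode per output context only at the moment of use. It assumes a constructed "items" table in an in-memory SQLite database via PDO so it runs offline, and a POST field named "title".

```php
<?php
// Added example, not part of the PHP manual: store raw, encode at output.
// The "items" table, the "title" POST field and CHAR(16) are assumed stand-ins.

declare(strict_types=1);

const MAX_TITLE = 16;   // mirrors the note's CHAR(16) column

// Input: filter_input() with FILTER_UNSAFE_RAW returns the bytes unchanged.
// null = field not sent, false = not a scalar (e.g. title[]=x). Length is
// checked on the raw value, so encoding can never push a valid title past
// the column size. (Called from the request handler; not exercised by the demo.)
function read_title_from_request(): ?string
{
    $title = filter_input(INPUT_POST, 'title', FILTER_UNSAFE_RAW);
    return (is_string($title) && mb_strlen($title, 'UTF-8') <= MAX_TITLE) ? $title : null;
}

// Storage: prepared statement, raw value, no encoding.
function store_title(PDO $db, string $title): void
{
    $stmt = $db->prepare('INSERT INTO items (title) VALUES (:title)');
    $stmt->execute([':title' => $title]);
}

// Output: one encoder per context, applied at the moment of use.
function for_html(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function for_url(string $raw): string
{
    return rawurlencode($raw);
}

// Demo with a constructed 10-character title that fits CHAR(16) raw; its
// HTML-encoded form is 24 characters and would not.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE items (title CHAR(16))');
store_title($db, 'Me & "son"');

$row = $db->query('SELECT title FROM items')->fetch(PDO::FETCH_ASSOC);
$raw = $row['title'];
printf("stored raw   : %s (%d chars)\n", $raw, mb_strlen($raw, 'UTF-8'));
printf("html context : %s (%d chars)\n", for_html($raw), strlen(for_html($raw)));
printf("url context  : ?search=%s\n", for_url($raw));
printf("plain text   : %s\n", $raw);   // SMS/pager channel: nothing to decode
```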