Predefined Constants

The constants below are defined by this extension, and will only be available when the extension has either been compiled into PHP or dynamically loaded at runtime.

Input Constants

These constants are used by filter_input() and filter_input_array().

INPUT_POST (int)

POST variables.

INPUT_GET (int)

GET variables.

INPUT_COOKIE (int)

COOKIE variables.

INPUT_ENV (int)

ENV variables.

INPUT_SERVER (int)

SERVER variables.

INPUT_SESSION (int)

SESSION variables. (Removed as of PHP 8.0.0; was not implemented previously)

INPUT_REQUEST (int)

REQUEST variables. (Removed as of PHP 8.0.0; was not implemented previously)

Generic Filter Flags

FILTER_FLAG_NONE (int)

No flags.

FILTER_REQUIRE_SCALAR (int)

Flag used to require the input of the filter to be a scalar.

FILTER_REQUIRE_ARRAY (int)

Flag used to require the input of the filter to be an array.

FILTER_FORCE_ARRAY (int)

This flag wraps scalar inputs into a one element array for filters which operate on arrays.

FILTER_NULL_ON_FAILURE (int)

Use null instead of false on failure. Usable with any validation FILTER_VALIDATE_* filter.

Sanitization Filter Flags

FILTER_FLAG_STRIP_LOW (int)

Strip characters with ASCII value less than 32.

FILTER_FLAG_STRIP_HIGH (int)

Strip characters with ASCII value greater than 127.

FILTER_FLAG_STRIP_BACKTICK (int)

Strips backtick (`) characters.

FILTER_FLAG_ENCODE_LOW (int)

Encode characters with ASCII value less than 32.

FILTER_FLAG_ENCODE_HIGH (int)

Encode characters with ASCII value greater than 127.

FILTER_FLAG_ENCODE_AMP (int)

Encode &.

FILTER_FLAG_NO_ENCODE_QUOTES (int)

Singe and double quotes (' and ") will not be encoded.

FILTER_FLAG_EMPTY_STRING_NULL (int)

If sanitizing a string results in an empty string, convert the value to null

Validation Filters

FILTER_VALIDATE_BOOL (int)

Returns true for "1", 1 including binary, octal and hexadecimal notations, 1.0, "true", true, "on", and "yes". Returns false for "0", 0 including binary, octal and hexadecimal notations, 0.0, "false", false, "off", "no", and "". String values are compared case-insensitively. The return value for non-boolean values depends on the FILTER_NULL_ON_FAILURE. If it is set, null is returned, otherwise false is returned.

Available options

default

Value to return in case the filter fails.

Available as of PHP 8.0.0.

FILTER_VALIDATE_BOOLEAN (int)

Alias of FILTER_VALIDATE_BOOL. The alias was available prior to the introduction of its canonical name in PHP 8.0.0.

FILTER_VALIDATE_INT (int)

Validates whether the value is an integer, on success it is converted to type int.

Note: String values are trimmed using trim() before validation.

Available options

default

Value to return in case the filter fails.

min_range

Value is only valid if it is greater than or equal to the provided value.

max_range

Value is only valid if it is less than or equal to the provided value.

Optional Flags

FILTER_FLAG_ALLOW_OCTAL (int)

Allow integers in octal notation (0[0-7]+).

FILTER_FLAG_ALLOW_HEX (int)

Allow integers in hexadecimal notation (0x[0-9a-fA-F]+).

FILTER_VALIDATE_FLOAT (int)

Validates whether the value is a float, on success it is converted to type float.

Note: String values are trimmed using trim() before validation.

Available options

default

Value to return in case the filter fails.

decimal

min_range

Value is only valid if it is greater than or equal to the provided value. Available as of PHP 7.4.0.

max_range

Value is only valid if it is less than or equal to the provided value. Available as of PHP 7.4.0.

Optional Flags

FILTER_FLAG_ALLOW_THOUSAND (int)

Accept commas (,), which usually represent the thousand separator.

FILTER_VALIDATE_REGEXP (int)

Validates value against the regular expression provided by the regexp option.

Available options

default

Value to return in case the filter fails.

regexp

Perl-compatible regular expression.

FILTER_VALIDATE_URL (int)

Validates whether the URL is valid according to » RFC 2396.

Available options

default

Value to return in case the filter fails.

Optional Flags

FILTER_FLAG_SCHEME_REQUIRED (int)

Requires the URL to contain a scheme part.

Warning

DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0. This is because it is always implied by the FILTER_VALIDATE_URL filter.

FILTER_FLAG_HOST_REQUIRED (int)

Requires the URL to contain a host part.

Warning

DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0. This is because it is always implied by the FILTER_VALIDATE_URL filter.

FILTER_FLAG_PATH_REQUIRED (int)

Requires the URL to contain a path part.

FILTER_FLAG_QUERY_REQUIRED (int)

Requires the URL to contain a query part.

Warning

A valid URL may not specify the HTTP protocol (http://). Therefore, further validation may be required to determine if the URL uses an expected protocol, e.g. ssh:// or mailto:.

Warning

This filter only works on ASCII URLs. This means that Internationalized Domain Names (IDN) will always be rejected.

FILTER_VALIDATE_DOMAIN (int)

Validates whether the domain name is valid according to » RFC 952, » RFC 1034, » RFC 1035, » RFC 1123, » RFC 2732, and » RFC 2181.

Available options

default

Value to return in case the filter fails.

Optional Flags

FILTER_FLAG_HOSTNAME (int)

Require hostnames to start with an alphanumeric character and contain only alphanumerics or hyphens.

FILTER_VALIDATE_EMAIL (int)

Validates whether the value is a "valid" e-mail address. The validation is performed against the addr-spec syntax in » RFC 822. However, comments, whitespace folding, and dotless domain names are not supported, and thus will be rejected.

Available options

default

Value to return in case the filter fails.

Optional Flags

FILTER_FLAG_EMAIL_UNICODE (int)

Accepts Unicode characters in the local part. Available as of PHP 7.1.0.

Warning

Email validation is complex and the only true way to confirm an email is valid and exists is to send an email to the address.

FILTER_VALIDATE_IP (int)

Validates value as IP address.

Available options

default

Value to return in case the filter fails.

Optional Flags

FILTER_FLAG_IPV4 (int)

Allow IPv4 address.

FILTER_FLAG_IPV6 (int)

Allow IPv6 address.

FILTER_FLAG_NO_RES_RANGE (int)

Deny reserved addresses. These are the ranges that are marked as Reserved-By-Protocol in » RFC 6890.

Which for IPv4 corresponds to the following ranges: 0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 240.0.0.0/4.

And for IPv6 corresponds to the following ranges: ::1/128, ::/128, ::FFFF:0:0/96, FE80::/10.

FILTER_FLAG_NO_PRIV_RANGE (int)

Deny private addresses.

These are IPv4 addresses which are in the following ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.

These are IPv6 addresses starting with FD or FC.

FILTER_FLAG_GLOBAL_RANGE (int)

Only allow global addresses. These can be found in » RFC 6890 where the Global attribute is True. Available as of PHP 8.2.0.

FILTER_VALIDATE_MAC (int)

Validates whether the value is a MAC address.

Available options

default

Value to return in case the filter fails.

Sanitizing Filters

FILTER_UNSAFE_RAW (int)

This filter does nothing. However, it can strip or encode special characters if used together with the FILTER_FLAG_STRIP_* and FILTER_FLAG_ENCODE_* filter sanitization flags.

FILTER_DEFAULT (int)

Alias of FILTER_UNSAFE_RAW.

FILTER_SANITIZE_STRING (int)

This filter strips tags and HTML-encodes double and single quotes. Optionally it can strip or encode specified characters if used together with the FILTER_FLAG_STRIP_* and FILTER_FLAG_ENCODE_* filter sanitization flags. The behaviour of encoding quotes can be disabled by using the FILTER_FLAG_NO_ENCODE_QUOTES filter flag.

Warning

Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.

Warning

The way this filter strips tags is not equivalent to strip_tags().

FILTER_SANITIZE_STRIPPED (int)

Alias of FILTER_SANITIZE_STRING.

Warning

Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.

FILTER_SANITIZE_ENCODED (int)

This filter URL-encodes a string. Optionally it can strip or encode specified characters if used together with the FILTER_FLAG_STRIP_* and FILTER_FLAG_ENCODE_* filter sanitization flags.

FILTER_SANITIZE_SPECIAL_CHARS (int)

This filter HTML-encodes ', ", <, >, & and characters with an ASCII value less than 32. Unlike the FILTER_SANITIZE_FULL_SPECIAL_CHARS filter, the FILTER_SANITIZE_SPECIAL_CHARS filter ignores the FILTER_FLAG_NO_ENCODE_QUOTES flag.

Optionally it can strip specified characters if used together with the FILTER_FLAG_STRIP_* filter sanitization flags, and it can encode characters with ASCII value greater than 127 using FILTER_FLAG_ENCODE_HIGH.

FILTER_SANITIZE_FULL_SPECIAL_CHARS (int)

This filter is equivalent to calling htmlspecialchars() with ENT_QUOTES set. The behaviour of encoding quotes can be disabled by using the FILTER_FLAG_NO_ENCODE_QUOTES filter flag.

Warning

Like htmlspecialchars(), this filter is aware of the default_charset INI setting. If a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a empty string being returned.

FILTER_SANITIZE_EMAIL (int)

Sanitize the string by removing all characters except latin letters ([a-zA-Z]), digits ([0-9]), and the special characters !#$%&'*+-=?^_`{|}~@.[].

FILTER_SANITIZE_URL (int)

Sanitize the string by removing all characters except latin letters ([a-zA-Z]), digits ([0-9]), and the special characters $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

FILTER_SANITIZE_NUMBER_INT (int)

Sanitize the string by removing all characters except digits ([0-9]), plus sign (+), and minus sign (-).

FILTER_SANITIZE_NUMBER_FLOAT (int)

Sanitize the string by removing all characters except digits ([0-9]), plus sign (+), and minus sign (-).

Optional Flags

FILTER_FLAG_ALLOW_FRACTION (int)

Accept dot (.) character, which usually represents the separator between the integer and fractional parts.

FILTER_FLAG_ALLOW_THOUSAND (int)

Accept commas (,) character, which usually represents the thousand separator.

FILTER_FLAG_ALLOW_SCIENTIFIC (int)

Accept numbers in scientific notation by allowing the e and E characters.

Warning

If the FILTER_FLAG_ALLOW_FRACTION flag is not used, then the decimal separator is removed, altering the value received.

<?php
$number = '12.34';

var_dump(filter_var($number, FILTER_SANITIZE_NUMBER_FLOAT));
var_dump(filter_var($number, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION));
?>

The above example will output:

string(4) "1234"
string(5) "12.34"

FILTER_SANITIZE_ADD_SLASHES (int)

Apply addslashes() to the input. Available as of PHP 7.3.0.

FILTER_SANITIZE_MAGIC_QUOTES (int)

Alias of FILTER_SANITIZE_ADD_SLASHES.

Warning

DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0.

User Defined Filter

FILTER_CALLBACK (int)

This filter delegates the filtering to a user defined function. The callable is passed via the options parameter as the value associated to the 'options' key.

The callback should have the following signature:

callback(string $value): mixed

value

The value that is being filtered.

Note: The value returned by the callback will be the value returned by the invoked filter function.

Example #1 Example of using FILTER_CALLBACK to validate a login name

<?php
function validate_login(string $value): ?string
{
if (strlen($value) >= 5 && ctype_alnum($value)) {
return $value;
}
return null;
}

$login = "val1dL0gin";
$filtered_login = filter_var($login, FILTER_CALLBACK, ['options' => 'validate_login']);
var_dump($filtered_login);

$login = "f&ke login";
$filtered_login = filter_var($login, FILTER_CALLBACK, ['options' => 'validate_login']);
var_dump($filtered_login);
?>

The above example will output:

string(10) "val1dL0gin"
NULL

Warning

This filter cannot be used with any other filter flags, e.g. FILTER_NULL_ON_FAILURE.