PHPのお勉強!

PHP TOP

filter_var

(PHP 5 >= 5.2.0, PHP 7, PHP 8)

filter_var指定したフィルタでデータをフィルタリングする

説明

filter_var(mixed $value, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed

パラメータ

value

フィルタリングする値。値をフィルタリングする前に、 内部的に 文字列への変換 が行われることに注意しましょう。

filter

適用するフィルタの ID。フィルタの型 に、利用できるフィルタの一覧があります。

省略した場合は FILTER_DEFAULT を使います。これは FILTER_UNSAFE_RAW と同等です。 結果的に、デフォルトでは何もフィルタリングをしません。

options

オプションあるいはフラグの論理和の連想配列。 オプションを指定可能なフィルタの場合、この配列の "flags" フィールドにフラグを指定します。 "callback" フィルタの場合は、callable 型を渡さなければなりません。 コールバックは、フィルタリングする値を引数として受け取り、 処理後の値を返すようにしなければなりません。

<?php
// オプションを許可するフィルタは、このような形式となります
$options = array(
'options' => array(
'default' => 3, // フィルタが失敗した場合に返す値
// その他のオプションをここに書きます
'min_range' => 0
),
'flags' => FILTER_FLAG_ALLOW_OCTAL,
);
$var = filter_var('0755', FILTER_VALIDATE_INT, $options);

// フラグのみを許可するフィルタは、それを直接記述します
$var = filter_var('oops', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);

// フラグのみを許可するフィルタは、配列として渡すこともできます
$var = filter_var('oops', FILTER_VALIDATE_BOOLEAN,
array(
'flags' => FILTER_NULL_ON_FAILURE));

// コールバック検証フィルタ
function foo($value)
{
// 期待する書式: Surname, GivenNames
if (strpos($value, ", ") === false) return false;
list(
$surname, $givennames) = explode(", ", $value, 2);
$empty = (empty($surname) || empty($givennames));
$notstrings = (!is_string($surname) || !is_string($givennames));
if (
$empty || $notstrings) {
return
false;
} else {
return
$value;
}
}
$var = filter_var('Doe, Jane Sue', FILTER_CALLBACK, array('options' => 'foo'));
?>

戻り値

フィルタリングされたデータ、あるいは処理に失敗した場合に false を返します。

例1 filter_var() の例

<?php
var_dump
(filter_var('bob@example.com', FILTER_VALIDATE_EMAIL));
var_dump(filter_var('http://example.com', FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED));
?>

上の例の出力は以下となります。

string(15) "bob@example.com"
bool(false)

例2 配列をフィルタする例

<?php
$emails
= [
"bob@example.com",
"test@example.local",
"invalidemail"
];

var_dump(filter_var($emails, FILTER_VALIDATE_EMAIL, FILTER_REQUIRE_ARRAY));
?>

上の例の出力は以下となります。

array(3) {
  [0]=>
  string(15) "bob@example.com"
  [1]=>
  string(18) "test@example.local"
  [2]=>
  bool(false)
}

参考

  • filter_var_array() - 複数の変数を受け取り、オプションでそれらをフィルタリングする
  • filter_input() - 指定した名前の変数を外部から受け取り、オプションでそれをフィルタリングする
  • filter_input_array() - 外部から変数を受け取り、オプションでそれらをフィルタリングする
  • フィルタの型

add a note

User Contributed Notes 30 notes

up
172
cabrinosimone at gmail dot com
11 years ago
Pay attention that the function will not validate "not latin" domains.

if (filter_var('уникум@из.рф', FILTER_VALIDATE_EMAIL)) {
echo 'VALID';
} else {
echo 'NOT VALID';
}
up
8
Random Guy
11 months ago
Actually, this is not really a helpful comment for a manual (so, don't upvote), but as search engines don't find a lot of occurrences for the error message and especially no helpful hint, it might save somebody some time.

If you're getting an error message like "filter_var(): Unknown filter with ID 2097152" or a different number, you just accidentally mixed up the parameters. So, instead of

<?php
filter_var
($ip, FILTER_FLAG_IPV6)
?>

you should try it with

<?php
filter_var
($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)
?>

and it will work ;) I know, this isn't the most intuitive form you can design a function and it's tempting to throw everything into one param as it is done for regular checks, but, yeah, it is how it is.
up
101
gt at kani dot hu
11 years ago
I found some addresses that FILTER_VALIDATE_EMAIL rejects, but RFC5321 permits:
<?php
foreach (array(
'localpart.ending.with.dot.@example.com',
'(comment)localpart@example.com',
'"this is v@lid!"@example.com',
'"much.more unusual"@example.com',
'postbox@com',
'admin@mailserver1',
'"()<>[]:,;@\\"\\\\!#$%&\'*+-/=?^_`{}| ~.a"@example.org',
'" "@example.org',
) as
$address) {
echo
"<p>$address is <b>".(filter_var($address, FILTER_VALIDATE_EMAIL) ? '' : 'not')." valid</b></p>";
}
?>
Results:

localpart.ending.with.dot.@example.com is not valid
(comment)localpart@example.com is not valid
"this is v@lid!"@example.com is not valid
"much.more unusual"@example.com is not valid
postbox@com is not valid
admin@mailserver1 is not valid
"()<>[]:,;@\"\\!#$%&'*+-/=?^_`{}| ~.a"@example.org is not valid
" "@example.org is not valid

The documentation does not saying that FILTER_VALIDATE_EMAIL should pass the RFC5321, however you can meet with these examples (especially with the first one). So this is a note, not a bug report.
up
61
divinity76 at gmail dot com
7 years ago
note that FILTER_VALIDATE_BOOLEAN tries to be smart, recognizing words like Yes, No, Off, On, both string and native types of true and false, and is not case-sensitive when validating strings.

<?php
$vals
=array('on','On','ON','off','Off','OFF','yes','Yes','YES',
'no','No','NO',0,1,'0','1','true',
'True','TRUE','false','False','FALSE',true,false,'foo','bar');
foreach(
$vals as $val){
echo
var_export($val,true).': '; var_dump(filter_var($val,FILTER_VALIDATE_BOOLEAN,FILTER_NULL_ON_FAILURE));
}
?>

outputs:
'on': bool(true)
'On': bool(true)
'ON': bool(true)
'off': bool(false)
'Off': bool(false)
'OFF': bool(false)
'yes': bool(true)
'Yes': bool(true)
'YES': bool(true)
'no': bool(false)
'No': bool(false)
'NO': bool(false)
0: bool(false)
1: bool(true)
'0': bool(false)
'1': bool(true)
'true': bool(true)
'True': bool(true)
'TRUE': bool(true)
'false': bool(false)
'False': bool(false)
'FALSE': bool(false)
true: bool(true)
false: bool(false)
'foo': NULL
'bar': NULL
up
22
Steve
6 years ago
The note from "hek" about HTML5 having patterns thus alleviating the need to filter in PHP is completely wrong: You still must filter input on the server side. The HTML5 form inputs are client-side, meaning they are completely under the user's control. Only when you receive the data in PHP is it server-side and under your control. Once the data is under your control, then you must filter/sanitize it properly.

This is true regardless of server-side language. I would encourage the moderators to remove the note from "hek" because it will mislead people with horrible consequences.

Steve
up
58
Andi, info at pragmamx dot org
12 years ago
And this is also a valid url

http://example.com/"><script>alert(document.cookie)</script>
up
1
Anonymous
1 year ago
Pay attention:
questionmark in url is also valid

<?php
echo filter_var("http://test???test.com", FILTER_VALIDATE_URL)?"valid":"not valid"; #valid
?>
up
17
Anonymous
9 years ago
FILTER_VALIDATE_URL allows:

filter_var('javascript://comment%0Aalert(1)', FILTER_VALIDATE_URL);

Where the %0A (URL encoded newline), in certain contexts, will split the comment from the JS code.

This can result in an XSS vulnerability.
up
6
mpyw628 at gmail dot com
6 years ago
I wrote a JavaScript email validator fully compatible with PHP's filter_var() implementation.

mpyw/FILTER_VALIDATE_EMAIL.js: Email validation compatible with PHP's filter_var($value, FILTER_VALIDATE_EMAIL)
https://github.com/mpyw/FILTER_VALIDATE_EMAIL.js
up
1
Guy Sartorelli
1 year ago
Note that filter_var() with FILTER_VALIDATE_URL uses RFC2396 which is obsolete. This means it treats some currently valid characters (such as "_") as being invalid.

In many cases it may be more beneficial to use php parse_url() which uses RFC3986 which is what is currently in effect.
up
6
dale dot liszka at gmail dot com
16 years ago
Using the FILTER_CALLBACK requires an array to be passed as the options:

<?php
function toDash($x){
return
str_replace("_","-",$x);
}

echo
filter_var("asdf_123",FILTER_CALLBACK,array("options"=>"toDash"));
// returns 'asdf-123'
?>
up
7
marcus at synchromedia dot co dot uk
12 years ago
It's very likely that you actually want to detect all reserved ranges, not just private IPs, and there's another constant for them that should be bitwise-OR'd with it.
<?php
function is_private_ip($ip) {
return !
filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
}
?>
up
8
dale dot liszka at gmail dot com
16 years ago
Here is how to use multiple flags (for those who learn better by example, like me):

<?php
echo "|asdf".chr(9).chr(128)."_123|";
echo
"\n";
// "bitwise conjunction" means logic OR / bitwise |
echo filter_var("|asdf".chr(9).chr(128)."_123\n|" ,FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);

/*
Results:
|asdf �_123|
|asdf_123|
*/
?>
up
7
keevitaja at gmail dot com
12 years ago
please note FILTER_VALIDATE_URL passes following url

http://example.ee/sdsf"f
up
1
crisp at tweakers dot net
6 years ago
Note that only using FILTER_VALIDATE_URL to validate url's input may result in XSS:

$url = 'javascript://%0Aalert(document.cookie)';

if (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED)) {
echo '<a href="' . $url . '">click</a>';
}

You should at least additionally check the actually used scheme.
up
3
jon dot bertsch at ucop dot edu
15 years ago
Here's an actual example of the filter syntax with a flag since there doesn't appear to be a one liner for this anywhere:

'hours' => array('filter'=>FILTER_SANITIZE_NUMBER_FLOAT, 'flags' => FILTER_FLAG_ALLOW_FRACTION, 'options'=> '.')
up
2
remindfwd
1 year ago
Please note that the following will return true, even if the URL is not correct. Because it validates only the domain, subdomain, path and query, not the protocol.

<?php
filter_var
( 'http://https://example.com', FILTER_VALIDATE_URL );
?>

Please read more on https://www.php.net/manual/en/filter.filters.validate.php
up