filter_var
(PHP 5 >= 5.2.0, PHP 7, PHP 8)
filter_var — 指定したフィルタでデータをフィルタリングする
パラメータ
value
-
フィルタリングする値。値をフィルタリングする前に、 内部的に 文字列への変換 が行われることに注意しましょう。
filter
-
適用するフィルタの ID。フィルタの型 に、利用できるフィルタの一覧があります。
省略した場合は
FILTER_DEFAULT
を使います。これはFILTER_UNSAFE_RAW
と同等です。 結果的に、デフォルトでは何もフィルタリングをしません。 options
-
オプションあるいはフラグの論理和の連想配列。 オプションを指定可能なフィルタの場合、この配列の "flags" フィールドにフラグを指定します。 "callback" フィルタの場合は、callable 型を渡さなければなりません。 コールバックは、フィルタリングする値を引数として受け取り、 処理後の値を返すようにしなければなりません。
<?php
// オプションを許可するフィルタは、このような形式となります
$options = array(
'options' => array(
'default' => 3, // フィルタが失敗した場合に返す値
// その他のオプションをここに書きます
'min_range' => 0
),
'flags' => FILTER_FLAG_ALLOW_OCTAL,
);
$var = filter_var('0755', FILTER_VALIDATE_INT, $options);
// フラグのみを許可するフィルタは、それを直接記述します
$var = filter_var('oops', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
// フラグのみを許可するフィルタは、配列として渡すこともできます
$var = filter_var('oops', FILTER_VALIDATE_BOOLEAN,
array('flags' => FILTER_NULL_ON_FAILURE));
// コールバック検証フィルタ
function foo($value)
{
// 期待する書式: Surname, GivenNames
if (strpos($value, ", ") === false) return false;
list($surname, $givennames) = explode(", ", $value, 2);
$empty = (empty($surname) || empty($givennames));
$notstrings = (!is_string($surname) || !is_string($givennames));
if ($empty || $notstrings) {
return false;
} else {
return $value;
}
}
$var = filter_var('Doe, Jane Sue', FILTER_CALLBACK, array('options' => 'foo'));
?>
戻り値
フィルタリングされたデータ、あるいは処理に失敗した場合に
false
を返します。
例
例1 filter_var() の例
<?php
var_dump(filter_var('bob@example.com', FILTER_VALIDATE_EMAIL));
var_dump(filter_var('http://example.com', FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED));
?>
上の例の出力は以下となります。
string(15) "bob@example.com" bool(false)
例2 配列をフィルタする例
<?php
$emails = [
"bob@example.com",
"test@example.local",
"invalidemail"
];
var_dump(filter_var($emails, FILTER_VALIDATE_EMAIL, FILTER_REQUIRE_ARRAY));
?>
上の例の出力は以下となります。
array(3) { [0]=> string(15) "bob@example.com" [1]=> string(18) "test@example.local" [2]=> bool(false) }
参考
- filter_var_array() - 複数の変数を受け取り、オプションでそれらをフィルタリングする
- filter_input() - 指定した名前の変数を外部から受け取り、オプションでそれをフィルタリングする
- filter_input_array() - 外部から変数を受け取り、オプションでそれらをフィルタリングする
- フィルタの型
+add a note
User Contributed Notes 30 notes
cabrinosimone at gmail dot com ¶
11 years ago
Pay attention that the function will not validate "not latin" domains.
if (filter_var('уникум@из.рф', FILTER_VALIDATE_EMAIL)) {
echo 'VALID';
} else {
echo 'NOT VALID';
}
Random Guy ¶
11 months ago
Actually, this is not really a helpful comment for a manual (so, don't upvote), but as search engines don't find a lot of occurrences for the error message and especially no helpful hint, it might save somebody some time.
If you're getting an error message like "filter_var(): Unknown filter with ID 2097152" or a different number, you just accidentally mixed up the parameters. So, instead of
<?php
filter_var($ip, FILTER_FLAG_IPV6)
?>
you should try it with
<?php
filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)
?>
and it will work ;) I know, this isn't the most intuitive form you can design a function and it's tempting to throw everything into one param as it is done for regular checks, but, yeah, it is how it is.
gt at kani dot hu ¶
11 years ago
I found some addresses that FILTER_VALIDATE_EMAIL rejects, but RFC5321 permits:
<?php
foreach (array(
'localpart.ending.with.dot.@example.com',
'(comment)localpart@example.com',
'"this is v@lid!"@example.com',
'"much.more unusual"@example.com',
'postbox@com',
'admin@mailserver1',
'"()<>[]:,;@\\"\\\\!#$%&\'*+-/=?^_`{}| ~.a"@example.org',
'" "@example.org',
) as $address) {
echo "<p>$address is <b>".(filter_var($address, FILTER_VALIDATE_EMAIL) ? '' : 'not')." valid</b></p>";
}
?>
Results:
localpart.ending.with.dot.@example.com is not valid
(comment)localpart@example.com is not valid
"this is v@lid!"@example.com is not valid
"much.more unusual"@example.com is not valid
postbox@com is not valid
admin@mailserver1 is not valid
"()<>[]:,;@\"\\!#$%&'*+-/=?^_`{}| ~.a"@example.org is not valid
" "@example.org is not valid
The documentation does not saying that FILTER_VALIDATE_EMAIL should pass the RFC5321, however you can meet with these examples (especially with the first one). So this is a note, not a bug report.
divinity76 at gmail dot com ¶
7 years ago
note that FILTER_VALIDATE_BOOLEAN tries to be smart, recognizing words like Yes, No, Off, On, both string and native types of true and false, and is not case-sensitive when validating strings.
<?php
$vals=array('on','On','ON','off','Off','OFF','yes','Yes','YES',
'no','No','NO',0,1,'0','1','true',
'True','TRUE','false','False','FALSE',true,false,'foo','bar');
foreach($vals as $val){
echo var_export($val,true).': '; var_dump(filter_var($val,FILTER_VALIDATE_BOOLEAN,FILTER_NULL_ON_FAILURE));
}
?>
outputs:
'on': bool(true)
'On': bool(true)
'ON': bool(true)
'off': bool(false)
'Off': bool(false)
'OFF': bool(false)
'yes': bool(true)
'Yes': bool(true)
'YES': bool(true)
'no': bool(false)
'No': bool(false)
'NO': bool(false)
0: bool(false)
1: bool(true)
'0': bool(false)
'1': bool(true)
'true': bool(true)
'True': bool(true)
'TRUE': bool(true)
'false': bool(false)
'False': bool(false)
'FALSE': bool(false)
true: bool(true)
false: bool(false)
'foo': NULL
'bar': NULL
Steve ¶
6 years ago
The note from "hek" about HTML5 having patterns thus alleviating the need to filter in PHP is completely wrong: You still must filter input on the server side. The HTML5 form inputs are client-side, meaning they are completely under the user's control. Only when you receive the data in PHP is it server-side and under your control. Once the data is under your control, then you must filter/sanitize it properly.
This is true regardless of server-side language. I would encourage the moderators to remove the note from "hek" because it will mislead people with horrible consequences.
Steve
Andi, info at pragmamx dot org ¶
12 years ago
And this is also a valid url
http://example.com/"><script>alert(document.cookie)</script>
Anonymous ¶
1 year ago
Pay attention:
questionmark in url is also valid
<?php
echo filter_var("http://test???test.com", FILTER_VALIDATE_URL)?"valid":"not valid"; #valid
?>
Anonymous ¶
9 years ago
FILTER_VALIDATE_URL allows:
filter_var('javascript://comment%0Aalert(1)', FILTER_VALIDATE_URL);
Where the %0A (URL encoded newline), in certain contexts, will split the comment from the JS code.
This can result in an XSS vulnerability.
mpyw628 at gmail dot com ¶
6 years ago
I wrote a JavaScript email validator fully compatible with PHP's filter_var() implementation.
mpyw/FILTER_VALIDATE_EMAIL.js: Email validation compatible with PHP's filter_var($value, FILTER_VALIDATE_EMAIL)
https://github.com/mpyw/FILTER_VALIDATE_EMAIL.js
Guy Sartorelli ¶
1 year ago
Note that filter_var() with FILTER_VALIDATE_URL uses RFC2396 which is obsolete. This means it treats some currently valid characters (such as "_") as being invalid.
In many cases it may be more beneficial to use php parse_url() which uses RFC3986 which is what is currently in effect.
dale dot liszka at gmail dot com ¶
16 years ago
Using the FILTER_CALLBACK requires an array to be passed as the options:
<?php
function toDash($x){
return str_replace("_","-",$x);
}
echo filter_var("asdf_123",FILTER_CALLBACK,array("options"=>"toDash"));
// returns 'asdf-123'
?>
marcus at synchromedia dot co dot uk ¶
12 years ago
It's very likely that you actually want to detect all reserved ranges, not just private IPs, and there's another constant for them that should be bitwise-OR'd with it.
<?php
function is_private_ip($ip) {
return !filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
}
?>
dale dot liszka at gmail dot com ¶
16 years ago
Here is how to use multiple flags (for those who learn better by example, like me):
<?php
echo "|asdf".chr(9).chr(128)."_123|";
echo "\n";
// "bitwise conjunction" means logic OR / bitwise |
echo filter_var("|asdf".chr(9).chr(128)."_123\n|" ,FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);
/*
Results:
|asdf �_123|
|asdf_123|
*/
?>
keevitaja at gmail dot com ¶
12 years ago
please note FILTER_VALIDATE_URL passes following url
http://example.ee/sdsf"f
crisp at tweakers dot net ¶
6 years ago
Note that only using FILTER_VALIDATE_URL to validate url's input may result in XSS:
$url = 'javascript://%0Aalert(document.cookie)';
if (filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED)) {
echo '<a href="' . $url . '">click</a>';
}
You should at least additionally check the actually used scheme.
jon dot bertsch at ucop dot edu ¶
15 years ago
Here's an actual example of the filter syntax with a flag since there doesn't appear to be a one liner for this anywhere:
'hours' => array('filter'=>FILTER_SANITIZE_NUMBER_FLOAT, 'flags' => FILTER_FLAG_ALLOW_FRACTION, 'options'=> '.')
remindfwd ¶
1 year ago
Please note that the following will return true, even if the URL is not correct. Because it validates only the domain, subdomain, path and query, not the protocol.
<?php
filter_var( 'http://https://example.com', FILTER_VALIDATE_URL );
?>
Please read more on https://www.php.net/manual/en/filter.filters.validate.php