The constants below are defined by this extension, and will only be available when the extension has either been compiled into PHP or dynamically loaded at runtime.
These constants are used by filter_input() and filter_input_array().
INPUT_POST
(int)
INPUT_GET
(int)
INPUT_ENV
(int)
INPUT_SERVER
(int)
INPUT_SESSION
(int)
INPUT_REQUEST
(int)
FILTER_FLAG_NONE
(int)
FILTER_REQUIRE_SCALAR
(int)
FILTER_REQUIRE_ARRAY
(int)
FILTER_FORCE_ARRAY
(int)
FILTER_NULL_ON_FAILURE
(int)
null instead of false on failure.
Usable with any validation
FILTER_VALIDATE_*
filter.
FILTER_FLAG_STRIP_LOW
(int)
FILTER_FLAG_STRIP_HIGH
(int)
FILTER_FLAG_STRIP_BACKTICK
(int)
`) characters.
FILTER_FLAG_ENCODE_LOW
(int)
FILTER_FLAG_ENCODE_HIGH
(int)
FILTER_FLAG_ENCODE_AMP
(int)
&.
FILTER_FLAG_NO_ENCODE_QUOTES
(int)
' and ")
will not be encoded.
FILTER_FLAG_EMPTY_STRING_NULL
(int)
null
FILTER_VALIDATE_BOOL
(int)
true for "1",
"true",
"on",
and "yes".
Returns false for "0",
"false",
"off",
"no", and
"".
The return value for non-boolean values depends on the
FILTER_NULL_ON_FAILURE.
If it is set, null is returned, otherwise false is returned.
defaultFILTER_VALIDATE_BOOLEAN
(int)
FILTER_VALIDATE_BOOL.
The alias was available prior to the introduction of its canonical
name in PHP 8.0.0.
FILTER_VALIDATE_INT
(int)
Note: String values are trimmed using trim() before validation.
defaultmin_rangemax_rangeFILTER_FLAG_ALLOW_OCTAL
(int)
0[0-7]+).
FILTER_FLAG_ALLOW_HEX
(int)
0x[0-9a-fA-F]+).
FILTER_VALIDATE_FLOAT
(int)
Note: String values are trimmed using trim() before validation.
defaultdecimalmin_rangemax_rangeFILTER_FLAG_ALLOW_THOUSAND
(int)
,),
which usually represent the thousand separator.
FILTER_VALIDATE_REGEXP
(int)
regexp option.
defaultregexpFILTER_VALIDATE_URL
(int)
defaultFILTER_FLAG_SCHEME_REQUIRED
(int)
DEPRECATED as of PHP 7.3.0 and
REMOVED as of PHP 8.0.0.
This is because it is always implied by the
FILTER_VALIDATE_URL filter.
FILTER_FLAG_HOST_REQUIRED
(int)
DEPRECATED as of PHP 7.3.0 and
REMOVED as of PHP 8.0.0.
This is because it is always implied by the
FILTER_VALIDATE_URL filter.
FILTER_FLAG_PATH_REQUIRED
(int)
FILTER_FLAG_QUERY_REQUIRED
(int)
A valid URL may not specify the
HTTP protocol (http://).
Therefore, further validation may be required to determine if the
URL uses an expected protocol,
e.g. ssh:// or mailto:.
This filter only works on ASCII URLs. This means that Internationalized Domain Names (IDN) will always be rejected.
FILTER_VALIDATE_DOMAIN
(int)
defaultFILTER_FLAG_HOSTNAME
(int)
FILTER_VALIDATE_EMAIL
(int)
addr-spec
syntax in
» RFC 822.
However, comments, whitespace folding, and dotless domain names
are not supported, and thus will be rejected.
defaultFILTER_FLAG_EMAIL_UNICODE
(int)
Email validation is complex and the only true way to confirm an email is valid and exists is to send an email to the address.
FILTER_VALIDATE_IP
(int)
Validates value as IP address.
defaultFILTER_FLAG_IPV4
(int)
FILTER_FLAG_IPV6
(int)
FILTER_FLAG_NO_RES_RANGE
(int)
Reserved-By-Protocol in
» RFC 6890.
Which for IPv4 corresponds to the following ranges:
0.0.0.0/8, 169.254.0.0/16, 127.0.0.0/8, 240.0.0.0/4.
And for IPv6 corresponds to the following ranges:
::1/128, ::/128, ::FFFF:0:0/96, FE80::/10.
FILTER_FLAG_NO_PRIV_RANGE
(int)
These are IPv4 addresses which are in the following ranges:
10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.
FD or FC.
FILTER_FLAG_GLOBAL_RANGE
(int)
Global attribute is True.
Available as of PHP 8.2.0.
FILTER_VALIDATE_MAC
(int)
defaultFILTER_UNSAFE_RAW
(int)
FILTER_FLAG_STRIP_*
and FILTER_FLAG_ENCODE_*
filter sanitization flags.
FILTER_DEFAULT
(int)
FILTER_UNSAFE_RAW.
FILTER_SANITIZE_STRING
(int)
FILTER_FLAG_STRIP_*
and FILTER_FLAG_ENCODE_*
filter sanitization flags.
The behaviour of encoding quotes can be disabled by using the
FILTER_FLAG_NO_ENCODE_QUOTES filter flag.
Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.
The way this filter strips tags is not equivalent to strip_tags().
FILTER_SANITIZE_STRIPPED
(int)
FILTER_SANITIZE_STRING.
Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.
FILTER_SANITIZE_ENCODED
(int)
FILTER_FLAG_STRIP_*
and FILTER_FLAG_ENCODE_*
filter sanitization flags.
FILTER_SANITIZE_SPECIAL_CHARS
(int)
This filter HTML-encodes
', ", <, >, &
and characters with an ASCII value less than 32.
FILTER_FLAG_STRIP_*
filter sanitization flags, and it can encode characters with ASCII value
greater than 127 using FILTER_FLAG_ENCODE_HIGH.
FILTER_SANITIZE_FULL_SPECIAL_CHARS
(int)
ENT_QUOTES set.
The behaviour of encoding quotes can be disabled by using the
FILTER_FLAG_NO_ENCODE_QUOTES filter flag.
Like htmlspecialchars(), this filter is aware of the default_charset INI setting. If a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a empty string being returned.
FILTER_SANITIZE_EMAIL
(int)
[a-zA-Z]),
digits ([0-9]),
and the special characters
!#$%&'*+-=?^_`{|}~@.[].
FILTER_SANITIZE_URL
(int)
[a-zA-Z]),
digits ([0-9]),
and the special characters
$-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
FILTER_SANITIZE_NUMBER_INT
(int)
[0-9]), plus sign (+),
and minus sign (-).
FILTER_SANITIZE_NUMBER_FLOAT
(int)
[0-9]), plus sign (+),
and minus sign (-).
FILTER_FLAG_ALLOW_FRACTION
(int)
.) character,
which usually represents the separator between the integer and
fractional parts.
FILTER_FLAG_ALLOW_THOUSAND
(int)
,) character,
which usually represents the thousand separator.
FILTER_FLAG_ALLOW_SCIENTIFIC
(int)
e and E characters.
If the FILTER_FLAG_ALLOW_FRACTION flag is not used,
then the decimal separator is removed, altering the value received.
<?php
$number = '12.34';
var_dump(filter_var($number, FILTER_SANITIZE_NUMBER_FLOAT));
var_dump(filter_var($number, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION));
?>The above example will output:
string(4) "1234" string(5) "12.34"
FILTER_SANITIZE_ADD_SLASHES
(int)
FILTER_SANITIZE_MAGIC_QUOTES
(int)
FILTER_SANITIZE_ADD_SLASHES.
DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0.
FILTER_CALLBACK
(int)
options parameter as the value associated to
the 'options' key.
The callback should have the following signature:
valueNote: The value returned by the callback will be the value returned by the invoked filter function.
Example #1
Example of using FILTER_CALLBACK to validate
a login name
<?php
function validate_login($value): ?string
{
if (strlen($value) >= 5 && ctype_alnum($value)) {
return $value;
}
return null;
}
$login = "val1dL0gin";
$filtered_login = filter_var($login, FILTER_CALLBACK, ['options' => 'validate_login']);
var_dump($filtered_login);
$login = "f&ke login";
$filtered_login = filter_var($login, FILTER_CALLBACK, ['options' => 'validate_login']);
var_dump($filtered_login);
?>The above example will output:
string(10) "val1dL0gin" NULL
This filter cannot be used with any other filter flags, e.g.
FILTER_NULL_ON_FAILURE.