PHP Filters

Validating data is critical for web security. The PHP filter extension provides highly robust and native functions to both validate and sanitize external input (such as user form data).


The filter_var() Function

The filter_var() function is the engine of the PHP filter extension. It both validates and sanitizes data depending on the filter flag you provide.

It takes two parameters:

  1. The variable you want to check.
  2. The type of check (the filter flag) to use.

1. Sanitizing a String

The FILTER_SANITIZE_STRING filter removes all HTML tags from a string. If a user tries to input a script like <script>alert(1);</script>, this filter safely strips the tags.

Sanitize Example

<?php
$str = "<h1>Hello World!</h1>";

// Remove HTML tags from the string
$newstr = filter_var($str, FILTER_SANITIZE_STRING);

echo $newstr; // Outputs: Hello World!
?>

(Note: FILTER_SANITIZE_STRING has been deprecated in recent PHP 8+ versions in favor of htmlspecialchars(), but understanding the concept of sanitization filters is vital).


2. Validating an Integer

The FILTER_VALIDATE_INT filter checks if a variable is a valid integer.

Validate Example

<?php
$int = 100;

// filter_var() returns the validated integer on success and false on failure.
// Compare the return value with !== false: the integer 0 is a valid value,
// so a plain truthiness test (or "!filter_var(...) === false", which negates
// the result before comparing it) would reject it.
if (filter_var($int, FILTER_VALIDATE_INT) !== false) {
    echo "Integer is valid";
} else {
    echo "Integer is not valid";
}
?>
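The following is an added example, not code from the original page, that carries both sections above a step further: it validates integers with a range (the `min_range`/`max_range` options of FILTER_VALIDATE_INT), shows the edge cases where a truthiness check would go wrong (0, a trailing non-digit, a float), and uses htmlspecialchars() as the non-deprecated replacement for FILTER_SANITIZE_STRING mentioned in the note. The helper names isValidInt and sanitizeForHtml and the sample values are constructed for this example.

```php
<?php
// Added example (not from the original page). Sample inputs are constructed.

// Validation: filter_var() returns the filtered value on success and false
// on failure, so the check must be "!== false"; testing for truthiness
// would wrongly reject a valid 0. Optional bounds use the documented
// min_range / max_range options of FILTER_VALIDATE_INT.
function isValidInt(mixed $value, ?int $min = null, ?int $max = null): bool
{
    $options = ['options' => []];
    if ($min !== null) {
        $options['options']['min_range'] = $min;
    }
    if ($max !== null) {
        $options['options']['max_range'] = $max;
    }
    return filter_var($value, FILTER_VALIDATE_INT, $options) !== false;
}

// Sanitization on PHP 8.1+: FILTER_SANITIZE_STRING is deprecated, so data
// destined for an HTML page is escaped with htmlspecialchars() instead of
// having its tags stripped. The tags survive as harmless text.
function sanitizeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs that a form might submit (always strings).
$samples = ["100", "0", "-7", "42abc", "3.5", "999"];
foreach ($samples as $input) {
    printf("%-8s valid int: %-3s  in range 1..100: %s\n",
        "\"$input\"",
        isValidInt($input) ? 'yes' : 'no',
        isValidInt($input, 1, 100) ? 'yes' : 'no');
}
// "100"   yes / yes
// "0"     yes / no   (valid integer, but below min_range)
// "-7"    yes / no
// "42abc" no  / no   (trailing characters make the whole value invalid)
// "3.5"   no  / no   (floats are not integers)
// "999"   yes / no   (above max_range)

echo sanitizeForHtml("<h1>Hello World!</h1><script>alert(1);</script>"), "\n";
// Outputs: &lt;h1&gt;Hello World!&lt;/h1&gt;&lt;script&gt;alert(1);&lt;/script&gt;
```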

Exercise

Which function is primarily used to apply validation and sanitization filters to a variable?