
How to Validate User Input Form Data in PHP using filter_var()

If your website lets visitors submit information through web forms, you will want to check the data to ensure it is valid and accurate. This process is called data validation. In addition to ensuring accurate data, data validation can also help protect you from potentially malicious code embedded in the data that could compromise your website or expose private customer data stored in your database to cyber bad actors.

Feedback forms and order forms are common web forms where a website collects information from visitors. If you are using PHP in the development of your website, you have the easy-to-use filter_var() function to help you validate user data. This function is a server-side validation tool, meaning your user data has to be sent to your web server where the validation is performed. This function is available on PHP v5.2.0 or higher.

Overview of PHP filter_var() Function

Syntax: filter_var(var, filter, options)

Parameters:

  • var - The data to filter. Required.
  • filter - The ID or name of the filter to use. Optional. The default is FILTER_DEFAULT, which results in no filtering.
  • options - One or more options or flags to use.



How to Validate a URL

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_URL filter to check whether the URL in the string is properly formatted. The function does not determine whether a website exists at that URL.

<?php
$URL = "https://www.meridianoutpost.com";
if (filter_var($URL, FILTER_VALIDATE_URL)) {
	echo "This is a valid URL.";
} else {
	echo "This is not a valid URL.";
}
// Output: This is a valid URL.
?>


How to Sanitize a URL

The example PHP code below uses the filter_var() function with the FILTER_SANITIZE_URL filter to remove illegal URL characters from the string. The filter removes all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

<?php
$dirty_URL = "https://www.meridianoutpost≡◙.com";
$clean_URL = filter_var($dirty_URL, FILTER_SANITIZE_URL);
echo $clean_URL;

// Output: https://www.meridianoutpost.com
?>
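
The two URL filters above check or repair the format only. FILTER_VALIDATE_URL does not restrict the scheme, and FILTER_SANITIZE_URL silently turns a mistyped value into a different one. The added example below (not part of the original article) rejects input that sanitizing would change and allows only http and https. The helper name safe_http_url() and the sample inputs are constructed for illustration, and the code assumes PHP 7.1 or higher.

```php
<?php
// Added example, not from the original article.
// safe_http_url() is a hypothetical helper; the samples are constructed.

/**
 * Return the URL if it is well-formed, unchanged by sanitizing, and uses
 * http or https. Return null otherwise.
 */
function safe_http_url(string $raw): ?string
{
    $raw = trim($raw);

    // FILTER_SANITIZE_URL silently drops characters. If that changes the
    // value, the visitor typed something else: reject instead of repairing.
    if (filter_var($raw, FILTER_SANITIZE_URL) !== $raw) {
        return null;
    }

    // Format check only; other schemes (ftp, ssh, ...) can pass here.
    if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
        return null;
    }

    // Allow-list the scheme before the value is used in a link or request.
    $scheme = strtolower((string) parse_url($raw, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }

    return $raw;
}

$samples = [
    "https://www.meridianoutpost.com",
    "https://www.meridianoutpost≡◙.com",
    "ftp://files.example.com/report.txt",
    "www.example.com",
];

foreach ($samples as $url) {
    $result = safe_http_url($url);
    echo $url, " => ", $result === null ? "rejected" : "accepted", PHP_EOL;
}
?>
```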


How to Validate an Email Address

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_EMAIL filter to check whether the data in the variable $email is a properly formatted email address. Please note that this function only checks the format. It does not check whether the email address actually exists on an email server on the Internet.

<?php
$email = "username.domain.com";
if(filter_var($email, FILTER_VALIDATE_EMAIL)) {
	echo "This is a valid email address.";
} else {
	echo "This is not a valid email address.";
}
// Output: This is not a valid email address.
?>


How to Sanitize a String

The example PHP code below uses the filter_var() function with the FILTER_SANITIZE_STRING filter to sanitize (clean) the string in the variable $dirty_string by removing (potentially malicious) tags.

<?php
// Note: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1.0.
$dirty_string = "Welcome <script> alert(\"Hello Visitor\")</script>";
$clean_string = filter_var($dirty_string, FILTER_SANITIZE_STRING);
echo $clean_string;

// The tags are removed and the quotes are HTML-encoded (&#34;).
// Output (as displayed in a browser): Welcome alert("Hello Visitor")
?>
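
The PHP manual points to htmlspecialchars() as the replacement for the deprecated FILTER_SANITIZE_STRING. The added example below (not part of the original article) encodes the text at output time instead of stripping tags, which also keeps legitimate text that contains a < character. The helper name render_comment() and the sample comments are constructed for illustration.

```php
<?php
// Added example, not from the original article.
// render_comment() is a hypothetical helper; the samples are constructed.

/**
 * Encode a visitor's text for placement inside HTML element content
 * or a quoted attribute value.
 */
function render_comment(string $raw): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 sequences instead of returning an empty string.
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$comments = [
    "Welcome <script> alert(\"Hello Visitor\")</script>",
    "Orders <10 items ship free, right?",
];

foreach ($comments as $c) {
    // strip_tags() stands in for tag stripping here, because
    // FILTER_SANITIZE_STRING raises a deprecation notice on PHP 8.1+.
    echo "stripped: ", strip_tags($c), PHP_EOL;
    echo "encoded:  ", render_comment($c), PHP_EOL;
}
?>
```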



How to Validate an Integer

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_INT filter to check whether the variable $int is an integer.

<?php
$int = 200;
// filter_var() returns the integer on success and false on failure.
// Compare with !== false so that a valid 0 is not treated as a failure.
if (filter_var($int, FILTER_VALIDATE_INT) !== false) {
	echo ("Number is an integer.");
} else {
	echo ("Number is not an integer.");
}
// Output: Number is an integer.
?>


How to Validate a Floating Number (Decimal Number)

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_FLOAT filter to check whether the variable $price is a floating number.

<?php
$price = 19.99;
// Compare with !== false so that a valid price of 0 is not rejected.
if (filter_var($price, FILTER_VALIDATE_FLOAT) !== false) {
	echo ("This is a valid floating/decimal number.");
} else {
	echo ("This is not a valid floating/decimal number.");
}
// Output: This is a valid floating/decimal number.
?>


How to Validate an IP Address

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_IP filter to check whether the variable $ip_addy is a valid IP address.

<?php
$ip_addy = "127.0.0.999";
// filter_var() returns the address on success and false on failure.
if (filter_var($ip_addy, FILTER_VALIDATE_IP) !== false) {
	echo ("IP address is valid.");
} else {
	echo ("IP address is not valid.");
}
// Output: IP address is not valid.
?>
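
The integer, float and IP examples above call filter_var() without its third parameter. The added example below (not part of the original article) shows the options and flags from the overview applied to a constructed order form: a range for the integer, strict comparison with false for the float, and flags that narrow the IP filter. The function validate_order(), the field names and the $post array are hypothetical, and the code assumes PHP 7.0 or higher.

```php
<?php
// Added example, not from the original article. validate_order() and the
// field names are hypothetical; $post stands in for $_POST and is constructed.

function validate_order(array $post): array
{
    $errors = [];

    // options: accept only whole numbers from 1 to 100.
    $qty = filter_var($post['quantity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false) {
        $errors[] = 'quantity must be an integer from 1 to 100';
    }

    // Compare with === false: a price of 0 is valid but falsy.
    $price = filter_var($post['price'] ?? null, FILTER_VALIDATE_FLOAT);
    if ($price === false || $price < 0) {
        $errors[] = 'price must be a non-negative number';
    }

    // flags: IPv4 only, and not in a private or reserved range.
    $ip = filter_var($post['client_ip'] ?? null, FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ip === false) {
        $errors[] = 'client_ip must be a public IPv4 address';
    }

    return [
        'quantity'  => $qty,
        'price'     => $price,
        'client_ip' => $ip,
        'errors'    => $errors,
    ];
}

// Constructed sample input, as it would arrive from a form (all strings).
$post = ['quantity' => '250', 'price' => '0', 'client_ip' => '192.168.1.10'];
print_r(validate_order($post));
?>
```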


How to Validate a MAC Address

The example PHP code below uses the filter_var() function with the FILTER_VALIDATE_MAC filter to check whether the variable $device_MAC contains a valid MAC address.

<?php
$device_MAC = "30-5A-3A-7F-17-A1";
if (filter_var($device_MAC, FILTER_VALIDATE_MAC)) {
	echo ("This is a valid MAC address."); 
} else {
	echo ("This is not a valid MAC address."); 
}
// Output: This is a valid MAC address.
?>


External Reference

For more information on the PHP filter_var() function and the additional filters available, please see https://www.php.net/manual/en/function.filter-var.php


