PHP Function Reference

PHP - Filter

The filter extension provides tool to filter data by either validating or sanitizing it. This is especially useful when the data source contains unknown (or foreign) data, like user supplied input in a HTML form.

There are two main types of filtering: validation and sanitization.

Validation is used to validate if the data meets certain qualifications. For example, passing in FILTER_VALIDATE_EMAIL will determine if the data is a valid email address. But this will not change the data itself.

Sanitization will sanitize the data and may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. But this will not validate the data.

Flags are optionally used with both validation and sanitization to tweak behavior according to need. For example, passing in FILTER_FLAG_PATH_REQUIRED while filtering an URL will require a path to be present.


The filter extension is enabled by default. To disable the filter extension, use --disable-filter.

There is no installation needed to use these functions. These functions are part of the PHP core.

Runtime Configuration

The behavior of these functions is affected by settings in php.ini.

Filter Configuration Options

filter.default"unsafe_raw"Filter all $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER data by this filter. Original data can be accessed through filter_input(). Accepts the name of the filter you like to use by default. See the existing filter list for the list of the filter names.PHP_INI_PERDIR
filter.default_flagsNULLDefault flags to apply when the default filter is set. This is set to FILTER_FLAG_NO_ENCODE_QUOTES by default for backwards compatibility reasons.PHP_INI_PERDIR

Types of filters

PHP Filter Functions

filter_has_var() Checks if variable of specified type exists.
filter_id() Returns the filter ID belonging to a named filter.
filter_input() Gets a specific external variable by name and optionally filters it.
filter_input_array() Gets external variables and optionally filters them.
filter_list() Returns a list of all supported filters.
filter_var_array() Gets multiple variables and optionally filters them.
filter_var() Filters a variable with a specified filter.

PHP Filter Predefined Constants

The constants below are defined by this extension, and will only be available when the extension has either been compiled into PHP or dynamically loaded at runtime.

INPUT_POSTIntegerPOST variables.
INPUT_GETIntegerGET variables.
INPUT_COOKIEIntegerCOOKIE variables.
INPUT_ENVIntegerENV variables.
INPUT_SERVERIntegerSERVER variables.
INPUT_SESSIONIntegerSESSION variables. (not implemented yet)
INPUT_REQUESTIntegerREQUEST variables. (not implemented yet)
FILTER_FLAG_NONEIntegerNo flags.
FILTER_REQUIRE_SCALARIntegerFlag used to require scalar as input
FILTER_REQUIRE_ARRAYIntegerRequire an array as input.
FILTER_FORCE_ARRAYIntegerAlways returns an array.
FILTER_NULL_ON_FAILUREIntegerUse NULL instead of FALSE on failure.
FILTER_VALIDATE_INTIntegerID of "int" filter.
FILTER_VALIDATE_BOOLEANIntegerID of "boolean" filter.
FILTER_VALIDATE_FLOATIntegerID of "float" filter.
FILTER_VALIDATE_REGEXPIntegerID of "validate_regexp" filter.
FILTER_VALIDATE_URLIntegerID of "validate_url" filter.
FILTER_VALIDATE_DOMAINIntegerID of "validate_domain" filter. (Available as of PHP 7.0.0)
FILTER_VALIDATE_EMAILIntegerID of "validate_email" filter.
FILTER_VALIDATE_IPIntegerID of "validate_ip" filter.
FILTER_VALIDATE_MACIntegerID of "validate_mac_address" filter.
FILTER_DEFAULTIntegerID of default ("unsafe_raw") filter. This is equivalent to FILTER_UNSAFE_RAW.
FILTER_UNSAFE_RAWIntegerID of "unsafe_raw" filter.
FILTER_SANITIZE_STRINGIntegerID of "string" filter.
FILTER_SANITIZE_STRIPPEDIntegerID of "stripped" filter.
FILTER_SANITIZE_ENCODEDIntegerID of "encoded" filter.
FILTER_SANITIZE_SPECIAL_CHARSIntegerID of "special_chars" filter.
FILTER_SANITIZE_EMAILIntegerID of "email" filter.
FILTER_SANITIZE_URLIntegerID of "url" filter.
FILTER_SANITIZE_NUMBER_INTIntegerID of "number_int" filter.
FILTER_SANITIZE_NUMBER_FLOATIntegerID of "number_float" filter.
FILTER_SANITIZE_MAGIC_QUOTESIntegerID of "magic_quotes" filter. (DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0, use FILTER_SANITIZE_ADD_SLASHES instead.)
FILTER_SANITIZE_ADD_SLASHESIntegerID of "add_slashes" filter. (Available as of PHP 7.3.0)
FILTER_CALLBACKIntegerID of "callback" filter.
FILTER_FLAG_ALLOW_OCTALIntegerAllow octal notation (0[0-7]+) in "int" filter.
FILTER_FLAG_ALLOW_HEXIntegerAllow hex notation (0x[0-9a-fA-F]+) in "int" filter.
FILTER_FLAG_STRIP_LOWIntegerStrip characters with ASCII value less than 32.
FILTER_FLAG_STRIP_HIGHIntegerStrip characters with ASCII value greater than 127.
FILTER_FLAG_STRIP_BACKTICKIntegerStrips backtick characters.
FILTER_FLAG_ENCODE_LOWIntegerEncode characters with ASCII value less than 32.
FILTER_FLAG_ENCODE_HIGHIntegerEncode characters with ASCII value greater than 127.
FILTER_FLAG_NO_ENCODE_QUOTESIntegerDon't encode ' and ".
FILTER_FLAG_ALLOW_FRACTIONIntegerAllow fractional part in "number_float" filter.
FILTER_FLAG_ALLOW_THOUSANDIntegerAllow thousand separator (,) in "number_float" filter.
FILTER_FLAG_ALLOW_SCIENTIFICIntegerAllow scientific notation (e, E) in "number_float" filter.
FILTER_FLAG_PATH_REQUIREDIntegerRequire path in "validate_url" filter.
FILTER_FLAG_QUERY_REQUIREDIntegerRequire query in "validate_url" filter.
FILTER_FLAG_SCHEME_REQUIREDIntegerRequire scheme in "validate_url" filter. (Deprecated per PHP 7.3 as it is implied in the filter already.)
FILTER_FLAG_HOST_REQUIREDIntegerRequire host in "validate_url" filter. (Deprecated per PHP 7.3 as it is implied in the filter already.)
FILTER_FLAG_HOSTNAMEIntegerRequire hostnames to start with an alphanumeric character and contain only alphanumeric characters or hyphens. (Available as of PHP 7.0.0)
FILTER_FLAG_IPV4IntegerAllow only IPv4 address in "validate_ip" filter.
FILTER_FLAG_IPV6IntegerAllow only IPv6 address in "validate_ip" filter.
FILTER_FLAG_NO_RES_RANGEIntegerDeny reserved addresses in "validate_ip" filter.
FILTER_FLAG_NO_PRIV_RANGEIntegerDeny private addresses in "validate_ip" filter.
FILTER_FLAG_EMAIL_UNICODEIntegerAccepts Unicode characters in the local part in "validate_email" filter. (Available as of PHP 7.1.0)