Zend PHP 5 Certification Study Guide (2014)

Appendix B: Filter Extension Filters and Flags

The filter extension defines three types of filters: validation, sanitization, and callback. Additionally, a number of flags change the way these filters are applied.

Validation Filters

| Constant | Name | Options | Flags | Description |
| --- | --- | --- | --- | --- |
| FILTER_VALIDATE_BOOLEAN | boolean | default | FILTER_NULL_ON_FAILURE | Validates value as being boolean-like. Returns true for all truthy values: 1, true, on and yes. Returns false otherwise. If the flag FILTER_NULL_ON_FAILURE is used, false is returned only for falsey values: 0, false, off, no, and ''. A non-boolean value returns null. |
| FILTER_VALIDATE_EMAIL | validate_email | default | | Validates value as an e-mail. |
| FILTER_VALIDATE_FLOAT | float | default, decimal | FILTER_FLAG_ALLOW_THOUSAND | Validates value as floating point number. |
| FILTER_VALIDATE_INT | int | default, min_range, max_range | FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX | Validates value as integer number, optionally from the specified range. Defaults to allowing only decimal numbers, but may optionally allow octal and hex numbers. |
| FILTER_VALIDATE_IP | validate_ip | default | FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE | Validates value as IP address, optionally only IPv4 or IPv6, and can disallow private or reserved ranges. |
| FILTER_VALIDATE_REGEXP | validate_regexp | default, regexp | | Validates value against a specified regexp, a Perl-compatible regular expression (PCRE). |
| FILTER_VALIDATE_URL | validate_url | default | FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED | Validates value as a URL (according to RFC 2396), optionally requiring a path or query string. |

Sanitization Filters

| Constant | Name | Flags | Description |
| --- | --- | --- | --- |
| FILTER_SANITIZE_EMAIL | email | | Remove all characters except letters, digits and the special characters: `` !#$%&'*+-/=?^_`{\|}~@.[] ``. |
| FILTER_SANITIZE_ENCODED | encoded | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL encode string, optionally strip or encode special characters. |
| FILTER_SANITIZE_MAGIC_QUOTES | magic_quotes | | Apply addslashes(). |
| FILTER_SANITIZE_NUMBER_FLOAT | number_float | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Remove all characters except digits, plus and minus sign and optionally `.,eE`. |
| FILTER_SANITIZE_NUMBER_INT | number_int | | Remove all characters except digits, plus and minus sign. |
| FILTER_SANITIZE_SPECIAL_CHARS | special_chars | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_HIGH | HTML-escape `'"<>&` and characters with ASCII value less than 32, optionally strip or encode other special characters. |
| FILTER_SANITIZE_FULL_SPECIAL_CHARS | full_special_chars | FILTER_FLAG_NO_ENCODE_QUOTES | The same as calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Uses the default_charset INI setting. If a sequence of bytes is detected that makes up an invalid character in the current character set, then the entire string is rejected, resulting in a 0-length string. |
| FILTER_SANITIZE_STRING | string | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strip tags, optionally strip or encode special characters. |
| FILTER_SANITIZE_STRIPPED | stripped | | Alias of FILTER_SANITIZE_STRING. |
| FILTER_SANITIZE_URL | url | | Remove all characters except letters, digits and `` $-_.+!*'(),{}\|\\^~[]`<>#%";/?:@&= ``. |
| FILTER_UNSAFE_RAW | unsafe_raw | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Do nothing, optionally strip or encode special characters. Used to access original data when using a default filter. |

Flags

| Constant | Used with | Description |
| --- | --- | --- |
| FILTER_FLAG_STRIP_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with a numerical value < 32. |
| FILTER_FLAG_STRIP_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Strips characters with a numerical value > 127. |
| FILTER_FLAG_ALLOW_FRACTION | FILTER_SANITIZE_NUMBER_FLOAT | Allows a period (.) as a fractional separator in numbers. |
| FILTER_FLAG_ALLOW_THOUSAND | FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT | Allows a comma (,) as a thousands separator in numbers. |
| FILTER_FLAG_ALLOW_SCIENTIFIC | FILTER_SANITIZE_NUMBER_FLOAT | Allows an e or E for scientific notation in numbers. |
| FILTER_FLAG_NO_ENCODE_QUOTES | FILTER_SANITIZE_STRING | Do not encode single (') or double (") quotes. |
| FILTER_FLAG_ENCODE_LOW | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes all characters with a numerical value < 32. |
| FILTER_FLAG_ENCODE_HIGH | FILTER_SANITIZE_ENCODED, FILTER_SANITIZE_SPECIAL_CHARS, FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes all characters with a numerical value > 127. |
| FILTER_FLAG_ENCODE_AMP | FILTER_SANITIZE_STRING, FILTER_UNSAFE_RAW | Encodes ampersands (&). |
| FILTER_NULL_ON_FAILURE | FILTER_VALIDATE_BOOLEAN | Returns null for unrecognized boolean values. |
| FILTER_FLAG_ALLOW_OCTAL | FILTER_VALIDATE_INT | Allows inputs starting with a zero (0) as octal numbers. This only allows the succeeding digits to be 0-7. |
| FILTER_FLAG_ALLOW_HEX | FILTER_VALIDATE_INT | Allows inputs starting with 0x or 0X as hexadecimal numbers. This only allows succeeding characters to be a-fA-F0-9. |
| FILTER_FLAG_IPV4 | FILTER_VALIDATE_IP | Allows IPv4 addresses. |
| FILTER_FLAG_IPV6 | FILTER_VALIDATE_IP | Allows IPv6 addresses. |
| FILTER_FLAG_NO_PRIV_RANGE | FILTER_VALIDATE_IP | Disallows the following private IPv4 ranges: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Disallows IPv6 addresses starting with FD or FC. |
| FILTER_FLAG_NO_RES_RANGE | FILTER_VALIDATE_IP | Disallows the following reserved IPv4 ranges: 0.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, and 224.0.0.0/4. This flag does not apply to IPv6 addresses. |
| FILTER_FLAG_PATH_REQUIRED | FILTER_VALIDATE_URL | Requires that the URL contains a path part. |
| FILTER_FLAG_QUERY_REQUIRED | FILTER_VALIDATE_URL | Requires that the URL contains a query string. |
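
The validation filters, options and flags listed in this appendix, combined in a single filter_var_array() call. This is an added example, not code from the study guide; the field names and the values in $input are constructed. It shows where options and flags go in a filter specification, and why results must be compared strictly: a failed filter returns false (or null when FILTER_NULL_ON_FAILURE is set), while valid input can itself be 0 or false.

```php
<?php
// Constructed sample data standing in for request parameters (hypothetical names).
$input = [
    'age'      => '0',         // valid integer that is also falsy in PHP
    'port'     => '0x1F90',    // hexadecimal literal
    'remember' => 'maybe',     // not one of the recognized boolean strings
    'peer'     => '10.1.2.3',  // address inside the private range 10.0.0.0/8
];

$spec = [
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'port' => [
        'filter'  => FILTER_VALIDATE_INT,
        'flags'   => FILTER_FLAG_ALLOW_HEX,  // without this flag, "0x..." fails
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ],
    'remember' => [
        'filter' => FILTER_VALIDATE_BOOLEAN,
        'flags'  => FILTER_NULL_ON_FAILURE,  // failure becomes null, not false
    ],
    'peer' => [
        'filter' => FILTER_VALIDATE_IP,
        'flags'  => FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE,
    ],
];

// A rule's failure value depends on whether FILTER_NULL_ON_FAILURE is set.
function validation_failed(array $rule, $value)
{
    $flags = isset($rule['flags']) ? $rule['flags'] : 0;
    return ($flags & FILTER_NULL_ON_FAILURE) ? $value === null : $value === false;
}

$clean  = filter_var_array($input, $spec);
$errors = [];
foreach ($spec as $field => $rule) {
    // Never test with !$clean[$field]: that would reject the valid age 0.
    if (validation_failed($rule, $clean[$field])) {
        $errors[] = $field;
    }
}

var_dump($clean);   // typed values for the fields that passed
var_dump($errors);  // names of the fields that failed validation
```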