PHP Validate filters

Validate filters

**Listing of filters for validation**
ID	Name	Options	Flags	Description
`FILTER_VALIDATE_BOOLEAN`	"boolean"		`FILTER_NULL_ON_FAILURE`	Returns `TRUE` for "1", "true", "on" and "yes". Returns `FALSE` otherwise. If `FILTER_NULL_ON_FAILURE` is set, `FALSE` is returned only for "0", "false", "off", "no", and "", and `NULL` is returned for all non-boolean values.
`FILTER_VALIDATE_EMAIL`	"validate_email"			Validates value as e-mail.
`FILTER_VALIDATE_FLOAT`	"float"	`decimal`	`FILTER_FLAG_ALLOW_THOUSAND`	Validates value as float.
`FILTER_VALIDATE_INT`	"int"	`min_range`, `max_range`	`FILTER_FLAG_ALLOW_OCTAL`, `FILTER_FLAG_ALLOW_HEX`	Validates value as integer, optionally from the specified range.
`FILTER_VALIDATE_IP`	"validate_ip"		`FILTER_FLAG_IPV4`, `FILTER_FLAG_IPV6`, `FILTER_FLAG_NO_PRIV_RANGE`, `FILTER_FLAG_NO_RES_RANGE`	Validates value as IP address, optionally only IPv4 or IPv6 or not from private or reserved ranges.
`FILTER_VALIDATE_REGEXP`	"validate_regexp"	`regexp`		Validates value against `regexp`, a Perl-compatible regular expression.
`FILTER_VALIDATE_URL`	"validate_url"		`FILTER_FLAG_PATH_REQUIRED`, `FILTER_FLAG_QUERY_REQUIRED`	Validates value as URL (according to » http://www.faqs.org/rfcs/rfc2396), optionally with required components. Beware a valid URL may not specify the HTTP protocol `http://` so further validation may be required to determine the URL uses an expected protocol, e.g. `ssh://` or `mailto:`. Note that the function will only find ASCII URLs to be valid; internationalized domain names (containing non-ASCII characters) will fail.

Note:
Numbers +0 and -0 are not valid integers but validate as floats.

用户评论:

rowan dot collins at gmail dot com (2013-03-17 20:22:28)

Regarding "partial" addresses with no . in the domain part, a comment in the source code (in ext/filter/logical_filters.c) justifies this rejection thus: * The regex below is based on a regex by Michael Rushton. * However, it is not identical. I changed it to only consider routeable * addresses as valid. Michael's regex considers a@b a valid address * which conflicts with section 2.3.5 of RFC 5321 which states that: * * Only resolvable, fully-qualified domain names (FQDNs) are permitted * when domain names are used in SMTP. In other words, names that can * be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed * in Section 5) are permitted, as are CNAME RRs whose targets can be * resolved, in turn, to MX or address RRs. Local nicknames or * unqualified names MUST NOT be used.

boy at relaxnow dot nl (2012-10-19 14:06:13)

FILTER_VALIDATE_URL does not work with URNs, examples of valid URIs according to RFC3986 and if they are accepted by FILTER_VALIDATE_URL: [PASS] ftp://ftp.is.co.za.example.org/rfc/rfc1808.txt [PASS] gopher://spinaltap.micro.umn.example.edu/00/Weather/California/Los%20Angeles [PASS] http://www.math.uio.no.example.net/faq/compression-faq/part1.html [PASS] mailto:mduerst@ifi.unizh.example.gov [PASS] news:comp.infosystems.www.servers.unix [PASS] telnet://melvyl.ucop.example.edu/ [PASS] http://www.ietf.org/rfc/rfc2396.txt [PASS] ldap://[2001:db8::7]/c=GB?objectClass?one [PASS] mailto:John.Doe@example.com [PASS] news:comp.infosystems.www.servers.unix [FAIL] tel:+1-816-555-1212 [PASS] telnet://192.0.2.16:80/ [FAIL] urn:oasis:names:specification:docbook:dtd:xml:4.1.2

bee kay two at em ee dot com (2012-05-06 04:45:29)

Notably missing is a way to validate text entry as printable, printable multiline, or printable and safe (tag free) FILTER_VALIDATE_TEXT, which validates no special characters perhaps with FILTER_FLAG_ALLOW_NEWLINE and FILTER_FLAG_NOTAG to disallow tag starters

Tom (2012-04-09 10:08:46)

Be aware! In contrary to what the docs say (at least in PHP 5.3.1), this line: $value = filter_var(FALSE, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); Will return NULL - not false. In other words: a boolean FALSE is not considered a valid boolean value by this function. Also: $value = filter_var("", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); Will also return NULL - no matter what the docs say. So (string) FALSE is not considered a valid boolean input either. Thus be aware the that correct usage/workaround for this filter is: if (!is_bool($value)) { $value= filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); } For those of you who feel this is counterintuitive, note that there is an issue filed for this in the bug-tracker. So you might want to follow the discussion there or vote for issue #49510.

Levi Morrison (2011-10-26 12:10:31)

It's important to note that in PHP, false==null is true. This means when you are using the FILTER_VALIDATE_BOOLEAN, you must use '===' and '!==' to check to see if something is/isn't null. <?php $false = filter_var('0', FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE); if ($false==null) { //will execute } if ($false===null) { //will not execute } ?>

Griff (2011-09-01 04:28:30)

<< FILTER_VALIDATE_EMAIL allows incomplete e-mail addresses to be validated, for examle john@gmail will validate as a proper e-mail address >> "Plain" hostnames with no dots are valid in email addresses - for example, "me@localhost".

php at sethsyberg dot com (2011-04-07 13:00:18)

When validating floats, you must use the Identical/Not identical operators for proper validation of zeros: This will not work as expected: <?php $x = 0; if (!filter_var($x, FILTER_VALIDATE_FLOAT)) { echo "$x is a valid float"; } else { echo "$x is NOT a valid float"; } ?> This will work as expected: <?php $x = 0; if (filter_var($x, FILTER_VALIDATE_FLOAT)!== false) { echo "$x is a valid float"; } else { echo "$x is NOT a valid float"; } ?>

chastell at chastell dot net (2011-03-15 07:54:04)

example@example is a perfectly valid email address – I use chastell@localhost and chastell@devielle (my computer’s name) email addresses all the time and they get delivered just fine.

eleljrk at gmail dot com (2011-02-19 07:23:25)

For PHP 5.3.1 FILTER_VALIDATE_EMAIL does validate incomplete email addresses such as: example@example Otherwise it's really good because FILTER_VALIDATE_EMAIL validates the standards of the local part very well. This is a valid email address: "this is a valid email@[]{}and it should be"@example.com And FILTER_VALIDATE_EMAIL validate it. But this isn't a valid email address: "this is a valid email@[]{}and it should be"@example However, FILTER_VALIDATE_EMAIL does validate it.

php dot net at piskvor dot org (2011-02-11 08:57:46)

FILTER_VALIDATE_EMAIL is discarding valid e-mail addresses containing IDN. Since there are real, live IDNs on the Internet, that means the filtered output is too strict, leading to false negatives. Punycode-encoded IDN addresses pass the filter correctly; so before checking for validity, it is necessary to convert the e-mail address to punycode.

Clifton (2011-01-05 08:00:01)

FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated as mentioned by Tomas. Using the following code: <?php $email = "clifton@example"; //Note the .com missing echo "PHP Version: ".phpversion().'<br>'; if(filter_var($email, FILTER_VALIDATE_EMAIL)){ echo $email.'<br>'; var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); }else{ var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); } ?> Returns: PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed. bool(false) While the following code: <?php $email = "clifton@example.com"; //Note the .com added echo "PHP Version: ".phpversion().'<br>'; if(filter_var($email, FILTER_VALIDATE_EMAIL)){ echo $email.'<br>'; var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); }else{ var_dump(filter_var($email, FILTER_VALIDATE_EMAIL)); } ?> Returns: PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed. clifton@example.com string(16) "clifton@example.com" This feature is only available for PHP Versions (PHP 5 >= 5.2.0) according to documentation. So make sure your version is correct. Cheers, Clifton

tomas dot chlouba at gmail dot com (2010-12-18 08:42:56)

FILTER_VALIDATE_EMAIL allows incomplete e-mail addresses to be validated, for examle john@gmail will validate as a proper e-mail address.

pravila at alumni dot calpoly dot edu (2010-03-21 08:53:35)

Take caution when using the FILTER_VALIDATE_BOOLEAN filter as it seems to have different behaviors when used in the filter_var() vs. the filter_input() functions. To demonstrate, let's parse some arguments from a GET request (notice how arg2 is NOT set): example.com/script.php?arg1=yes&arg3=no <?php // filtering by variable $var1 = filter_var($_GET["arg1"], FILTER_VALIDATE_BOOLEAN); $var2 = filter_var($_GET["arg2"], FILTER_VALIDATE_BOOLEAN); $var3 = filter_var($_GET["arg3"], FILTER_VALIDATE_BOOLEAN); // filtering by input $input1 = filter_input(INPUT_GET, "arg1", FILTER_VALIDATE_BOOLEAN); $input2 = filter_input(INPUT_GET, "arg2", FILTER_VALIDATE_BOOLEAN); $input3 = filter_input(INPUT_GET, "arg3", FILTER_VALIDATE_BOOLEAN); // as expected... var_dump($var1); // bool(true) var_dump($var2); // bool(false) var_dump($var3); // bool(false) // NULL is not an expected return... var_dump($input1); // bool(true) var_dump($input2); // NULL var_dump($input3); // bool(false) ?> As per the documentation, the return is limited to true XOR false unless the FILTER_NULL_ON_FAILURE flag is set, but it seems as if this flag is set automatically with the filter_input() function. (Note: same behavior for filter_var_array() vs. filter_input_array())