filter_input

(PHP 5 >= 5.2.0, PHP 7, PHP 8)

filter_input — 通过名称获取特定的外部变量，并且可以通过过滤器处理它

说明

filter_input(
    int $type,
    string $var_name,
    int $filter = FILTER_DEFAULT,
    array|int $options = 0
): mixed

参数

type: INPUT_* 常量之一。
警告
在用户对超全局变量进行任何修改之前，正在过滤的超全局变量内容是 SAPI 提供的原始“原始”内容。要过滤修改后的超全局变量，请使用 filter_var()。
var_name: 在相应 type 的超全局变量中要过滤的变量名称。
filter: 要应用的过滤器。可以使用 FILTER_VALIDATE_* 常量作为验证过滤器，使用 FILTER_SANITIZE_* 或 FILTER_UNSAFE_RAW 作为清理过滤器，也可以使用 FILTER_CALLBACK 作为自定义过滤器。
注意: 默认值为 FILTER_DEFAULT，是 FILTER_UNSAFE_RAW 的别名。这将导致默认情况下不进行过滤。
options: 要么是选项的关联 array，要么是过滤器 flag 常量 FILTER_FLAG_* 的位掩码。如果 filter 接受选项（option），则可以使用数组的 "flags" 字段提供 flag。

返回值

成功时返回过滤后的变量。如果变量未设置，则返回 false。失败时也返回 false，当使用 FILTER_NULL_ON_FAILURE flag 时返回 null。

示例

示例 #1 filter_input() 示例

<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>

以上示例的输出类似于：

You have searched for Me &#38; son.
<a href='?search=Me%20%26%20son'>Search again.</a>

参见

filter_input_array() - 获取一系列外部变量，并且可以通过过滤器处理它们
filter_var() - 使用特定的过滤器过滤一个变量
filter_var_array() - 获取多个变量并且过滤它们
验证过滤器 FILTER_VALIDATE_*
清理过滤器 FILTER_SANITIZE_*

发现了问题？

了解如何改进此页面 • 提交拉取请求 • 报告一个错误

＋添加备注

用户贡献的备注 9 notes

down

100

CertaiN ¶

10 years ago

This function provides us the extremely simple solution for type filtering.

Without this function...
<?php
if (!isset($_GET['a'])) {
    $a = null;
} elseif (!is_string($_GET['a'])) {
    $a = false;
} else {
    $a = $_GET['a'];
}
$b = isset($_GET['b']) && is_string($_GET['b']) ? $_GET['b'] : '';
?>

With this function...
<?php
$a = filter_input(INPUT_GET, 'a');
$b = (string)filter_input(INPUT_GET, 'b');
?>

Yes, FILTER_REQUIRE_SCALAR seems to be set as a default option. 
It's very helpful for eliminating E_NOTICE, E_WARNING and E_ERROR. 
This fact should be documented.

down

anthony dot parsons at manx dot net ¶

17 years ago

FastCGI seems to cause strange side-effects with unexpected null values when using INPUT_SERVER and INPUT_ENV with this function. You can use this code to see if it affects your server:
<?php
var_dump($_SERVER);
foreach ( array_keys($_SERVER) as $b ) {
    var_dump($b, filter_input(INPUT_SERVER, $b));
}
echo '<hr>';
var_dump($_ENV);
foreach ( array_keys($_ENV) as $b ) {
    var_dump($b, filter_input(INPUT_ENV, $b));
}
?>
If you want to be on the safe side, using the superglobal $_SERVER and $_ENV variables will always work. You can still use the filter_* functions for Get/Post/Cookie without a problem, which is the important part!

down

rimelek at rimelek dot hu ¶

10 years ago

If your $_POST contains an array value:
<?php
$_POST  = array(
    'var' => array('more', 'than', 'one', 'values')
);
?>
you should use FILTER_REQUIRE_ARRAY option:
<?php
var_dump(filter_input(INPUT_POST, 'var', FILTER_DEFAULT , FILTER_REQUIRE_ARRAY));
?>
Otherwise it returns false.

down

ss23 at ss23 dot geek dot nz ¶

14 years ago

Note that this function doesn't (or at least doesn't seem to) actually filter based on the current values of $_GET etc. Instead, it seems to filter based off the original values.
<?php
$_GET['search'] = 'foo'; // This has no effect on the filter_input

$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>

If you need to set a default input value and filter that, use filter_var on your required input variable instead

down

Stefan Weinzierl ¶

10 years ago

Here is an example how to work with the options-parameter. Notice the 'options' in the 'options'-Parameter!

<?php
$options=array('options'=>array('default'=>5, 'min_range'=>0, 'max_range'=>9));

$priority=filter_input(INPUT_GET, 'priority', FILTER_VALIDATE_INT, $options);
?>

$priority will be 5 if the priority-Parameter isn't set or out the given range.

down

chris at chlab dot ch ¶

12 years ago

To use a class method for a callback function, as usual, provide an array with an instance of the class and the method name.
Example:

<?php
class myValidator
{
  public function username($value)
  {
    // return username or boolean false
  }
}

$myValidator = new myValidator;
$options = array('options' => array($myValidator, 'username'));
$username = filter_input(INPUT_GET, 'username', FILTER_CALLBACK, $options);
var_dump($username);
?>

down

akshay dot leadindia at gmail dot com ¶

11 years ago

The beauty of using this instead of directly using filter_var( $_GET['search'] ) is that you don't need to check if( isset( $_GET['search'] ) ) as if you pass that to filter_var and the key is not set then it will result in a warning. This function simplifies this and will return the relevant result to you (as per your options set) if the key has not been set in the user input. 

If the type of filter you are using also supports a 'default' argument then this function will also stuff your missing input key with that value, again saving your efforts

down

travismowens at gmail dot com ¶

14 years ago

I wouldn't recommend people use this function to store their data in a database.  It's best not to encode data when storing it, it's better to store it raw and convert in upon the time of need.

One main reason for this is because if you have a short CHAR(16) field and the text contains encoded characters (quotes, ampersand) you can easily take a 12 character entry which obviously fits, but because of encoding it no longer fits.

Also, while not as common, if you need to use this data in another place, such as a non webpage (perhaps in a desktop app, or to a cell phone SMS or to a pager) the HTML encoded data will appear raw, and now you have to decode the data.

In summary, the best way to architect your system, is to store data as raw, and encode it only the moment you need to.  So this means in your PHP upon doing a SQL query, instead of merely doing an   echo $row['title']  you need to run htmlentities() on your echos, or better yet, an abstract function.

down

HonzaZ ¶

2 years ago

In fastcgi sapi implementations, filter_input(INPUT_SERVER) can return empty results.

In my case (8.1.9 64bit php-cgi) it was caused by auto_globals_jit enabled . When disabled (in php.ini on php startup), filter_input(INPUT_SERVER) works correctly.

php-fpm sapi isn't affected.