← Back to glossary

filter_var()

PHP PHP 5.2+ Beginner

debt(d5/e3/b3/t7)

d5 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'specialist tool catches it' (d5). The detection_hints list phpstan and semgrep — both specialist static analysis tools — as the means to catch misuse patterns like manual regex email validation or treating sanitised output as validated. The misuse is not caught by the compiler or a default linter, requiring deliberate tooling setup.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix indicates replacing misuse with the appropriate filter_var($input, FILTER_VALIDATE_*) call, possibly combined with separate sanitisation for output context. This is a small, localised change — replacing a pattern within one component — not a single one-liner swap because multiple call sites and the sanitisation/validation distinction must be addressed.

b3 Burden Structural debt — long-term weight of choosing wrong

Closest to 'localised tax' (b3). The choice applies to web and CLI contexts in PHP, but misuse of filter_var is localised to input-handling code rather than being load-bearing across the entire codebase. Each misuse is independent and doesn't create a gravitational pull on unrelated components.

t7 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'serious trap' (t7). The misconception field explicitly states that FILTER_VALIDATE_EMAIL is widely believed to confirm deliverability when it only validates RFC 5321 syntax format. Additionally, common_mistakes reveal that FILTER_SANITIZE_* is confused with validation, and FILTER_VALIDATE_URL silently accepts dangerous schemes like javascript: and data: — multiple serious contradictions between what the function names imply and what they actually do, scoring near 't7' for contradicting reasonable developer expectations about similarly-named concepts.

About DEBT scoring → scored by claude-sonnet-4-6 · 2026-05-07 · reviewed by human

Also Known As

filter_var() PHP input filtering FILTER_VALIDATE_EMAIL

TL;DR

PHP's built-in input validation and sanitisation function supporting email, URL, IP, int, and float validators.

Explanation

filter_var($value, FILTER_VALIDATE_*) validates and optionally sanitises input against a wide range of types. FILTER_VALIDATE_URL checks URL structure; FILTER_VALIDATE_EMAIL checks email format; FILTER_VALIDATE_IP validates IP addresses. Sanitise filters (FILTER_SANITIZE_*) remove or encode unwanted characters. Note that FILTER_VALIDATE_URL accepts javascript: and data: URIs — additional checks are needed when the URL will be used in a redirect or src attribute.

Common Misconception

✗ FILTER_VALIDATE_EMAIL confirms an email address exists and is deliverable. It only checks format against RFC 5321 syntax rules — it does not verify the domain has MX records or that the mailbox exists. An SMTP handshake or confirmation email is required for delivery verification.

Why It Matters

filter_var() provides built-in, well-tested validation and sanitisation for common types (email, URL, IP, integer) — custom regex validation for these types is almost always less complete.

Common Mistakes

Using FILTER_SANITIZE_* and treating the output as validated input — sanitisation removes characters, it does not validate semantics.
Using FILTER_VALIDATE_EMAIL and treating a valid result as deliverable — it validates format, not existence.
Not passing flags to FILTER_VALIDATE_INT to restrict range — validates as integer but allows negative or huge values.
Using filter_var for URL validation in security contexts — it accepts javascript: and data: URLs which are dangerous.

Code Examples

✗ Vulnerable

// Sanitise then use without validation:
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
sendEmail($email); // Sanitised but may still not be a valid address

// Validate then use:
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) throw new InvalidArgumentException('...');

✓ Fixed

// Validate
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) { throw new \InvalidArgumentException('Invalid email'); }

$url = filter_var($_POST['url'], FILTER_VALIDATE_URL);
$ip  = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
$int = filter_var($_GET['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);

// Sanitise (removes dangerous chars — less reliable than allow-listing)
$clean = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);

// filter_input reads from superglobals safely
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT) ?? 1;

Tags

Added 15 Mar 2026

Edited 22 Mar 2026

Curated in Warsaw under one editorial standard. 1,506 terms, single voice. About this reference →

Rate this term

No ratings yet

🤖 AI Guestbook educational data only

| |

Last 30 days

Agents 0

No pings yet today

No pings yesterday

Scrapy 12 Perplexity 10 Amazonbot 7 Ahrefs 4 Google 4 SEMrush 3 Majestic 2 Unknown AI 2 Claude 2 ChatGPT 2 Bing 1 Meta AI 1 PetalBot 1

Also referenced

Server-Side Request Forgery (SSRF) 65 Open Redirect 38

How they use it

crawler 47 crawler_json 4

Related categories

php 13.1k security 7.9k

⚡ DEV INTEL Tools & Severity

🟡 Medium ⚙ Fix effort: Low

⚡ Quick Fix

Use filter_var($input, FILTER_VALIDATE_EMAIL/INT/URL) for type validation, but always sanitise for the output context separately — validation ≠ sanitisation

📦 Applies To

PHP 5.2+ web cli

🔗 Prerequisites

Input Validation vs Output Encoding Allowlist vs Blocklist Cross-Site Scripting (XSS)

🔍 Detection Hints

Manual regex email validation instead of FILTER_VALIDATE_EMAIL; no input type checking before use

Auto-detectable: ✓ Yes phpstan semgrep

⚠ Related Problems

SQL Injection Cross-Site Scripting (XSS)

🤖 AI Agent

Confidence: Medium False Positives: Medium ✓ Auto-fixable Fix: Low Context: Line

CWE-20

References

https://www.php.net/manual/en/function.filter-var.php