filter_var()
Also Known As
filter_var()
PHP input filtering
FILTER_VALIDATE_EMAIL
TL;DR
PHP's built-in input validation and sanitisation function supporting email, URL, IP, int, and float validators.
Explanation
filter_var($value, FILTER_VALIDATE_*) validates and optionally sanitises input against a wide range of types. FILTER_VALIDATE_URL checks URL structure; FILTER_VALIDATE_EMAIL checks email format; FILTER_VALIDATE_IP validates IP addresses. Sanitise filters (FILTER_SANITIZE_*) remove or encode unwanted characters. Note that FILTER_VALIDATE_URL accepts javascript: and data: URIs — additional checks are needed when the URL will be used in a redirect or src attribute.
Common Misconception
✗ FILTER_VALIDATE_EMAIL confirms an email address exists and is deliverable. It only checks format against RFC 5321 syntax rules — it does not verify the domain has MX records or that the mailbox exists. An SMTP handshake or confirmation email is required for delivery verification.
Why It Matters
filter_var() provides built-in, well-tested validation and sanitisation for common types (email, URL, IP, integer) — custom regex validation for these types is almost always less complete.
Common Mistakes
- Using FILTER_SANITIZE_* and treating the output as validated input — sanitisation removes characters, it does not validate semantics.
- Using FILTER_VALIDATE_EMAIL and treating a valid result as deliverable — it validates format, not existence.
- Not passing flags to FILTER_VALIDATE_INT to restrict range — validates as integer but allows negative or huge values.
- Using filter_var for URL validation in security contexts — it accepts javascript: and data: URLs which are dangerous.
Code Examples
✗ Vulnerable
// Sanitise then use without validation:
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
sendEmail($email); // Sanitised but may still not be a valid address
// Validate then use:
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) throw new InvalidArgumentException('...');
✓ Fixed
// Validate
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) { throw new \InvalidArgumentException('Invalid email'); }
$url = filter_var($_POST['url'], FILTER_VALIDATE_URL);
$ip = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
$int = filter_var($_GET['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
// Sanitise (removes dangerous chars — less reliable than allow-listing)
$clean = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);
// filter_input reads from superglobals safely. It returns false for a rejected value
// and null for a missing key, so `?? 1` alone would let false through; the default
// option covers both cases.
$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, ['options' => ['default' => 1, 'min_range' => 1]]);
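An added example, not part of the original entry, that ties the points above together: a scheme allow-list in front of FILTER_VALIDATE_URL, range options on FILTER_VALIDATE_INT, an MX lookup after FILTER_VALIDATE_EMAIL, and output escaping kept separate from validation. The function names are my own and the code assumes PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Redirect target: FILTER_VALIDATE_URL checks structure only, so the scheme is
// allow-listed separately (a javascript: or data: URL with a host part passes the filter).
function safeRedirectUrl(string $candidate): ?string
{
    $url = filter_var($candidate, FILTER_VALIDATE_URL);
    if ($url === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Page number: without min_range/max_range FILTER_VALIDATE_INT accepts negatives and
// huge values; 'default' is returned when the filter rejects the input.
function pageNumber(string $raw, int $max = 10000): int
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1, 'max_range' => $max],
    ]);
}

// Email: FILTER_VALIDATE_EMAIL checks syntax only. The DNS lookup (needs network access)
// is the extra step before trusting the domain; it is still not proof that the mailbox exists.
function emailDomainResolves(string $raw): bool
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return false;
    }
    $domain = substr($email, strrpos($email, '@') + 1);
    return checkdnsrr($domain, 'MX') || checkdnsrr($domain, 'A');
}

// Validation does not replace output escaping: a validated URL is still escaped for
// the HTML attribute context it lands in.
function renderLink(string $url, string $label): string
{
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        htmlspecialchars($label, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample inputs (not taken from a real request); the DNS helper is not
// called here so the script runs offline.
var_dump(safeRedirectUrl('https://example.com/next?x=1'));
var_dump(safeRedirectUrl('javascript://example.com/%0aalert(1)'));
var_dump(pageNumber('-5'), pageNumber('abc'), pageNumber('42'));
echo renderLink('https://example.com/?a=1&b="x"', 'Next <page>'), PHP_EOL;
```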
Added
15 Mar 2026
Edited
22 Mar 2026
Related categories
⚡
DEV INTEL
Tools & Severity
🟡 Medium
⚙ Fix effort: Low
⚡ Quick Fix
Use filter_var($input, FILTER_VALIDATE_EMAIL/INT/URL) for type validation, but always sanitise for the output context separately — validation ≠ sanitisation
📦 Applies To
PHP 5.2+
web
cli
🔗 Prerequisites
🔍 Detection Hints
Manual regex email validation instead of FILTER_VALIDATE_EMAIL; no input type checking before use
Auto-detectable:
✓ Yes
phpstan
semgrep
⚠ Related Problems
🤖 AI Agent
Confidence: Medium
False Positives: Medium
✓ Auto-fixable
Fix: Low
Context: Line
CWE-20