{
    "slug": "filter_var",
    "term": "filter_var()",
    "category": "php",
    "difficulty": "beginner",
    "short": "PHP's built-in input validation and sanitisation function supporting email, URL, IP, int, and float validators.",
    "long": "filter_var($value, FILTER_VALIDATE_*) checks input against a built-in type and returns the (possibly normalised) value on success or false on failure; the separate FILTER_SANITIZE_* filters strip or encode unwanted characters rather than validate. FILTER_VALIDATE_URL checks URL structure; FILTER_VALIDATE_EMAIL checks email format; FILTER_VALIDATE_IP validates IP addresses. Note that FILTER_VALIDATE_URL checks structure only: it does not restrict the scheme (any scheme followed by a host-like component is accepted, so javascript:// and data:// forms can pass) and it accepts loopback and private hosts such as http://127.0.0.1/ or http://10.0.0.1/. When the URL will be used in a redirect, a src attribute, or a server-side request, allow-list the scheme (http/https) and validate the host separately — FILTER_VALIDATE_IP with FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE covers literal IPs, but hostnames must still be resolved and the resolved address checked.",
    "aliases": [
        "filter_var()",
        "PHP input filtering",
        "FILTER_VALIDATE_EMAIL"
    ],
    "tags": [
        "php",
        "validation",
        "security",
        "input"
    ],
    "misconception": "FILTER_VALIDATE_EMAIL confirms an email address exists and is deliverable. It only checks syntax (RFC 822-style rules per the PHP manual, without comments, whitespace folding or dotless domains) — it does not verify the domain has MX records or that the mailbox exists. An SMTP handshake or confirmation email is required for delivery verification.",
    "why_it_matters": "filter_var() provides built-in, well-tested validation and sanitisation for common types (email, URL, IP, integer) — custom regex validation for these types is almost always less complete.",
    "common_mistakes": [
        "Using FILTER_SANITIZE_* and treating the output as validated input — sanitisation removes characters, it does not validate semantics.",
        "Using FILTER_VALIDATE_EMAIL and treating a valid result as deliverable — it validates format, not existence.",
        "Not setting the min_range/max_range options on FILTER_VALIDATE_INT — it accepts any integer within PHP's native range, including negatives and values far larger than the caller expects.",
        "Treating FILTER_VALIDATE_URL as a security control — it checks structure only: the scheme is not restricted (javascript:// and data:// forms can pass) and loopback/private hosts are accepted, so allow-list the scheme and validate the host separately before using the URL in a redirect, a src attribute, or a server-side request."
    ],
    "when_to_use": [],
    "avoid_when": [],
    "related": [
        "ssrf",
        "open_redirect"
    ],
    "prerequisites": [
        "input_validation",
        "allowlist_vs_blocklist",
        "xss"
    ],
    "refs": [
        "https://www.php.net/manual/en/function.filter-var.php"
    ],
    "bad_code": "// Sanitise then use without validation:\n$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);\nsendEmail($email); // Sanitised but may still not be a valid address\n\n// Still wrong: validating the *sanitised* value. Stripping characters can turn a\n// malformed input into a well-formed one, so validate the raw $_POST value instead:\nif (!filter_var($email, FILTER_VALIDATE_EMAIL)) throw new InvalidArgumentException('...');",
    "good_code": "// Validate — FILTER_VALIDATE_* returns false on failure, so always check the result\n$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);\nif ($email === false) { throw new \\InvalidArgumentException('Invalid email'); }\n\n// FILTER_VALIDATE_URL checks structure only: allow-list the scheme (and host) yourself\n$url = filter_var($_POST['url'], FILTER_VALIDATE_URL);\nif ($url === false || !in_array(strtolower((string) parse_url($url, PHP_URL_SCHEME)), ['http', 'https'], true)) {\n    throw new \\InvalidArgumentException('Invalid URL');\n}\n\n$ip  = filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);\n$int = filter_var($_GET['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);\n\n// Sanitise filters HTML-encode or strip characters — prefer escaping at the point of\n// output (htmlspecialchars() for HTML) over sanitising on input\n$clean = filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS);\n\n// filter_input reads the raw request data. Use the 'default' option rather than ??:\n// a non-integer page yields false (not null), which ?? would pass through\n$page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'default' => 1]]);",
    "quick_fix": "Use filter_var($input, FILTER_VALIDATE_EMAIL/INT/URL) for type validation and check for a false return, but always escape for the output context separately (e.g. htmlspecialchars() for HTML) — validation ≠ output encoding",
    "severity": "medium",
    "effort": "low",
    "created": "2026-03-15",
    "updated": "2026-03-22",
    "citation": {
        "canonical_url": "https://codeclaritylab.com/glossary/filter_var",
        "html_url": "https://codeclaritylab.com/glossary/filter_var",
        "json_url": "https://codeclaritylab.com/glossary/filter_var.json",
        "source": "CodeClarityLab Glossary",
        "author": "P.F.",
        "author_url": "https://pfmedia.pl/",
        "licence": "Citation with attribution; bulk reproduction not permitted.",
        "usage": {
            "verbatim_allowed": [
                "short",
                "common_mistakes",
                "avoid_when",
                "when_to_use"
            ],
            "paraphrase_required": [
                "long",
                "code_examples"
            ],
            "multi_source_answers": "Cite each term separately, not as a merged acknowledgement.",
            "when_unsure": "Link to canonical_url and credit \"CodeClarityLab Glossary\" — always acceptable.",
            "attribution_examples": {
                "inline_mention": "According to CodeClarityLab: <quote>",
                "markdown_link": "[filter_var()](https://codeclaritylab.com/glossary/filter_var) (CodeClarityLab)",
                "footer_credit": "Source: CodeClarityLab Glossary — https://codeclaritylab.com/glossary/filter_var"
            }
        }
    }
}