PHP: Hypertext Preprocessor

验证过滤器

**用于验证的过滤器列表**
ID	名称	选项	flag	说明
`FILTER_VALIDATE_BOOLEAN`、`FILTER_VALIDATE_BOOL`	"boolean"	`default`	`FILTER_NULL_ON_FAILURE`	"1"、"true"、"on" 和 "yes" 时返回 `true`，否则返回 `false`。如果设置了 `FILTER_NULL_ON_FAILURE`，仅当 "0"、"false"、"off"、"no" 和 "" 时才会返回 `false`，其它非布尔值都会返回 `null`。字符串在对比前会使用 trim() 修剪。
`FILTER_VALIDATE_DOMAIN`	"validate_domain"	`default`	`FILTER_FLAG_HOSTNAME`、`FILTER_NULL_ON_FAILURE`	验证域名标签的长度是否有效。根据 RFC 1034、RFC 1035、RFC 952、RFC 1123、RFC 2732、RFC 2181 和 RFC 1123 的规范验证域名。可选的 flag `FILTER_FLAG_HOSTNAME` 会添加验证主机名的能力（它们必须以字母数字字符开头，并且只能包含字母数字字符或连字符）。
`FILTER_VALIDATE_EMAIL`	"validate_email"	`default`	`FILTER_FLAG_EMAIL_UNICODE`、`FILTER_NULL_ON_FAILURE`	验证值是否是有效的电子邮件地址。一般情况下，这将根据 » RFC 822 对电子邮件地址进行验证，使用 `addr-spec` 语法，并且不支持注释、空白折叠和无点域名的例外情况。
`FILTER_VALIDATE_FLOAT`	"float"	`default`、`decimal`、`min_range`、`max_range`	`FILTER_FLAG_ALLOW_THOUSAND`、`FILTER_NULL_ON_FAILURE`	将值作为浮点数验证，并且可选择在指定范围内进行验证，在验证成功后将其转换为浮点数。字符串在对比前会使用 trim() 修剪。
`FILTER_VALIDATE_INT`	"int"	`default`、`min_range`、`max_range`	`FILTER_FLAG_ALLOW_OCTAL`、`FILTER_FLAG_ALLOW_HEX`、`FILTER_NULL_ON_FAILURE`	将值作为整数验证，并且可选择在指定范围内进行验证，在验证成功后将其转换为整数。字符串在对比前会使用 trim() 修剪。
`FILTER_VALIDATE_IP`	"validate_ip"	`default`	`FILTER_FLAG_IPV4`、`FILTER_FLAG_IPV6`、`FILTER_FLAG_NO_PRIV_RANGE`、`FILTER_FLAG_NO_RES_RANGE`、`FILTER_FLAG_GLOBAL_RANGE`、`FILTER_NULL_ON_FAILURE`	将值作为 IP 地址验证，可选择仅验证 IPv4、IPv6 或不验证私有、保留范围。
`FILTER_VALIDATE_MAC`	"validate_mac_address"	`default`	`FILTER_NULL_ON_FAILURE`	将值作为 MAC 地址验证。
`FILTER_VALIDATE_REGEXP`	"validate_regexp"	`default`、`regexp`	`FILTER_NULL_ON_FAILURE`	根据 `regexp`（Perl 兼容的正则表达式）验证值。
`FILTER_VALIDATE_URL`	"validate_url"	`default`	`FILTER_FLAG_SCHEME_REQUIRED`、`FILTER_FLAG_HOST_REQUIRED`、`FILTER_FLAG_PATH_REQUIRED`、`FILTER_FLAG_QUERY_REQUIRED`、`FILTER_NULL_ON_FAILURE`	验证值是否为 URL（根据 » http://www.faqs.org/rfcs/rfc2396），并可选择验证 URL 所需的组件。请注意，有效的 URL 可能不会指定 HTTP 协议（`http://`），因此可能需要进一步验证以确定 URL 是否使用了期望的协议，如 `ssh://` 或`mailto:`。请注意，该函数只会认为 ASCII 编码的 URL 是有效的；国际化域名（包含非 ASCII 字符）将无法通过验证。

注意:
当将 default 设置到选项，如果值未通过验证，将使用 default 的值。

更新日志

版本	说明
8.0.0	`FILTER_VALIDATE_URL` 过滤器移除 `FILTER_FLAG_SCHEME_REQUIRED` 和 `FILTER_FLAG_HOST_REQUIRED` flag。 `scheme` 和 `host` 始终（一直以来）必需。
8.0.0	新增 `FILTER_VALIDATE_BOOL` 作为 `FILTER_VALIDATE_BOOLEAN` 的别名。优先使用 `FILTER_VALIDATE_BOOL`。
7.4.0	`FILTER_VALIDATE_FLOAT` 新增 `min_range` 和 `max_range` 选项。
7.0.0	新增 `FILTER_FLAG_HOSTNAME` 和 `FILTER_VALIDATE_DOMAIN`。

改进此页面

了解如何改进此页面 • 提交拉取请求 • 报告一个错误

＋添加备注

用户贡献的备注 14 notes

down

boy at relaxnow dot nl ¶

12 years ago

FILTER_VALIDATE_URL does not work with URNs, examples of valid URIs according to RFC3986 and if they are accepted by FILTER_VALIDATE_URL:



[PASS] ftp://ftp.is.co.za.example.org/rfc/rfc1808.txt

[PASS] gopher://spinaltap.micro.umn.example.edu/00/Weather/California/Los%20Angeles

[PASS] http://www.math.uio.no.example.net/faq/compression-faq/part1.html

[PASS] mailto:mduerst@ifi.unizh.example.gov

[PASS] news:comp.infosystems.www.servers.unix

[PASS] telnet://melvyl.ucop.example.edu/

[PASS] http://www.ietf.org/rfc/rfc2396.txt

[PASS] ldap://[2001:db8::7]/c=GB?objectClass?one

[PASS] mailto:John.Doe@example.com

[PASS] news:comp.infosystems.www.servers.unix

[FAIL] tel:+1-816-555-1212

[PASS] telnet://192.0.2.16:80/

[FAIL] urn:oasis:names:specification:docbook:dtd:xml:4.1.2

down

bee kay two at em ee dot com ¶

12 years ago

Notably missing is a way to validate text entry as printable,
printable multiline,
or printable and safe (tag free)

FILTER_VALIDATE_TEXT, which validates no special characters
perhaps with FILTER_FLAG_ALLOW_NEWLINE
and FILTER_FLAG_NOTAG to disallow tag starters

down

MR Yekta ¶

4 years ago

since php 7.4 
you can use these 3 beautiful conditions for from validation for validation less, great or in range

<?php
/**
 * less_than_equal_to
 */
$x = 50;
if (filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["max_range" => 100]]) !== false) {
    echo "result : $x is less than OR equal to 100";
} else {
    echo "result : $x is NOT less than OR equal to 100";
}
?>
result : 50 is less than OR equal to 100

<?php
/**
 * greater_than_equal_to 
 */
$x = 50;
if (filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["min_range" => 100]]) !== false) {
    echo "result : $x is greater than OR equal to 100";
} else {
    echo "result : $x is NOT greater than OR equal to 100";
}
?>
result : 50 is NOT greater than OR equal to 100

<?php
/**
 * less_than_equal_to && greater_than_equal_to
 */
$x = 50;
if (filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["min_range" => 0 , "max_range"=> 100]]) !== false) {
    echo "result : $x is in range of 0 to 100";
} else {
    echo "result : $x in NOT range of 0 to 100";
}
?>
result : 50 is in range of 0 to 100

down

bryanwayb at gmail dot com ¶

9 years ago

It's good to remember that using filter_var is primarily for filtering input values when doing boolean logic comparisons. Take the following:

$value = "12";
if(filter_var($value, FILTER_VALIDATE_INT))
{
    // validated as an int
}

The above works as intended, except when $value = "0". In which case filter_var returns a 0, aka false when used as a boolean.

For the correct behavior, do a zero check.

$value = " 0 ";
$filtered = filter_var($value, FILTER_VALIDATE_INT);
if($filtered || $filtered === 0)
{
    // validated as an int
}

down

Clifton ¶

13 years ago

FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated as mentioned by Tomas.



Using the following code:



<?php

$email = "clifton@example"; //Note the .com missing

echo "PHP Version: ".phpversion().'<br>';

if(filter_var($email, FILTER_VALIDATE_EMAIL)){

    echo $email.'<br>';

    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));

}else{

    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));    

}

?>



Returns:

PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.

bool(false)



While the following code:



<?php

$email = "clifton@example.com"; //Note the .com added

echo "PHP Version: ".phpversion().'<br>';

if(filter_var($email, FILTER_VALIDATE_EMAIL)){

    echo $email.'<br>';

    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));

}else{

    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));    

}

?>



Returns:

PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.

clifton@example.com

string(16) "clifton@example.com"



This feature is only available for PHP Versions (PHP 5 >= 5.2.0) according to documentation. So make sure your version is correct.



Cheers,

Clifton

down

sebastian dot piskorski at gmail dot com ¶

8 years ago

FILTER_VALIDATE_EMAIL not only doesn't support whitespace folding and comments. It only checks Addr-spec part of email address. Otherwise it should mark such address as valid: 'Test Example <test@example.com>' because it is valid according to RFC 822.

Also address "test@localhost" should be valid. Which is mentioned in another note.

You can test it with this code:
<?php

$emails = array(
    'Test Example <test@example.com>',
    'test@localhost',
    'test@localhost.com'
);

foreach ($emails as $email) {
    echo (filter_var($email, FILTER_VALIDATE_EMAIL)) ? 
        "[+] Email '$email' is valid\n" : 
        "[-] Email '$email' is NOT valid\n";
}
?>

Output for PHP 5.3.21 - 7.0.1 :
[-] Email 'Test Example <test@example.com>' is NOT valid
[-] Email 'test@localhost' is NOT valid
[+] Email 'test@localhost.com' is valid

down

Lech ¶

9 years ago

The description for FILTER_VALIDATE_URL seems incorrect/misleading. "Beware a valid URL may not specify the HTTP protocol" implies a valid URL cannot specify the HTTP protocol. I think "Beware a valid URL need not specify..." would be better.

down

php dot net at piskvor dot org ¶

13 years ago

FILTER_VALIDATE_EMAIL is discarding valid e-mail addresses containing IDN. Since there are real, live IDNs on the Internet, that means the filtered output is too strict, leading to false negatives.

Punycode-encoded IDN addresses pass the filter correctly; so before checking for validity, it is necessary to convert the e-mail address to punycode.

down

rowan dot collins at gmail dot com ¶

11 years ago

Regarding "partial" addresses with no . in the domain part, a comment in the source code (in ext/filter/logical_filters.c) justifies this rejection thus:

     * The regex below is based on a regex by Michael Rushton.
     * However, it is not identical.  I changed it to only consider routeable
     * addresses as valid.  Michael's regex considers a@b a valid address
     * which conflicts with section 2.3.5 of RFC 5321 which states that:
     *
     *   Only resolvable, fully-qualified domain names (FQDNs) are permitted
     *   when domain names are used in SMTP.  In other words, names that can
     *   be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
     *   in Section 5) are permitted, as are CNAME RRs whose targets can be
     *   resolved, in turn, to MX or address RRs.  Local nicknames or
     *   unqualified names MUST NOT be used.

down

gee2711 at googlemail dot com ¶

6 years ago

FILTER_FLAG_QUERY_REQUIRED is failing URLs that are encoded e.g.

http://example.com/page.php?q=growing+big

Fails whilst

http://example.com/page.php?q=big

So anything more than one word encoded fails.

Tested on PHP version 7.1

down

kizge ¶

8 years ago

FILTER_VALIDATE_INT first casts its value to string which produces unexpected result for bool and float (https://bugs.php.net/bug.php?id=72490):

<?php

// Prints int(1).
var_dump(filter_var(true, FILTER_VALIDATE_INT));

// ...but this prints bool(false).
var_dump(filter_var(false, FILTER_VALIDATE_INT));

// --------

// Prints bool(false).
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));

// ...but this prints int(0).
var_dump(filter_var(0.0, FILTER_VALIDATE_INT));

// ...but this again is bool(false).
var_dump(filter_var('0.0', FILTER_VALIDATE_INT));

// Also bool(false).
var_dump(filter_var('-0.0', FILTER_VALIDATE_INT));

?>

Live sample: https://3v4l.org/CZW0W

The docs are not clear on how exactly this casting affects the result for certain input values.

down

Bastien ¶

11 years ago

Rejection of so-called partial domains because of "missing" dot is not following section 2.3.5 of RFC 5321.

It says FQDNs are permitted, and com, org, or va are (well, may be) valids FQDNs. It depends on DNS, not on syntax.

Some TDLs (although few of them) have MX RRs, the for example "abuse@va" is correct.

down

rsnell at usgs dot gov ¶

8 years ago

Note that if using FILTER_NULL_ON_FAILURE as a flag with the FILTER_VALIDATE_BOOLEAN id then NULL is no longer returned if the variable name is not set in the external variable array. It will instead return FALSE. In the description is says that when using the FILTER_NULL_ON_FAILURE flag that ' FALSE is returned only for "0", "false", "off", "no", and ""' an makes no mention of this additional state that can also return false. The behavior is mentioned on the filter_input documentation page under Return Values but that is not overly helpful if one is just looking here.

If FILTER_NULL_ON_FAILURE is not used then NULL is returned when the variable name is not set in the external variable array, TRUE is returned for "1", "true", "on" and "yes" and FALSE is returned for everything else.

down

maruerru at gmail dot com ¶

9 years ago

Often I see some code like the following:
$value = "12";
if( filter_var($value, FILTER_VALIDATE_INT) )
{
    // validated as an int
}

The above works as intended, except when $value is "0". In the above case it will be interpreted as FALSE.

For the correct behavior,  you have not only to check if it is equal (==) to false, but also identic (===) to FALSE:
$value = " 0 ";
if( filter_var($value, FILTER_VALIDATE_INT)  === FALSE )
{
    // validated as an int
}

I hope, I could help.