PHP 8.4.0 RC4 available for testing

検証フィルタ

検証用のフィルタの一覧
ID 名前 オプション フラグ 説明
FILTER_VALIDATE_BOOLEAN, FILTER_VALIDATE_BOOL "boolean" default FILTER_NULL_ON_FAILURE

"1"、"true"、"on" および "yes" の場合に true、 それ以外の場合に false を返します。

FILTER_NULL_ON_FAILURE が設定されている場合は、 false が返されるのは "0"、"false"、"off"、"no" および "" の場合のみとなります。 boolean 以外の値については null を返します。

文字列の値については、 比較する前に先頭および末尾にあるホワイトスペースが取り除かれます。 取り除くために、trim() 関数を使います。

FILTER_VALIDATE_DOMAIN "validate_domain" default FILTER_FLAG_HOSTNAME, FILTER_NULL_ON_FAILURE

ドメイン名ラベルの長さが妥当であるかを検証します。

ドメイン名が RFC 1034, RFC 1035, RFC 952, RFC 1123, RFC 2732, RFC 2181, RFC 1123 に照らして正しいかを検証します。 オプションのフラグ FILTER_FLAG_HOSTNAME を使うと、 ホスト名 (アルファベットか数字で始まり、 アルファベットか数字、もしくはハイフンのみが 含まれている必要があります) も追加で検証できます。

FILTER_VALIDATE_EMAIL "validate_email" default FILTER_FLAG_EMAIL_UNICODE, FILTER_NULL_ON_FAILURE

値が妥当な e-mail アドレスであるかどうかを検証します。

この検証は、e-mail アドレスが » RFC 822addr-spec 形式 に沿ったものであるかどうかを確かめます。 ただし、コメント、空白の折り返し (whitespace folding) および ドットなしドメイン名 (dotless domain name) には対応していません。

FILTER_VALIDATE_FLOAT "float" default, decimal, min_range, max_range FILTER_FLAG_ALLOW_THOUSAND, FILTER_NULL_ON_FAILURE

値が float であるかどうかを検証し、オプションで指定された範囲にあるかを調べます。成功した場合は値を float に変換します。

文字列の値については、 比較する前に先頭および末尾にあるホワイトスペースが取り除かれます。 取り除くために、trim() 関数を使います。

FILTER_VALIDATE_INT "int" default, min_range, max_range FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX, FILTER_NULL_ON_FAILURE

値が整数であるかどうか、オプションで指定した範囲内にあるかどうかを検証し、成功した場合は整数に変換します。

文字列の値については、 比較する前に先頭および末尾にあるホワイトスペースが取り除かれます。 取り除くために、trim() 関数を使います。

FILTER_VALIDATE_IP "validate_ip" default FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE, FILTER_FLAG_GLOBAL_RANGE, FILTER_NULL_ON_FAILURE 値が IP アドレスであるかどうかを検証します。 オプションで IPv4 あるいは IPv6 のみの指定、 プライベートアドレスや予約済みアドレスではないことの指定もできます。
FILTER_VALIDATE_MAC "validate_mac_address" default FILTER_NULL_ON_FAILURE 値が MAC アドレスであるかどうかを検証します。
FILTER_VALIDATE_REGEXP "validate_regexp" default, regexp FILTER_NULL_ON_FAILURE 値が、Perl 互換の 正規表現 regexp に一致するかどうかを検証します。
FILTER_VALIDATE_URL "validate_url" default FILTER_FLAG_SCHEME_REQUIRED, FILTER_FLAG_HOST_REQUIRED, FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED, FILTER_NULL_ON_FAILURE 値が URL 形式である (» http://www.faqs.org/rfcs/rfc2396 に準拠している) かどうか、 オプションで、必須コンポーネントが含まれているかどうかを検証します。 妥当な URL が、HTTP プロトコル http:// を指定しているとは限りません。 つまり、その URL が期待通りのプロトコル (ssh://mailto: など) を使っているかどうか、さらなる検証が必要だということです。 この関数は、ASCII の URL のみを正しいとみなすことに注意しましょう。 国際化ドメイン名 (非 ASCII 文字を含むもの) は失敗します。

注意:

オプションに default を設定すると、値が検証されなかったときに default の値を使います。

変更履歴

バージョン 説明
8.0.0 FILTER_FLAG_SCHEME_REQUIRED および、 FILTER_VALIDATE_URL フィルタのための FILTER_FLAG_HOST_REQUIRED フラグは削除されました。 schemehost は (かつてもそうでしたが) 常に必須になっています。
8.0.0 FILTER_VALIDATE_BOOLEAN のエイリアスとして FILTER_VALIDATE_BOOL が追加されました。 FILTER_VALIDATE_BOOL を使う方が好ましいです。
7.4.0 FILTER_VALIDATE_FLOAT 向けに min_rangemax_range オプションが追加されました。
7.0.0 FILTER_FLAG_HOSTNAMEFILTER_VALIDATE_DOMAIN が追加されました。

add a note

User Contributed Notes 14 notes

up
46
boy at relaxnow dot nl
12 years ago
FILTER_VALIDATE_URL does not work with URNs, examples of valid URIs according to RFC3986 and if they are accepted by FILTER_VALIDATE_URL:

[PASS] ftp://ftp.is.co.za.example.org/rfc/rfc1808.txt
[PASS] gopher://spinaltap.micro.umn.example.edu/00/Weather/California/Los%20Angeles
[PASS] http://www.math.uio.no.example.net/faq/compression-faq/part1.html
[PASS] mailto:mduerst@ifi.unizh.example.gov
[PASS] news:comp.infosystems.www.servers.unix
[PASS] telnet://melvyl.ucop.example.edu/
[PASS] http://www.ietf.org/rfc/rfc2396.txt
[PASS] ldap://[2001:db8::7]/c=GB?objectClass?one
[PASS] mailto:John.Doe@example.com
[PASS] news:comp.infosystems.www.servers.unix
[FAIL] tel:+1-816-555-1212
[PASS] telnet://192.0.2.16:80/
[FAIL] urn:oasis:names:specification:docbook:dtd:xml:4.1.2
up
28
bee kay two at em ee dot com
12 years ago
Notably missing is a way to validate text entry as printable,
printable multiline,
or printable and safe (tag free)

FILTER_VALIDATE_TEXT, which validates no special characters
perhaps with FILTER_FLAG_ALLOW_NEWLINE
and FILTER_FLAG_NOTAG to disallow tag starters
up
14
MR Yekta
4 years ago
since php 7.4
you can use these 3 beautiful conditions for from validation for validation less, great or in range

<?php
/**
* less_than_equal_to
*/
$x = 50;
if (
filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["max_range" => 100]]) !== false) {
echo
"result : $x is less than OR equal to 100";
} else {
echo
"result : $x is NOT less than OR equal to 100";
}
?>
result : 50 is less than OR equal to 100

<?php
/**
* greater_than_equal_to
*/
$x = 50;
if (
filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["min_range" => 100]]) !== false) {
echo
"result : $x is greater than OR equal to 100";
} else {
echo
"result : $x is NOT greater than OR equal to 100";
}
?>
result : 50 is NOT greater than OR equal to 100

<?php
/**
* less_than_equal_to && greater_than_equal_to
*/
$x = 50;
if (
filter_var($x, FILTER_VALIDATE_FLOAT, ["options" => ["min_range" => 0 , "max_range"=> 100]]) !== false) {
echo
"result : $x is in range of 0 to 100";
} else {
echo
"result : $x in NOT range of 0 to 100";
}
?>
result : 50 is in range of 0 to 100
up
9
bryanwayb at gmail dot com
9 years ago
It's good to remember that using filter_var is primarily for filtering input values when doing boolean logic comparisons. Take the following:

$value = "12";
if(filter_var($value, FILTER_VALIDATE_INT))
{
// validated as an int
}

The above works as intended, except when $value = "0". In which case filter_var returns a 0, aka false when used as a boolean.

For the correct behavior, do a zero check.

$value = " 0 ";
$filtered = filter_var($value, FILTER_VALIDATE_INT);
if($filtered || $filtered === 0)
{
// validated as an int
}
up
10
Clifton
13 years ago
FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated as mentioned by Tomas.

Using the following code:

<?php
$email
= "clifton@example"; //Note the .com missing
echo "PHP Version: ".phpversion().'<br>';
if(
filter_var($email, FILTER_VALIDATE_EMAIL)){
echo
$email.'<br>';
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}else{
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}
?>

Returns:
PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.
bool(false)

While the following code:

<?php
$email
= "clifton@example.com"; //Note the .com added
echo "PHP Version: ".phpversion().'<br>';
if(
filter_var($email, FILTER_VALIDATE_EMAIL)){
echo
$email.'<br>';
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}else{
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}
?>

Returns:
PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.
clifton@example.com
string(16) "clifton@example.com"

This feature is only available for PHP Versions (PHP 5 >= 5.2.0) according to documentation. So make sure your version is correct.

Cheers,
Clifton
up
5
sebastian dot piskorski at gmail dot com
8 years ago
FILTER_VALIDATE_EMAIL not only doesn't support whitespace folding and comments. It only checks Addr-spec part of email address. Otherwise it should mark such address as valid: 'Test Example <test@example.com>' because it is valid according to RFC 822.

Also address "test@localhost" should be valid. Which is mentioned in another note.

You can test it with this code:
<?php

$emails
= array(
'Test Example <test@example.com>',
'test@localhost',
'test@localhost.com'
);

foreach (
$emails as $email) {
echo (
filter_var($email, FILTER_VALIDATE_EMAIL)) ?
"[+] Email '$email' is valid\n" :
"[-] Email '$email' is NOT valid\n";
}
?>

Output for PHP 5.3.21 - 7.0.1 :
[-] Email 'Test Example <test@example.com>' is NOT valid
[-] Email 'test@localhost' is NOT valid
[+] Email 'test@localhost.com' is valid
up
6
Lech
9 years ago
The description for FILTER_VALIDATE_URL seems incorrect/misleading. "Beware a valid URL may not specify the HTTP protocol" implies a valid URL cannot specify the HTTP protocol. I think "Beware a valid URL need not specify..." would be better.
up
6
php dot net at piskvor dot org
13 years ago
FILTER_VALIDATE_EMAIL is discarding valid e-mail addresses containing IDN. Since there are real, live IDNs on the Internet, that means the filtered output is too strict, leading to false negatives.

Punycode-encoded IDN addresses pass the filter correctly; so before checking for validity, it is necessary to convert the e-mail address to punycode.
up
6
rowan dot collins at gmail dot com
11 years ago
Regarding "partial" addresses with no . in the domain part, a comment in the source code (in ext/filter/logical_filters.c) justifies this rejection thus:

* The regex below is based on a regex by Michael Rushton.
* However, it is not identical. I changed it to only consider routeable
* addresses as valid. Michael's regex considers a@b a valid address
* which conflicts with section 2.3.5 of RFC 5321 which states that:
*
* Only resolvable, fully-qualified domain names (FQDNs) are permitted
* when domain names are used in SMTP. In other words, names that can
* be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
* in Section 5) are permitted, as are CNAME RRs whose targets can be
* resolved, in turn, to MX or address RRs. Local nicknames or
* unqualified names MUST NOT be used.
up
2
gee2711 at googlemail dot com
6 years ago
FILTER_FLAG_QUERY_REQUIRED is failing URLs that are encoded e.g.

http://example.com/page.php?q=growing+big

Fails whilst

http://example.com/page.php?q=big

So anything more than one word encoded fails.

Tested on PHP version 7.1
up
2
kizge
8 years ago
FILTER_VALIDATE_INT first casts its value to string which produces unexpected result for bool and float (https://bugs.php.net/bug.php?id=72490):

<?php

// Prints int(1).
var_dump(filter_var(true, FILTER_VALIDATE_INT));

// ...but this prints bool(false).
var_dump(filter_var(false, FILTER_VALIDATE_INT));

// --------

// Prints bool(false).
var_dump(filter_var(1.1, FILTER_VALIDATE_INT));

// ...but this prints int(0).
var_dump(filter_var(0.0, FILTER_VALIDATE_INT));

// ...but this again is bool(false).
var_dump(filter_var('0.0', FILTER_VALIDATE_INT));

// Also bool(false).
var_dump(filter_var('-0.0', FILTER_VALIDATE_INT));

?>

Live sample: https://3v4l.org/CZW0W

The docs are not clear on how exactly this casting affects the result for certain input values.
up
2
Bastien
11 years ago
Rejection of so-called partial domains because of "missing" dot is not following section 2.3.5 of RFC 5321.

It says FQDNs are permitted, and com, org, or va are (well, may be) valids FQDNs. It depends on DNS, not on syntax.

Some TDLs (although few of them) have MX RRs, the for example "abuse@va" is correct.
up
0
rsnell at usgs dot gov
8 years ago
Note that if using FILTER_NULL_ON_FAILURE as a flag with the FILTER_VALIDATE_BOOLEAN id then NULL is no longer returned if the variable name is not set in the external variable array. It will instead return FALSE. In the description is says that when using the FILTER_NULL_ON_FAILURE flag that ' FALSE is returned only for "0", "false", "off", "no", and ""' an makes no mention of this additional state that can also return false. The behavior is mentioned on the filter_input documentation page under Return Values but that is not overly helpful if one is just looking here.

If FILTER_NULL_ON_FAILURE is not used then NULL is returned when the variable name is not set in the external variable array, TRUE is returned for "1", "true", "on" and "yes" and FALSE is returned for everything else.
up
0
maruerru at gmail dot com
9 years ago
Often I see some code like the following:
$value = "12";
if( filter_var($value, FILTER_VALIDATE_INT) )
{
// validated as an int
}

The above works as intended, except when $value is "0". In the above case it will be interpreted as FALSE.

For the correct behavior, you have not only to check if it is equal (==) to false, but also identic (===) to FALSE:
$value = " 0 ";
if( filter_var($value, FILTER_VALIDATE_INT) === FALSE )
{
// validated as an int
}

I hope, I could help.
To Top