Sanitize filters

ID | Name | Flags | Description |
---|---|---|---|
FILTER_SANITIZE_EMAIL | "email" | | Remove all characters except letters, digits and ``!#$%&'*+-=?^_`{\|}~@.[]``. |
FILTER_SANITIZE_ENCODED | "encoded" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH | URL-encode string, optionally strip or encode special characters. |
FILTER_SANITIZE_MAGIC_QUOTES | "magic_quotes" | | Apply addslashes(). (DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0, use FILTER_SANITIZE_ADD_SLASHES instead.) |
FILTER_SANITIZE_ADD_SLASHES | "add_slashes" | | Apply addslashes(). (Available as of PHP 7.3.0) |
FILTER_SANITIZE_NUMBER_FLOAT | "number_float" | FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC | Remove all characters except digits, `+-` and optionally `.,eE`. |
FILTER_SANITIZE_NUMBER_INT | "number_int" | | Remove all characters except digits, plus and minus sign. |
FILTER_SANITIZE_SPECIAL_CHARS | "special_chars" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_HIGH | HTML-encode `'"<>&` and characters with ASCII value less than 32, optionally strip or encode other special characters. |
FILTER_SANITIZE_FULL_SPECIAL_CHARS | "full_special_chars" | FILTER_FLAG_NO_ENCODE_QUOTES | Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0. |
FILTER_SANITIZE_STRING | "string" | FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.) |
FILTER_SANITIZE_STRIPPED | "stripped" | | Alias of "string" filter. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.) |
FILTER_SANITIZE_URL | "url" | | Remove all characters except letters, digits and ``$-_.+!*'(),{}\|\\^~[]`<>#%";/?:@&=``. |
FILTER_UNSAFE_RAW | "unsafe_raw" | FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP | Do nothing, optionally strip or encode special characters. This filter is also aliased to FILTER_DEFAULT. |

When using one of these filters as a default filter, either through your ini file or through your web server's configuration, the default flags are set to FILTER_FLAG_NO_ENCODE_QUOTES. You need to explicitly set filter.default_flags to 0 to have quotes encoded by default. Like this:

Example #1 Configuring the default filter to act like htmlspecialchars

```ini
filter.default = full_special_chars
filter.default_flags = 0
```

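The effect of the default flags described in the warning above, shown with explicit `filter_var()` calls. This is an added example, not code from the PHP manual; `quotes_encoded_by_default()` is a hypothetical helper, the input string is constructed, and an empty `filter.default_flags` is assumed to mean the setting was never set.

```php
<?php
// Added example, not from the PHP manual. quotes_encoded_by_default() is a
// hypothetical helper; the sample input below is constructed.

/**
 * Returns true when the given ini values describe a default filter that
 * encodes quotes. Assumption: an empty or missing filter.default_flags is
 * treated as "not set", which per the warning above means the flags are
 * FILTER_FLAG_NO_ENCODE_QUOTES.
 */
function quotes_encoded_by_default($defaultFilter, $defaultFlags): bool
{
    if ($defaultFilter !== 'full_special_chars') {
        return false; // only the configuration from Example #1 is checked
    }
    if ($defaultFlags === false || $defaultFlags === null || $defaultFlags === '') {
        return false; // flags never set explicitly: quotes are left as-is
    }
    // Quotes are encoded only when the NO_ENCODE_QUOTES bit is clear.
    return ((int) $defaultFlags & FILTER_FLAG_NO_ENCODE_QUOTES) === 0;
}

$input = 'Tom\'s "quoted" <b>value</b>'; // constructed sample

// Flags 0: single quotes, double quotes and angle brackets are encoded.
$strict = filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS, 0);

// The flag a default filter gets when filter.default_flags is not set:
// angle brackets are still encoded, both kinds of quote pass through.
$lax = filter_var($input, FILTER_SANITIZE_FULL_SPECIAL_CHARS, FILTER_FLAG_NO_ENCODE_QUOTES);

printf("flags = 0:                    %s\n", $strict);
printf("FILTER_FLAG_NO_ENCODE_QUOTES: %s\n", $lax);

// Audit the configuration this script is actually running under.
$ok = quotes_encoded_by_default(ini_get('filter.default'), ini_get('filter.default_flags'));
printf("default filter encodes quotes: %s\n", $ok ? 'yes' : 'no');
```

Output that is placed inside a quoted HTML attribute depends on quote encoding, so the second form is not a substitute for the first in that context.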
Changelog

Version | Description |
---|---|
8.1.0 | FILTER_SANITIZE_STRING and FILTER_SANITIZE_STRIPPED have been deprecated. |
8.0.0 | FILTER_SANITIZE_MAGIC_QUOTES has been removed. |
7.3.0 | FILTER_SANITIZE_ADD_SLASHES was added as a replacement for FILTER_SANITIZE_MAGIC_QUOTES. |
7.3.0 | FILTER_SANITIZE_MAGIC_QUOTES has been deprecated. |