PHP 8.5.8 Released!

filter_var_array

(PHP 5 >= 5.2.0, PHP 7, PHP 8)

filter_var_arrayGets multiple variables and optionally filters them

Description

function filter_var_array(array $array, array|int $options = FILTER_DEFAULT, bool $add_empty = true): array|false|null

Filter an associative array of values using FILTER_VALIDATE_* validation filters, FILTER_SANITIZE_* sanitization filters, or custom filters.

Parameters

array
An associative array containing the data to filter.
options
Either an associative array of options, or the filter to apply to each entry, which can either be a validation filter by using one of the FILTER_VALIDATE_* constants, or a sanitization filter by using one of the FILTER_SANITIZE_* constants. The option array is an associative array where the key corresponds to a key in the data array and the associated value is either the filter to apply to this entry, or an associative array describing how and which filter should be applied to this entry. The associative array describing how a filter should be applied must contain the 'filter' key whose associated value is the filter to apply, which can be one of the FILTER_VALIDATE_*, FILTER_SANITIZE_*, FILTER_UNSAFE_RAW, or FILTER_CALLBACK constants. It can optionally contain the 'flags' key which specifies and flags that apply to the filter, and the 'options' key which specifies any options that apply to the filter.
add_empty

Add missing keys as null to the return value.

Return Values

An array containing the values of the requested variables on success, or false on failure. An array value will be false if the filter fails, or null if the variable is not set.

Examples

Example #1 A filter_var_array() example

<?php

$data = [
    'product_id' => 'libgd<script>',
    'component'  => '10',
    'versions'   => '2.0.33',
    'testscalar' => ['2', '23', '10', '12'],
    'testarray'  => '2',
];

$filters = [
    'product_id'   => FILTER_SANITIZE_ENCODED,
    'component'    => [
        'filter'   => FILTER_VALIDATE_INT,
        'flags'    => FILTER_FORCE_ARRAY,
        'options'  => [
            'min_range' => 1,
            'max_range' => 10,
        ],
    ],
    'versions'     => [
        'filter' => FILTER_SANITIZE_ENCODED
    ],
    'testscalar'   => [
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_REQUIRE_SCALAR,
    ],
    'testarray'    => [
        'filter' => FILTER_VALIDATE_INT,
        'flags'  => FILTER_FORCE_ARRAY,
    ],
    'doesnotexist' => FILTER_VALIDATE_INT,
];

var_dump(filter_var_array($data, $filters));

?>

The above example will output:

array(6) {
  ["product_id"]=>
  string(17) "libgd%3Cscript%3E"
  ["component"]=>
  array(1) {
    [0]=>
    int(10)
  }
  ["versions"]=>
  string(6) "2.0.33"
  ["testscalar"]=>
  bool(false)
  ["testarray"]=>
  array(1) {
    [0]=>
    int(2)
  }
  ["doesnotexist"]=>
  NULL
}

See Also

add a note

User Contributed Notes 5 notes

up
4
Anonymous
3 years ago
To apply the same filter to many params/keys, use array_fill_keys().

<?php
$data = array(
    'product_id'    => 'libgd<script>',
    'component'     => '    10    ',
    'versions'      => '2.0.33',
    'testscalar'    => array('2', '23', '10', '12'),
    'testarray'     => '2',
);
$keys = array(
    'product_id',
    'component',
    'versions',
    'doesnotexist',
    'testscalar',
    'testarray'
);
$options = array(
    'filter' => FILTER_CALLBACK,
    'options' => function ($value) {
        return trim(strip_tags($value));
    },
);
$args = array_fill_keys($keys, $options);
/* Result
$args = array(
    'product_id' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
    'component' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
    'versions' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
    'doesnotexist' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
    'testscalar' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
    'testarray' => array(
        'filter' => FILTER_CALLBACK,
        'options' => function ($value) {
            return trim(strip_tags($value));
        },
    ),
);
*/

$myinputs = filter_var_array($data, $args);
var_dump($myinputs);

Output:

array(6) {
  'product_id' =>
  string(5) "libgd"
  'component' =>
  string(2) "10"
  'versions' =>
  string(6) "2.0.33"
  'doesnotexist' =>
  NULL
  'testscalar' =>
  array(4) {
    [0] =>
    string(1) "2"
    [1] =>
    string(2) "23"
    [2] =>
    string(2) "10"
    [3] =>
    string(2) "12"
  }
  'testarray' =>
  string(1) "2"
}
up
7
eguvenc at gmail dot com
17 years ago
<?php
//an example of simply sanitize an array..

$data = array(
                '<b>bold</b>',
                '<script>javascript</script>',
                'P*}i@893746%%%p*.i.*}}|.dw<?php echo "echo works!!";?>');

$myinputs = filter_var_array($data,FILTER_SANITIZE_STRING);

var_dump($myinputs);

//OUTPUT:
//formarray(3) { [0]=> string(4) "bold" [1]=> string(10) "javascript" [2]=> string(26) "P*}i@893746%%%p*.i.*}}|.dw" }
?>
up
0
masakielastic at gmail dot com
1 day ago
For Web API input validation, it can be useful to separate the application-level validation specification from the low-level PHP filtering API.

Some projects use schema validation libraries to keep validation rules independent from the code that actually executes the validation. The same idea can be applied in a small form with filter_var_array(): define field names and rule names in one array, then convert those rule names into PHP filter descriptors.

<?php

$input = [
    'email' => 'taro@example.com', // valid
    'quantity' => '0',             // invalid: less than 1
];

// Application-level specification.
// It maps input field names to application rule names.
$app_spec = [
    'email' => 'email',
    'quantity' => 'quantity',
];

$filter_descriptors = build_filter_descriptors($app_spec);

$result = filter_var_array($input, $filter_descriptors);

var_dump($result);

function build_filter_descriptors(array $app_spec): array
{
    $filter_descriptors = [];

    foreach ($app_spec as $field => $rule_name) {
        $filter_descriptors[$field] = filter_descriptor_for_rule($rule_name);
    }

    return $filter_descriptors;
}

function filter_descriptor_for_rule(string $rule_name): array
{
    return match ($rule_name) {
        'email' => [
            'filter' => FILTER_VALIDATE_EMAIL,
        ],
        'quantity' => [
            'filter' => FILTER_VALIDATE_INT,
            'options' => [
                'min_range' => 1,
                'max_range' => 10,
            ],
        ],
    };
}
up
0
masakielastic at gmail dot com
1 day ago
FILTER_THROW_ON_FAILURE can be used in each filter descriptor by adding it to the "flags" entry.

<?php

$data = [
    'email' => 'not an email',
    'age' => '20',
];

$filters = [
    'email' => [
        'filter' => FILTER_VALIDATE_EMAIL,
        'flags' => FILTER_THROW_ON_FAILURE,
    ],
    'age' => [
        'filter' => FILTER_VALIDATE_INT,
        'flags' => FILTER_THROW_ON_FAILURE,
        'options' => [
            'min_range' => 0,
            'max_range' => 120,
        ],
    ],
];

try {
    $result = filter_var_array($data, $filters);
} catch (Filter\FilterFailedException $e) {
    echo $e->getMessage(), "\n";
}

?>

When using filter_var_array(), the exception message does not identify which array key failed validation. If you need field-specific validation errors for a form or Web API response, validating each field separately with filter_var() may be easier to handle.

Also note that FILTER_THROW_ON_FAILURE and FILTER_NULL_ON_FAILURE should not be used together.
up
-2
Vee W.
7 years ago
$emails = [
    'a' => 'email1@domain.com',
    'b' => '<email2>@domain.com',
];

$result = filter_var_array($emails, FILTER_SANITIZE_EMAIL);
print_r($result);

// the result will be...
// array('a' => 'email1@domain.com', 'b' => 'email2@domain.com')
To Top