Filters

The PHP Filter Extension exists to help deal with external input, which is any data that does not originate inside your script itself. This includes form submissions, cookies, URLs, web services, and even values coming from databases. External data is considered insecure by default, because it may be malformed, unexpected, or intentionally crafted to cause problems.

PHP filters address this by offering two distinct operations: validation and sanitization. Validation checks whether a value matches a required format or rule, such as being a valid email address, URL, integer, or IP address. Validation does not change the value. If the value does not meet the rule, the filter returns false. Sanitization, on the other hand, actively modifies the value by removing characters that are considered illegal for a specific format. Sanitization always attempts to return a cleaned version of the input.

The filter extension provides several functions to work with external data. The most commonly used one is filter_var(), which applies a filter directly to a variable. filter_input() retrieves an external input value (for example from GET or POST) and filters it in one step. filter_var_array() applies filters to multiple values at once when working with arrays. filter_list() returns a list of all supported filters available in PHP, and filter_id() can be used to retrieve the numeric ID of a filter by name.

The filter_list() function is useful for discovering which filters exist. It returns an array of filter names, which can be looped over to display both the filter name and its corresponding ID using filter_id().

The filter_var() function is the core of most filtering tasks. It accepts three parameters: the value to filter, the filter to apply (a FILTER_* constant, which is the filter's numeric ID; filter_id() maps a filter name to it), and optional flags or options that modify the filter's behavior. Depending on the filter type, it will either return the filtered value or false.

Filters fall into two main categories. Validation filters verify that data matches a specific format and return false if it does not. Examples include FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_URL, FILTER_VALIDATE_INT, and FILTER_VALIDATE_IP. Sanitization filters remove characters that are not allowed for a given format and may change the original value. Examples include FILTER_SANITIZE_EMAIL, FILTER_SANITIZE_URL, and FILTER_SANITIZE_NUMBER_INT.

A common pattern when working with user input is to sanitize first and then validate. For example, an email address can be sanitized to remove illegal characters, and then validated to confirm that the resulting value is still a valid email address. The same pattern applies to URLs.

When validating integers, a special case exists for the value 0. filter_var() returns the filtered value on success and false on failure. Because 0 is a valid integer but is also considered falsy in PHP, a simple comparison can mistakenly treat it as invalid. To handle this correctly, strict comparisons must be used so that 0 is accepted as valid while false still represents failure.

IP addresses can also be validated using FILTER_VALIDATE_IP, which checks whether a string is a properly formatted IP address.
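The sanitize-then-validate pattern, the strict check for 0, and IP validation, as an added example that is not part of the original page. The function names and the sample inputs are constructed here; one point the page does not spell out is that a value which only validates after sanitization is not the value the client sent, so the helper reports when cleaning changed the input.

```php
<?php
declare(strict_types=1);

// Added example: helpers around filter_var() (hypothetical names, not a PHP API).

/**
 * Sanitize an email address, then validate the cleaned result.
 * 'altered' is true when sanitization removed characters; such inputs
 * deserve logging, because the accepted value differs from what was submitted.
 */
function validateEmail(string $raw): array
{
    $clean = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $valid = filter_var($clean, FILTER_VALIDATE_EMAIL);
    return [
        'email'   => $valid === false ? null : $valid,
        'altered' => $clean !== $raw,
    ];
}

/**
 * Strict integer check. filter_var() returns int(0) for "0", which is falsy,
 * so only an identity comparison against false distinguishes failure from 0.
 */
function validateInt(mixed $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

/** Validate an IPv4 or IPv6 address; returns null on failure. */
function validateIp(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Constructed sample inputs.
print_r(validateEmail('john.doe@example.com'));        // unchanged by sanitization
print_r(validateEmail('john<b>.doe</b>@example.com')); // validates only after cleaning

// The naive truthiness test rejects a legitimate zero; the strict helper does not.
$naiveRejectsZero = !filter_var('0', FILTER_VALIDATE_INT);
var_dump($naiveRejectsZero);
var_dump(validateInt('0'));
var_dump(validateInt('12abc'));

var_dump(validateIp('192.0.2.1'));
var_dump(validateIp('999.1.1.1'));
```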

The key idea behind PHP filters is that external input must always be validated or sanitized before use. Filters provide a standardized, built-in way to enforce expected formats and reduce the risk of security issues or broken application behavior.

The “Filters Advanced” section builds on basic filtering by showing how filters can be configured with options and flags to enforce more specific rules. Instead of only checking whether a value matches a type, filters can also validate whether the value falls within defined constraints or meets additional conditions.

When validating integers, the filter_var() function can be combined with the options parameter to define a minimum and maximum allowed range. Using FILTER_VALIDATE_INT together with the option keys min_range and max_range allows PHP to confirm that a value is not only an integer, but also falls within a specific numeric interval. If the value is outside the range or not an integer, filter_var() returns false. If it is valid, it returns the integer itself.

The options parameter is passed as an array, because filters may accept multiple configuration values. For integer validation, PHP automatically recognizes min_range and max_range as predefined option keys. These keys are specific to FILTER_VALIDATE_INT and are not arbitrary; PHP internally knows which options apply to which filters.

Filters can also be modified using flags, which change how a filter behaves rather than adding value constraints. Flags are passed as constants and act as switches. For example, FILTER_FLAG_IPV6 restricts IP validation to IPv6 addresses only. When used with FILTER_VALIDATE_IP, PHP will accept only IPv6 addresses and reject IPv4 addresses.

Similarly, URL validation can be made stricter using flags. FILTER_FLAG_QUERY_REQUIRED forces FILTER_VALIDATE_URL to accept only URLs that contain a query string. A URL that is otherwise valid but does not include a query part will fail validation when this flag is applied.

Sanitization filters can also be combined with flags. FILTER_SANITIZE_STRING removes HTML tags from a string, and when combined with FILTER_FLAG_STRIP_HIGH, it also removes characters with ASCII values greater than 127. This is useful when only basic ASCII characters should be allowed, such as in systems that must avoid extended or non-Latin characters.
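The options and flags described above (min_range/max_range, FILTER_FLAG_IPV6, FILTER_FLAG_QUERY_REQUIRED, FILTER_FLAG_STRIP_HIGH), as an added example that is not part of the original page; the helper names and sample values are constructed. One caveat: FILTER_SANITIZE_STRING is deprecated since PHP 8.1, so the last helper uses strip_tags() plus FILTER_UNSAFE_RAW with FILTER_FLAG_STRIP_HIGH to get the same tag and high-byte stripping without the deprecation notice.

```php
<?php
declare(strict_types=1);

// Added example: filter_var() with options and flags (hypothetical helper names).

/** Integer that must also lie in [1, 65535], e.g. a TCP port. Null on failure. */
function validatePort(mixed $raw): ?int
{
    $port = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
    ]);
    return $port === false ? null : $port; // 0 and 70000 both fail the range
}

/** The flag narrows FILTER_VALIDATE_IP to IPv6 only; IPv4 input is rejected. */
function validateIpv6(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6);
    return $ip === false ? null : $ip;
}

/** Flags may also be passed inside the options array, alongside 'options'. */
function validateUrlWithQuery(string $raw): ?string
{
    $url = filter_var($raw, FILTER_VALIDATE_URL, [
        'flags' => FILTER_FLAG_QUERY_REQUIRED,
    ]);
    return $url === false ? null : $url;
}

/**
 * Strip HTML tags and every byte above 127. Equivalent to the page's
 * FILTER_SANITIZE_STRING + FILTER_FLAG_STRIP_HIGH, without the 8.1 deprecation.
 * Stripping at input is lossy; escaping with htmlspecialchars() at output
 * remains the primary defence against injection into HTML.
 */
function toPlainAscii(string $raw): string
{
    $s = filter_var(strip_tags($raw), FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_HIGH);
    return $s === false ? '' : $s;
}

// Constructed sample inputs.
var_dump(validatePort('443'), validatePort('70000'), validatePort('0'));
var_dump(validateIpv6('2001:db8::1'), validateIpv6('192.0.2.1'));
var_dump(validateUrlWithQuery('https://example.com/search?q=php'));
var_dump(validateUrlWithQuery('https://example.com/search'));
var_dump(toPlainAscii("<b>caf\xC3\xA9</b> menu")); // "caf" keeps only ASCII bytes
```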

In all advanced cases, filter_var() continues to follow the same return rules: it returns the filtered value on success and false on failure. Because of this, strict comparisons against false are still required to correctly distinguish between valid values and failed validation.

The key idea of advanced filtering is that validation rules can be declared directly inside the filter configuration. Options define boundaries and limits on acceptable values, while flags adjust how strictly the filter operates. This allows input validation to remain concise, expressive, and centralized without additional conditional logic.