You Should Be Using PHP Filtering Functions, Part 2

In the previous post, I talked about the reasons why using PHP's filtering functions is more useful than not using them.

In short, doing so helps to provide a level of validation that’s built into the language so that we don’t have to re-write something. Naturally, there are caveats.

For example, if you have to validate a value made up of non-Latin characters, then you’re going to have to go it alone and implement the validation yourself, perhaps with a regular expression.

But if you’re using email addresses, URLs, numbers, IP addresses, and so many more things, then you’re in a good position to use something that already exists.

Anyway, all of the above is still about filtering variables. What about inputs, though? That is, values that come from $_POST or $_GET. It’s possible to use a similar strategy with a different function and a different set of arguments.

But if you understand the basics presented in the last post, then this post will not be very different.

PHP Filtering Functions, Part 2: Inputs

Filtering inputs is done with the filter_input function. The PHP Manual's definition of this function is:

Gets a specific external variable by name and optionally filters it

The PHP Manual

As mentioned last time, this sounds a little odd until you understand what the filters are; luckily, the previous post covered them. This post is going to focus specifically on POST (and, very briefly, GET).

There are other input sources, though, and these include:

  • INPUT_COOKIE
  • INPUT_SERVER
  • INPUT_ENV

Since POST and GET are the two sources I most often see used in WordPress, those are the two covered here.

Using this function is trivially easy. Assume a user has provided a value in a form that is submitted to the server with a POST request, under a key such as firstname.

The code to verify it may look something like this:

filter_input(INPUT_POST, 'firstname');

This is easy enough to understand: it looks up the key, filters the value, and returns it. Because it returns a value, we can set up a guard clause before moving forward with any more work:

$firstname = filter_input(INPUT_POST, 'firstname');

// filter_input() returns null when the key is absent from the request
// and false when the value is rejected by the filter, so guard against both.
if (null === $firstname || false === $firstname) {
  return;
}

If everything checks out, we can move forward and do whatever we need to do with the user information. Perhaps we need to associate it with the current post for whatever reason:

$firstname = filter_input(INPUT_POST, 'firstname');

// Stop on a missing key (null) or a rejected value (false).
if (null === $firstname || false === $firstname) {
  return;
}

update_post_meta(get_the_ID(), 'acme-firstname', $firstname);

// Other code you may use...

Further, you can tighten validation by using the various filters covered in the previous post; these are passed as the third parameter to the filter_input function.

And What About GET?

The nice thing about this function is that, generally speaking, the same rules hold true for GET as they do for POST; rather than INPUT_POST, you use INPUT_GET.

And then you can work through your code however best suits the needs of your project.

Security, Nonces, etc.

Remember, this is not something to be used in place of other security measures. It is purely for validating data before doing anything with it.

Don’t replace the verification of nonce values just because you’re verifying data differently.
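To tie the two points above together, here is an added example (my own code, not from the original post) that passes a filter as the third parameter to filter_input, distinguishes a missing key (null) from a rejected value (false), and still verifies the nonce and the user's capability before writing anything. It assumes a WordPress form that POSTs the fields firstname, email and age plus a nonce field named acme_nonce created with wp_nonce_field('acme_save', 'acme_nonce'); the field names, nonce action, meta keys and function names are assumptions, and the WordPress helpers (wp_verify_nonce, current_user_can, sanitize_text_field, sanitize_email, update_post_meta, get_the_ID) are the real WordPress APIs. Because filter_input reads the live request rather than $_POST, this must run inside an actual request handler, not from the command line.

```php
<?php
// Added example, not part of the original post. Field names, nonce action,
// meta keys and function names are assumptions; WordPress helpers are real.

function acme_read_profile_fields(): ?array {
    // filter_input() returns null when the key is missing from the request
    // and false when the value is present but rejected by the filter.
    $firstname = filter_input(INPUT_POST, 'firstname', FILTER_DEFAULT);
    if ($firstname === null || $firstname === false) {
        return null;
    }
    // FILTER_DEFAULT does no validation, so length and whitespace are our job
    // (mb_strlen so non-Latin names are counted in characters, not bytes).
    $firstname = trim($firstname);
    if ($firstname === '' || mb_strlen($firstname) > 64) {
        return null;
    }

    // FILTER_VALIDATE_EMAIL returns the address unchanged, or false if invalid.
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === null || $email === false) {
        return null;
    }

    // FILTER_VALIDATE_INT with an options array enforces a range and yields an int,
    // so "12abc", "1e3" and out-of-range values are all rejected as false.
    $age = filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 13, 'max_range' => 120],
    ]);
    if ($age === null || $age === false) {
        return null;
    }

    return ['firstname' => $firstname, 'email' => $email, 'age' => $age];
}

function acme_save_profile(): void {
    // Filtering is not authorisation: verify the nonce and capability first.
    $nonce = filter_input(INPUT_POST, 'acme_nonce');
    if (!is_string($nonce) || !wp_verify_nonce($nonce, 'acme_save')) {
        return;
    }
    $post_id = get_the_ID();
    if ($post_id === false || !current_user_can('edit_post', $post_id)) {
        return;
    }

    $fields = acme_read_profile_fields();
    if ($fields === null) {
        return; // Missing or invalid input: do nothing rather than save garbage.
    }

    // The filters validated shape; WordPress sanitisers normalise for storage.
    update_post_meta($post_id, 'acme-firstname', sanitize_text_field($fields['firstname']));
    update_post_meta($post_id, 'acme-email', sanitize_email($fields['email']));
    update_post_meta($post_id, 'acme-age', $fields['age']);
}
```

Call acme_save_profile() from whatever handler processes the form submission. Note that with FILTER_VALIDATE_INT the returned value is an int rather than the original string, which is why the age can be stored directly; the other two fields stay strings and go through the WordPress sanitisers on the way to the database.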

Variables and Inputs

Remember, though these functions are very similar, variables and inputs are different. In other words, don’t use filter_var when you’re working with input coming from the user or the browser; use it when you’re working with variables. And, similarly, use the