Sanitize filters

List of filters for sanitization
ID Name Flags Description
FILTER_SANITIZE_EMAIL "email"   Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].
FILTER_SANITIZE_ENCODED "encoded" FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH URL-encode string, optionally strip or encode special characters.
FILTER_SANITIZE_MAGIC_QUOTES "magic_quotes"   Apply addslashes(). (DEPRECATED as of PHP 7.3.0 and REMOVED as of PHP 8.0.0, use FILTER_SANITIZE_ADD_SLASHES instead.)
FILTER_SANITIZE_ADD_SLASHES "add_slashes"   Apply addslashes(). (Available as of PHP 7.3.0)
FILTER_SANITIZE_NUMBER_FLOAT "number_float" FILTER_FLAG_ALLOW_FRACTION, FILTER_FLAG_ALLOW_THOUSAND, FILTER_FLAG_ALLOW_SCIENTIFIC Remove all characters except digits, +- and optionally .,eE.
FILTER_SANITIZE_NUMBER_INT "number_int"   Remove all characters except digits, plus and minus sign.
FILTER_SANITIZE_SPECIAL_CHARS "special_chars" FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_HIGH HTML-encode '"<>& and characters with ASCII value less than 32, optionally strip or encode other special characters.
FILTER_SANITIZE_FULL_SPECIAL_CHARS "full_special_chars" FILTER_FLAG_NO_ENCODE_QUOTES Equivalent to calling htmlspecialchars() with ENT_QUOTES set. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0.
FILTER_SANITIZE_STRING "string" FILTER_FLAG_NO_ENCODE_QUOTES, FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters. Encoding quotes can be disabled by setting FILTER_FLAG_NO_ENCODE_QUOTES. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)
FILTER_SANITIZE_STRIPPED "stripped"   Alias of "string" filter. (Deprecated as of PHP 8.1.0, use htmlspecialchars() instead.)
FILTER_SANITIZE_URL "url"   Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.
FILTER_UNSAFE_RAW "unsafe_raw" FILTER_FLAG_STRIP_LOW, FILTER_FLAG_STRIP_HIGH, FILTER_FLAG_STRIP_BACKTICK, FILTER_FLAG_ENCODE_LOW, FILTER_FLAG_ENCODE_HIGH, FILTER_FLAG_ENCODE_AMP Do nothing, optionally strip or encode special characters. This filter is also aliased to FILTER_DEFAULT.

Warning

When using one of these filters as a default filter either through your ini file or through your web server's configuration, the default flags is set to FILTER_FLAG_NO_ENCODE_QUOTES. You need to explicitly set filter.default_flags to 0 to have quotes encoded by default. Like this:

Example #1 Configuring the default filter to act like htmlspecialchars

filter.default = full_special_chars
filter.default_flags = 0

Changelog

Version Description
8.1.0 FILTER_SANITIZE_STRING and FILTER_SANITIZE_STRIPPED have been deprecated.
8.0.0 FILTER_SANITIZE_MAGIC_QUOTES has been removed.
7.3.0 FILTER_SANITIZE_ADD_SLASHES was added as a replacement for FILTER_SANITIZE_MAGIC_QUOTES
7.3.0 FILTER_SANITIZE_MAGIC_QUOTES has been deprecated.

add a note

User Contributed Notes

There are no user contributed notes for this page.
To Top