SunshinePHP Developer Conference 2015

検証フィルタ

検証用のフィルタの一覧
ID 名前 オプション フラグ 説明
FILTER_VALIDATE_BOOLEAN "boolean" default FILTER_NULL_ON_FAILURE

"1"、"true"、"on" および "yes" の場合に TRUE、 それ以外の場合に FALSE を返します。

FILTER_NULL_ON_FAILURE が設定されている場合は、 FALSE が返されるのは "0"、"false"、"off"、"no" および "" の場合のみとなります。 boolean 以外の値については NULL を返します。

FILTER_VALIDATE_EMAIL "validate_email" default   値が e-mail 形式であるかどうかを検証します。
FILTER_VALIDATE_FLOAT "float" default, decimal FILTER_FLAG_ALLOW_THOUSAND 値が float であるかどうかを検証します。
FILTER_VALIDATE_INT "int" default, min_range, max_range FILTER_FLAG_ALLOW_OCTAL, FILTER_FLAG_ALLOW_HEX 値が整数であるかどうか、オプションで指定した範囲内にあるかどうかを検証します。
FILTER_VALIDATE_IP "validate_ip" default FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE, FILTER_FLAG_NO_RES_RANGE 値が IP アドレスであるかどうかを検証します。 オプションで IPv4 あるいは IPv6 のみの指定、 プライベートアドレスや予約済みアドレスではないことの指定もできます。
FILTER_VALIDATE_REGEXP "validate_regexp" default, regexp   値が、Perl 互換の 正規表現 regexp に一致するかどうかを検証します。
FILTER_VALIDATE_URL "validate_url" default FILTER_FLAG_PATH_REQUIRED, FILTER_FLAG_QUERY_REQUIRED 値が URL 形式である (» http://www.faqs.org/rfcs/rfc2396 に準拠している) かどうか、 オプションで、必須コンポーネントが含まれているかどうかを検証します。 妥当な URL が、HTTP プロトコル http:// を指定しているとは限りません。 つまり、その URL が期待通りのプロトコル (ssh://mailto: など) を使っているかどうか、さらなる検証が必要だということです。 この関数は、ASCII の URL のみを正しいとみなすことに注意しましょう。 国際化ドメイン名 (非 ASCII 文字を含むもの) は失敗します。

注意:

PHP 5.4.11 移行、数値 +0 および -0 はどちらも、整数としても float としても有効と見なされるようになりました (FILTER_VALIDATE_FLOATFILTER_VALIDATE_INT を使った場合)。 それより前のバージョンでは、(FILTER_VALIDATE_FLOAT を使った場合に)float としてしか有効と見なされませんでした。

オプションに default を設定すると、値が検証されなかったときに default の値を使います。

add a note add a note

User Contributed Notes 10 notes

up
13
bee kay two at em ee dot com
2 years ago
Notably missing is a way to validate text entry as printable,
printable multiline,
or printable and safe (tag free)

FILTER_VALIDATE_TEXT, which validates no special characters
perhaps with FILTER_FLAG_ALLOW_NEWLINE
and FILTER_FLAG_NOTAG to disallow tag starters
up
8
boy at relaxnow dot nl
2 years ago
FILTER_VALIDATE_URL does not work with URNs, examples of valid URIs according to RFC3986 and if they are accepted by FILTER_VALIDATE_URL:

[PASS] ftp://ftp.is.co.za.example.org/rfc/rfc1808.txt
[PASS] gopher://spinaltap.micro.umn.example.edu/00/Weather/California/Los%20Angeles
[PASS] http://www.math.uio.no.example.net/faq/compression-faq/part1.html
[PASS] mailto:mduerst@ifi.unizh.example.gov
[PASS] news:comp.infosystems.www.servers.unix
[PASS] telnet://melvyl.ucop.example.edu/
[PASS] http://www.ietf.org/rfc/rfc2396.txt
[PASS] ldap://[2001:db8::7]/c=GB?objectClass?one
[PASS] mailto:John.Doe@example.com
[PASS] news:comp.infosystems.www.servers.unix
[FAIL] tel:+1-816-555-1212
[PASS] telnet://192.0.2.16:80/
[FAIL] urn:oasis:names:specification:docbook:dtd:xml:4.1.2
up
5
Bastien
1 year ago
Rejection of so-called partial domains because of "missing" dot is not following section 2.3.5 of RFC 5321.

It says FQDNs are permitted, and com, org, or va are (well, may be) valids FQDNs. It depends on DNS, not on syntax.

Some TDLs (although few of them) have MX RRs, the for example "abuse@va" is correct.
up
4
php dot net at piskvor dot org
3 years ago
FILTER_VALIDATE_EMAIL is discarding valid e-mail addresses containing IDN. Since there are real, live IDNs on the Internet, that means the filtered output is too strict, leading to false negatives.

Punycode-encoded IDN addresses pass the filter correctly; so before checking for validity, it is necessary to convert the e-mail address to punycode.
up
3
rowan dot collins at gmail dot com
1 year ago
Regarding "partial" addresses with no . in the domain part, a comment in the source code (in ext/filter/logical_filters.c) justifies this rejection thus:

     * The regex below is based on a regex by Michael Rushton.
     * However, it is not identical.  I changed it to only consider routeable
     * addresses as valid.  Michael's regex considers a@b a valid address
     * which conflicts with section 2.3.5 of RFC 5321 which states that:
     *
     *   Only resolvable, fully-qualified domain names (FQDNs) are permitted
     *   when domain names are used in SMTP.  In other words, names that can
     *   be resolved to MX RRs or address (i.e., A or AAAA) RRs (as discussed
     *   in Section 5) are permitted, as are CNAME RRs whose targets can be
     *   resolved, in turn, to MX or address RRs.  Local nicknames or
     *   unqualified names MUST NOT be used.
up
4
Clifton
3 years ago
FILTER_VALIDATE_EMAIL does NOT allow incomplete e-mail addresses to be validated as mentioned by Tomas.

Using the following code:

<?php
$email
= "clifton@example"; //Note the .com missing
echo "PHP Version: ".phpversion().'<br>';
if(
filter_var($email, FILTER_VALIDATE_EMAIL)){
    echo
$email.'<br>';
   
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}else{
   
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));   
}
?>

Returns:
PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.
bool(false)

While the following code:

<?php
$email
= "clifton@example.com"; //Note the .com added
echo "PHP Version: ".phpversion().'<br>';
if(
filter_var($email, FILTER_VALIDATE_EMAIL)){
    echo
$email.'<br>';
   
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}else{
   
var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));   
}
?>

Returns:
PHP Version: 5.2.14 //On MY server, may be different depending on which version you have installed.
clifton@example.com
string(16) "clifton@example.com"

This feature is only available for PHP Versions (PHP 5 >= 5.2.0) according to documentation. So make sure your version is correct.

Cheers,
Clifton
up
-1
Tom
2 years ago
Be aware!

In contrary to what the docs say (at least in PHP 5.3.1), this line:

$value = filter_var(FALSE, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);

Will return NULL - not false. In other words: a boolean FALSE is not considered a valid boolean value by this function.

Also:

$value = filter_var("", FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);

Will also return NULL - no matter what the docs say. So (string) FALSE is not considered a valid boolean input either.

Thus be aware the that correct usage/workaround for this filter is:

if (!is_bool($value)) {
    $value= filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
}

For those of you who feel this is counterintuitive, note that there is an issue filed for this in the bug-tracker.
So you might want to follow the discussion there or vote for issue #49510.
up
-4
php at sethsyberg dot com
3 years ago
When validating floats, you must use the Identical/Not identical operators for proper validation of zeros:

This will not work as expected:
<?php
$x
= 0;
if (!
filter_var($x, FILTER_VALIDATE_FLOAT)) {
    echo
"$x is a valid float";
} else {
    echo
"$x is NOT a valid float";
}
?>

This will work as expected:
<?php
$x
= 0;
if (
filter_var($x, FILTER_VALIDATE_FLOAT)!== false) {
    echo
"$x is a valid float";
} else {
    echo
"$x is NOT a valid float";
}
?>
up
-6
chastell at chastell dot net
3 years ago
example@example is a perfectly valid email address – I use chastell@localhost and chastell@devielle (my computer’s name) email addresses all the time and they get delivered just fine.
up
-5
Griff
3 years ago
<< FILTER_VALIDATE_EMAIL allows incomplete e-mail addresses to be validated, for examle john@gmail will validate as a proper e-mail address >>

"Plain" hostnames with no dots are valid in email addresses -
for example, "me@localhost".
To Top