
PHP Build a Basic PHP Website (2018) Adding a Basic Form Validating Form Data

James Barrett
13,253 Points

So what exactly does filter_input do?

Not sure what exactly this function is doing to the variables. I understand it is for validation against malicious spammers - but how is it stopping them?

3 Answers

Murat Hasdemir
Front End Web Development Techdegree Graduate 20,968 Points

The filter_input method strips a variable to its core. You can see it like this:

            <?php
            // Constructed sample input, as it might arrive from the form
            $_POST["email"] = "    someone%someone.com    ";

            // trim() removes the leading and trailing whitespace;
            // filter_var() with FILTER_SANITIZE_EMAIL strips characters that are not allowed in an address
            $email = trim(filter_var($_POST["email"], FILTER_SANITIZE_EMAIL));

The trim function takes the white space off the start and end, so after trim $email = "someone%someone.com"; and filter_var checks whether the variable is in the right syntax, so it should look something like "abc@def.com"; when it sees "%" instead of "@" it flags the variable as false.

For integers it strips all a-z and punctuation from the variable;
for strings it strips all special characters used in PHP programming like " ' $ . * / : etc.

And before that course ends you will see cross-site scripting and understand why this method is a good way to start.
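As an added example (not code from the course or from anyone in this thread), the following PHP contrasts the sanitize filters described above with their validate counterparts: a sanitize filter only strips characters and hands back whatever is left, while a validate filter returns false for anything that is not in the expected form. The inputs are constructed; in a live request the same filters are applied with filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL), which reads the raw request data directly rather than $_POST.

```php
<?php
// Added example: sanitize filters (strip characters) versus validate filters
// (accept or reject). All inputs below are constructed, not real form data.

function sanitizedEmail(string $raw): string
{
    // Removes whitespace and any character that may not appear in an address.
    // Whatever remains is returned as-is, even if it is not a usable address.
    return trim(filter_var($raw, FILTER_SANITIZE_EMAIL));
}

function isValidEmail(string $raw): bool
{
    // filter_var returns the address on success and false on failure;
    // it never "repairs" the value.
    return filter_var(trim($raw), FILTER_VALIDATE_EMAIL) !== false;
}

function sanitizedInt(string $raw): string
{
    // Keeps only digits, plus and minus signs.
    return filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
}

function isValidInt(string $raw): bool
{
    // Rejects anything that is not a whole number in integer form.
    return filter_var(trim($raw), FILTER_VALIDATE_INT) !== false;
}

// Constructed form values, as a browser (or a bot) might submit them.
$emails  = ["    someone%someone.com    ", "user@example.com<script>", "user@example.com"];
$numbers = ["12abc34", "42", "4.2"];

foreach ($emails as $raw) {
    printf("%-32s sanitize => %-26s validate => %s\n",
        var_export($raw, true), sanitizedEmail($raw), isValidEmail($raw) ? 'ok' : 'rejected');
}
foreach ($numbers as $raw) {
    printf("%-10s sanitize => %-6s validate => %s\n",
        var_export($raw, true), sanitizedInt($raw), isValidInt($raw) ? 'ok' : 'rejected');
}
```

Run it with php on the command line and compare the two columns: the sanitized string still contains the "%" from the first address and the digits from "12abc34", so a form handler should validate first and reject on false rather than trusting the stripped value, and it still needs prepared statements for any database query built from that value.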

So filter_input's purpose is to strip down a variable to its core, not to prevent attacks. Am I right?

Murat Hasdemir
Front End Web Development Techdegree Graduate 20,968 Points

Shafeeq, it actually prevents. You can think of it as a lock and key: if the lock is crafted well, only a special key can open it, and the system works like that in filter_var(); it is a key which changes a string to only a string, or an integer to only an integer. Most of the time this change can save you from too much headache, like basic SQL injections. On the other hand, I have to say there are too many types of attacks out there; some can be deflected by this, some need more knowledge of programming, but to be honest filter_var cannot be a solution on its own. Using the right permission for the right processes is one more important thing, like don't use write and read permissions on the same database user (to make things clear, the database user is the part of the program which is a middle man between your human user and the database; you will understand it once you are using databases).

And lastly, security in programming is a fully developed industry, but if you need more information (and want to get more paranoid about security) you can read or listen about SQL injections.

Andrew G
7,541 Points

This kind of validation certainly helps and is a first line of defense, but to be more foolproof, techniques such as a Web Application Firewall, server configuration, a properly configured .htaccess file, and even a secure CDN/proxy that can run a JS challenge (for specific IP addresses or locations) to verify that a client is accessing your site via a browser will be most effective.