
You may have noticed that I mentioned in one of my previous articles that PHP's biggest weakness lies in its simplicity. But don't for one second get me wrong: I am a PHP developer, and I will be until the day I die. There is good code, and there is bad code. This article will show you how to make sure your input handling falls into the good category.
Perhaps some of the most amusing discussions I have seen in developer forums are the ones debating whether PHP is a "REAL" programming language or not. Apparently PHP will never have the power of Java, because PHP is a loosely typed language. Well, yes. What you do need to remember, though, is that PHP was never designed to be a clone of Java. PHP is not a long-running process. It runs for a fraction of a second, while the page is being built, and then it stops. That is it. This is why PHP has things like GET, POST and SESSION: in a stateless request-response model you need to carry information from one page to the next. So PHP does what it was designed to do. The point I'm trying to make is that yes, PHP is a loosely typed language, IF YOU CODE IT TO BE LIKE THAT. It is up to the person designing and implementing the system to decide from the beginning whether it is going to be done properly or not. The same applies to your validation techniques.
Validation is perhaps the most important thing you can do on a website. Failing to validate absolutely every part of your website or application that takes input from a user is probably the most common mistake you can make. I know from my own experience that validation can be a pain. Usually a sprawling SWITCH statement starts to take shape in my mind whenever someone starts talking about validation. If that is happening to you right now, sit back and relax: PHP has built-in validation functions ready for you to use.
PHP Filters are an extension of PHP that help you to easily, and reliably, validate variables and strings. Keep in mind what they do and do not do: a filter tells you whether a value has the shape you expect, so you can reject bad input early; it does not make a dangerous sink safe. The real fix for the two snippets below is to stop building file paths and SQL queries out of user input at all. With filters in your toolbox you will hopefully never have something like this happening again:
<?php

// Deliberately unsafe: the user chooses which file is executed (local or
// remote file inclusion).
include($_GET['filename']);

?>
or, even worse,
<?php

// Deliberately unsafe: the POST value is interpolated straight into the SQL
// text (SQL injection). The mysql_* functions themselves were removed in
// PHP 7; use PDO or mysqli with prepared statements instead.
mysql_query("INSERT INTO table (field) VALUES ({$_POST['value']})");

?>
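Here is how the two snippets above look once they are fixed. This is an added example, not code from the original article: it assumes PHP 8 with the pdo_sqlite extension, and the page allow-list (PAGES), the items table and the resolve_page()/insert_value() helpers are all made up for the illustration. The point is that filter_var() does the early rejection, but the thing that actually closes the hole is the safe sink: an allow-list lookup instead of include($_GET[...]), and a bound parameter instead of string building.

```php
<?php
// Added example (not from the original article): the two unsafe snippets,
// rewritten so untrusted input never reaches the sink unchecked.
// Assumes PHP 8 and the pdo_sqlite extension; PAGES and the items table
// are hypothetical.

declare(strict_types=1);

// 1. include($_GET['filename']) -> map a validated key onto a fixed allow-list.
//    The allow-list is the real control; the filter just rejects junk early.
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

function resolve_page(?string $requested): string
{
    // Only a short lowercase key is ever valid; anything else fails closed.
    $key = filter_var($requested, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z-]{1,32}$/']]);
    if ($key === false || !isset(PAGES[$key])) {
        return PAGES['home'];        // fall back; never include user input
    }
    return PAGES[$key];
}

// 2. mysql_query("... VALUES ({$_POST['value']})") -> validate the type you
//    expect, then bind it as a parameter so the database never parses it as SQL.
function insert_value(PDO $db, mixed $raw): bool
{
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($value === false) {
        return false;                // reject; do not "clean up" and continue
    }
    $stmt = $db->prepare('INSERT INTO items (field) VALUES (:v)');
    $stmt->bindValue(':v', $value, PDO::PARAM_INT);
    return $stmt->execute();
}

// Demonstration with constructed input (no real request, in-memory database).
echo resolve_page('about'), "\n";
echo resolve_page('../../etc/passwd'), "\n";   // not in the allow-list: falls back to home

$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, field INTEGER)');
var_dump(insert_value($db, '42'));                        // accepted and bound
var_dump(insert_value($db, '1); DROP TABLE items; --'));  // rejected by the filter
```

Notice that insert_value() would still be safe without the filter, because the bound integer parameter cannot change the query; the filter's job is to reject junk with a clear error instead of letting it reach the database at all. resolve_page(), on the other hand, depends entirely on the allow-list: a regular expression on its own would not stop a request for a file you never meant to expose.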
Filtering Variables
To use the filter extension to filter variables, you use the filter_var() function. Let us try to validate the following as an integer, for example.
$variable = 1122;

echo filter_var($variable, FILTER_VALIDATE_INT);
The result of the code is that "1122" is echoed, because the value was found to be an integer: filter_var() returns the validated value (as a PHP int, even when the input was a string) on success. If the value entered were "a344", nothing would be printed, because the validation failed and filter_var() returned false, which echoes as an empty string. In real code, do not rely on that: test the return value with === false, because 0 is a perfectly valid integer and a loose check would throw it away too.
OK, I see you saying that is a pretty neat trick and all that. But there's more. Let's say we want to make sure our variable is an integer and lies between 5 and 10 inclusive. How would we do that?
<?php

$variable = 6;
$minimum_value = 5;
$maximum_value = 10;

echo filter_var($variable, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$minimum_value, "max_range"=>$maximum_value)));
?>
So, should the variable be within the limits, as it is in the above example, the number 6 will be echoed onto the screen. Both bounds are inclusive: 5 and 10 pass, while 4 and 11 make filter_var() return false.
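To see exactly what FILTER_VALIDATE_INT returns for the kind of values a query string actually delivers, here is an added example that is not from the original article. It wraps the range check from above in a small helper (validate_int_in_range(), a hypothetical name) that turns the false-on-failure convention into null, and runs it over a set of constructed inputs; it assumes PHP 8.

```php
<?php
// Added example (not from the original article): what FILTER_VALIDATE_INT
// returns for realistic request values, and the check you must not skip.
// Assumes PHP 8; validate_int_in_range() is a hypothetical helper.

declare(strict_types=1);

function validate_int_in_range(mixed $raw, int $min, int $max): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    // filter_var() returns the integer on success and false on failure.
    // A loose test such as `if (!$value)` would also reject a legitimate 0,
    // so always compare with === false and keep the two outcomes apart.
    return $value === false ? null : $value;
}

// Constructed inputs covering what a form or query string will send.
// Request values arrive as strings, so most of these are strings.
$cases = [
    6,          // a native int
    '6',        // a numeric string
    ' 6 ',      // surrounding whitespace is trimmed before validation
    '0',        // a valid integer, but below min_range here
    '10',       // max_range is inclusive
    '11',       // above max_range
    '6.0',      // a float literal is not an integer
    '0x1A',     // hex is only accepted with FILTER_FLAG_ALLOW_HEX
    'a344',     // garbage
    '',         // empty field
];

foreach ($cases as $raw) {
    var_dump(validate_int_in_range($raw, 5, 10));
}
```

Run it and only the first three inputs and '10' come back as integers; everything else is null. When the value comes from a real request, filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT, $options) does the same work and additionally returns null when the parameter is absent, so missing and invalid stay distinguishable.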
PHP also provides a way of checking float values. Be precise about what it checks: FILTER_VALIDATE_FLOAT tells you the value is a well-formed floating-point number, so "1e3", "-5" and ".5" all pass. It does not check the number of decimal places, so those of us building shopping carts who need exactly two decimals still have to enforce that separately. The example below will echo "31.53 is a valid floating point number".
<?php

$num = 31.53;

if(filter_var($num, FILTER_VALIDATE_FLOAT) === false)
{
	echo $num." is not valid!";
}
else
{
    echo $num." is a valid floating point number";
}

?>
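For the shopping-cart case, here is an added example (not from the original article) of what "a valid price" has to mean in practice: pass FILTER_VALIDATE_FLOAT, then pass a stricter shape check, then convert to integer cents without floating-point arithmetic. The helper name parse_price_to_cents() and the sample inputs are made up; it assumes PHP 8.

```php
<?php
// Added example (not from the original article): validating a money amount.
// FILTER_VALIDATE_FLOAT is necessary but not sufficient for a price field.
// Assumes PHP 8; parse_price_to_cents() is a hypothetical helper.

declare(strict_types=1);

function parse_price_to_cents(string $raw): ?int
{
    $s = trim($raw);

    // Step 1: is it a float at all? This alone also accepts '1e3', '-5'
    // and '.5', which is why step 2 exists.
    if (filter_var($s, FILTER_VALIDATE_FLOAT) === false) {
        return null;
    }

    // Step 2: the shape we actually want: non-negative, at most nine digits
    // before the point, exactly two after it. Done as a second filter so
    // both checks read the same way.
    $shape = filter_var($s, FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^\d{1,9}\.\d{2}$/']]);
    if ($shape === false) {
        return null;
    }

    // Step 3: convert with integer arithmetic. (int)(floatval($s) * 100) can
    // truncate to one cent less on IEEE doubles: (int)(4.35 * 100) is 434.
    [$whole, $frac] = explode('.', $s);
    return (int) $whole * 100 + (int) $frac;
}

// Constructed inputs; only the well-formed two-decimal amounts are accepted.
$samples = [
    '31.53',     // accepted
    ' 0.99 ',    // accepted after trim
    '31.5',      // one decimal place
    '1e3',       // valid float, wrong shape
    '-4.00',     // negative
    '12,50',     // comma: not a float without FILTER_FLAG_ALLOW_THOUSAND
    'abc',
];
foreach ($samples as $raw) {
    var_dump(parse_price_to_cents($raw));
}
```

Storing and computing in integer cents is the design choice that matters here: once the value is an int, totals, tax and rounding are exact, and the filter only had to guarantee that the string really was "digits, a point, two digits".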
Ever tried to validate a URL? If not, it's best that you read RFC 1738, Uniform Resource Locators (URL), first, then open up your PHP text editor and write a class that implements its many pages of grammar, right?

Well, no. Actually PHP can do this for you with the URL filter.
<?php

$url = "http://www.somewebsite.domain";

if(filter_var($url, FILTER_VALIDATE_URL) === FALSE)
{
	echo $url." is not a valid URL<br />";
}
else
{
	echo  $url." is a valid URL<br />";
}

?>
"http://www.somewebsite.domain is a valid URL" is the response I get. Remember that this is a syntax check only: FILTER_VALIDATE_URL does not restrict the scheme to http or https, does not check that the host exists or resolves, and only accepts ASCII URLs (internationalized domain names fail). Flags such as FILTER_FLAG_PATH_REQUIRED and FILTER_FLAG_QUERY_REQUIRED tighten the syntax check, but what you accept beyond that is still your decision.
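The case where this matters most is a URL your own server will later fetch (a webhook, an avatar URL, a link preview). Here is an added example, not from the original article, that layers the checks a practitioner wants on top of FILTER_VALIDATE_URL: a scheme allow-list, no embedded credentials, and a refusal of private and reserved IP literals. It assumes PHP 8; validate_fetch_url() and ALLOWED_SCHEMES are hypothetical names.

```php
<?php
// Added example (not from the original article): FILTER_VALIDATE_URL checks
// syntax only. A URL the server will request itself needs further gates.
// Assumes PHP 8; validate_fetch_url() and ALLOWED_SCHEMES are hypothetical.

declare(strict_types=1);

const ALLOWED_SCHEMES = ['http', 'https'];

function validate_fetch_url(string $raw): ?string
{
    // Gate 1: syntactically a URL, and one that has a path component.
    $url = filter_var($raw, FILTER_VALIDATE_URL, FILTER_FLAG_PATH_REQUIRED);
    if ($url === false) {
        return null;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // Gate 2: only schemes we will actually fetch (no ftp:, file:, gopher:).
    if (!in_array(strtolower($parts['scheme']), ALLOWED_SCHEMES, true)) {
        return null;
    }

    // Gate 3: no credentials in the URL (user:pass@host is a common trick).
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // Gate 4: if the host is an IP literal, refuse private and reserved
    // ranges. parse_url() keeps the brackets on IPv6 literals, so strip them.
    // A hostname still has to be resolved and re-checked at fetch time;
    // this is only the cheap first gate.
    $host = trim($parts['host'], '[]');
    if (filter_var($host, FILTER_VALIDATE_IP) !== false
        && filter_var($host, FILTER_VALIDATE_IP,
               FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        return null;
    }

    return $url;
}

// Constructed inputs; only the first one passes every gate.
$samples = [
    'http://www.somewebsite.domain/',
    'http://www.somewebsite.domain',     // no path
    'ftp://files.example.com/a.txt',     // scheme not allowed
    'http://admin:pw@example.com/',      // credentials
    'http://127.0.0.1/admin',            // loopback (reserved range)
    'http://10.0.0.5/',                  // private range
    'http://[::1]/',                     // IPv6 loopback
    'javascript:alert(1)',               // not a fetchable URL
];
foreach ($samples as $raw) {
    var_dump(validate_fetch_url($raw));
}
```

The ordering is deliberate: the cheap syntactic filter runs first, and each later gate only has to reason about a value that is already known to be a well-formed URL.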
Now on to something that used to irritate me to no end: email address validation. It's one of those things you need to check against a regular expression, right? Wrong. PHP's FILTER_VALIDATE_EMAIL does that in a simple way, without even breaking a sweat. Here goes:
<?php

$email = "marc@somehost.com";

if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE)
{
	echo $email." is invalid";
}
else
{
	echo $email." is valid";
}

?>
Now don't you think that is worth it on its own? Email validation can be a major headache, especially for beginners, so in my opinion this is a small blessing. Just be clear about what it proves: the address is syntactically valid. It does not prove that the domain exists or that anyone reads the mailbox; the only reliable check for that is sending a confirmation message to it.
But there's more. Let's run through a few things. Need to remove HTML tags from a string? How about this:
<?php

$string = "<p>text</p>";

echo filter_var($string, FILTER_SANITIZE_STRING);

?>
The result is that it will simply echo "text" without the tags. Two things to know before you lean on this. First, FILTER_SANITIZE_STRING does more than strip tags: by default it also encodes single and double quotes (FILTER_FLAG_NO_ENCODE_QUOTES turns that off), so the stored value is no longer what the user typed. Second, it has been deprecated since PHP 8.1; strip_tags() does the tag removal on its own. Either way, sanitising input is not a substitute for escaping output: whatever you store, run it through htmlspecialchars() at the point where it goes into an HTML page.
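Putting the email check and the sanitising step together, here is an added example (not from the original article) of validating a whole form with one filter definition through filter_var_array(), keeping "missing" and "invalid" distinct, using strip_tags() via FILTER_CALLBACK in place of the deprecated FILTER_SANITIZE_STRING, and escaping at output time. It assumes PHP 8; the field names, SIGNUP_FILTERS and validate_signup() are made up for the illustration.

```php
<?php
// Added example (not from the original article): one filter definition for a
// whole form, applied with filter_var_array(), plus escaping on output.
// Assumes PHP 8; the field names and helpers are hypothetical.

declare(strict_types=1);

// One entry per field. The same definition works unchanged with
// filter_input_array(INPUT_POST, SIGNUP_FILTERS) on a real request.
const SIGNUP_FILTERS = [
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 13, 'max_range' => 120]],
    'email'   => FILTER_VALIDATE_EMAIL,
    'website' => ['filter' => FILTER_VALIDATE_URL,
                  'flags'  => FILTER_FLAG_PATH_REQUIRED],   // optional field
    'bio'     => ['filter'  => FILTER_CALLBACK,
                  'options' => 'strip_tags'],              // instead of FILTER_SANITIZE_STRING
];

function validate_signup(array $post): array
{
    // With the default add_empty=true, a missing key comes back as null and
    // a failed validation as false. Keep the two outcomes apart.
    $values = filter_var_array($post, SIGNUP_FILTERS);
    $errors = [];

    foreach (['age', 'email'] as $required) {
        if ($values[$required] === null || $values[$required] === false) {
            $errors[$required] = 'missing or invalid';
        }
    }
    if ($values['website'] === false) {          // null (absent) is fine here
        $errors['website'] = 'invalid URL';
    }

    // Sanitising is not escaping: strip_tags() removed markup for storage,
    // but the value is still escaped where it is placed into an HTML page.
    $values['bio_html'] = htmlspecialchars(
        (string) ($values['bio'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return ['ok' => $errors === [], 'errors' => $errors, 'values' => $values];
}

// Constructed POST body, not a real request.
$post = [
    'age'     => '17',
    'email'   => 'marc@somehost.com',
    'website' => 'not a url',
    'bio'     => '<p>text</p> & <script>alert(1)</script>',
];
var_dump(validate_signup($post));
```

In this run age and email validate, website is reported as invalid, and bio is reduced to plain text by strip_tags() and then entity-encoded for the page; the result array carries both the stored form and the display form so the two are never confused.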
Conclusion
What we have looked at here are a few examples of what we can do with PHP FILTERS. Of course it is important to validate your input; we ALL know that. But actually doing it is another story. I suppose that this just gives you, the coder, whether you are a novice or an expert, a way of being sure something is being done to help your code on its journey from bad coding to good coding. May your code be the best that it can be!
Until next time,

Marc Steven Plotz