The difference between FILTER_SANITIZE_* and FILTER_VALIDATE_* is that the first attempts to 'convert' an entry into a specific 'secure' format using very specific rules. This modification does not guarantee a valid output. The second one checks whether the entry matches the established pattern (int, e-mail, ip, etc.).
It is important to consult the documentation before using these constants with their functions, as your treatment criteria may be totally different from those provided by the language; see the examples below.
FILTER_SANITIZE_NUMBER_INT
Tries to convert a string into a number, but the rule used is literally loose: it removes all non-numeric characters (0-9) except for +, - and ., which are required to represent negative or fractional numbers. In other words, there is a great chance of a false positive. FILTER_SANITIZE_NUMBER_INT is a less restrictive version of the cast:
$id = (int) $_GET['id'];
Let's say a bank record should be changed, but first let's validate the user's input.
$id = '-aaa3';
$id = filter_var($id, FILTER_SANITIZE_NUMBER_INT); //-3
$id2 = '-++';
$id2 = filter_var($id2, FILTER_SANITIZE_NUMBER_INT); //-++ (only digits, + and - survive, so the garbage is kept)
The output is -3 when a conversion failure should have been returned.
FILTER_VALIDATE_INT
Checks whether the string is a valid integer (otherwise it returns false, i.e. it fails); the + and - symbols are only allowed at the beginning.
$id = '3-';
$id = filter_var($id, FILTER_VALIDATE_INT); //false
$id = '-3';
$id = filter_var($id, FILTER_VALIDATE_INT); //-3
Code Review
The code in the question may start from a wrong premise and pass an incorrect result forward. For example, the entry 4@2 is not a valid integer; by applying FILTER_SANITIZE_NUMBER_INT the @ will be removed, now making the entry a valid integer (42). The return of the function will be true, but will this 42 cause any problems ahead?
The major problems with validating an integer are: do not let PHP take just the numeric part of the string, to avoid generating false positives, and check whether the input is composed only of numbers (0-9) or (+) signs.
is_integer() is an alias of is_int(); this function checks whether the type of the variable is int, otherwise it returns false. A valid string returns false, and if any conversion is done there is the problem of just getting the numeric part.
The most suitable and rigid in this case is ctype_digit(). The function forces a string to be passed, and if it is made up of only numbers (0-9) it returns true.
ctype_digit() has a drawback. If an integer in the range of -128 to 255 is passed, it will be interpreted as an ASCII code, or false will be returned. However, there is a curious way of converting an entry into a string, which is to put that value or variable in double quotation marks.
$id = 255;
var_dump(ctype_digit("$id")); //true
var_dump(ctype_digit($id)); //false
Related:
Why is the expression "2 + '6 apples'" equal to 8?
Is "1 ----- 1 - + - 1" a valid integer value in PHP?
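To see the sanitize/validate difference side by side on the inputs discussed in this answer, here is an added example (not code from the original answer). It runs the same strings through FILTER_SANITIZE_NUMBER_INT, FILTER_VALIDATE_INT and ctype_digit(), and wraps the strict checks in two hypothetical helpers, strictId() and unsignedId(), which assume a record id must be a positive integer.

```php
<?php
// Added example, not part of the original answer: contrast sanitize vs
// validate on the strings from the answer and show a strict id check.
declare(strict_types=1);

/**
 * Hypothetical helper: accept the raw input only when it is strictly a
 * decimal integer >= 1 ('42'); '4@2', '3-', '-3', '' and '-++' are rejected.
 * FILTER_VALIDATE_INT never strips characters, so junk cannot be "cleaned"
 * into a valid id; min_range (assumed policy) rejects zero and negatives.
 */
function strictId(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

/**
 * Hypothetical helper using ctype_digit(): only unsigned digit strings pass,
 * and the cast happens once, after the check, so no "numeric prefix" is taken.
 * The input is always a string here, so the -128..255 ASCII drawback does
 * not apply.
 */
function unsignedId(string $raw): ?int
{
    return ctype_digit($raw) ? (int) $raw : null;
}

// Constructed sample inputs: the ones from the answer plus a few edge cases.
$inputs = ['4@2', '-aaa3', '-++', '3-', '-3', '42', '+7', '', '255'];

foreach ($inputs as $raw) {
    // Sanitizing keeps digits, + and -; it silently "repairs" '4@2' into '42'.
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    // Validating returns the int or false; no characters are removed.
    $validated = filter_var($raw, FILTER_VALIDATE_INT);

    printf(
        "%-8s sanitize=%-8s validate=%-6s strictId=%-5s unsignedId=%s\n",
        var_export($raw, true),
        var_export($sanitized, true),
        var_export($validated, true),
        var_export(strictId($raw), true),
        var_export(unsignedId($raw), true)
    );
}
```

The row for '4@2' is the one the code review above warns about: sanitize yields '42', while validate and both helpers reject it.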