Php/docs/filter.filters.sanitize

PHP Manual
Types of filters
Sanitize filters

Sanitize filters

**List of filters for sanitization**
ID	Name	Flags	Description
`FILTER_SANITIZE_EMAIL`	"email"		Remove all characters except letters, digits and !#$%&'*+-=?^_`{\|}~@.[].
`FILTER_SANITIZE_ENCODED`	"encoded"	`FILTER_FLAG_STRIP_LOW`, `FILTER_FLAG_STRIP_HIGH`, `FILTER_FLAG_STRIP_BACKTICK`, `FILTER_FLAG_ENCODE_LOW`, `FILTER_FLAG_ENCODE_HIGH`	URL-encode string, optionally strip or encode special characters.
`FILTER_SANITIZE_MAGIC_QUOTES`	"magic_quotes"		Apply addslashes().
`FILTER_SANITIZE_NUMBER_FLOAT`	"number_float"	`FILTER_FLAG_ALLOW_FRACTION`, `FILTER_FLAG_ALLOW_THOUSAND`, `FILTER_FLAG_ALLOW_SCIENTIFIC`	Remove all characters except digits, `+-` and optionally `.,eE`.
`FILTER_SANITIZE_NUMBER_INT`	"number_int"		Remove all characters except digits, plus and minus sign.
`FILTER_SANITIZE_SPECIAL_CHARS`	"special_chars"	`FILTER_FLAG_STRIP_LOW`, `FILTER_FLAG_STRIP_HIGH`, `FILTER_FLAG_STRIP_BACKTICK`, `FILTER_FLAG_ENCODE_HIGH`	HTML-escape `'"<>&` and characters with ASCII value less than 32, optionally strip or encode other special characters.
`FILTER_SANITIZE_FULL_SPECIAL_CHARS`	"full_special_chars"	`FILTER_FLAG_NO_ENCODE_QUOTES`,	Equivalent to calling htmlspecialchars() with `ENT_QUOTES` set. Encoding quotes can be disabled by setting `FILTER_FLAG_NO_ENCODE_QUOTES`. Like htmlspecialchars(), this filter is aware of the default_charset and if a sequence of bytes is detected that makes up an invalid character in the current character set then the entire string is rejected resulting in a 0-length string. When using this filter as a default filter, see the warning below about setting the default flags to 0.
`FILTER_SANITIZE_STRING`	"string"	`FILTER_FLAG_NO_ENCODE_QUOTES`, `FILTER_FLAG_STRIP_LOW`, `FILTER_FLAG_STRIP_HIGH`, `FILTER_FLAG_STRIP_BACKTICK`, `FILTER_FLAG_ENCODE_LOW`, `FILTER_FLAG_ENCODE_HIGH`, `FILTER_FLAG_ENCODE_AMP`	Strip tags, optionally strip or encode special characters.
`FILTER_SANITIZE_STRIPPED`	"stripped"		Alias of "string" filter.
`FILTER_SANITIZE_URL`	"url"		Remove all characters except letters, digits and $-_.+!*'(),{}\|\\^~[]`<>#%";/?:@&=.
`FILTER_UNSAFE_RAW`	"unsafe_raw"	`FILTER_FLAG_STRIP_LOW`, `FILTER_FLAG_STRIP_HIGH`, `FILTER_FLAG_STRIP_BACKTICK`, `FILTER_FLAG_ENCODE_LOW`, `FILTER_FLAG_ENCODE_HIGH`, `FILTER_FLAG_ENCODE_AMP`	Do nothing, optionally strip or encode special characters. This filter is also aliased to `FILTER_DEFAULT`.

Warning When using one of these filters as a default filter either through your ini file or through your web server's configuration, the default flags is set to FILTER_FLAG_NO_ENCODE_QUOTES. You need to explicitly set filter.default_flags to 0 to have quotes encoded by default. Like this:

Example #1 Configuring the default filter to act like htmlspecialchars

filter.default = full_special_charsfilter.default_flags = 0

Changelog

Version	Description
5.2.11/5.3.1	Slashes (`/`) are removed by `FILTER_SANITIZE_EMAIL`. Prior they were retained.