PHP filter_input_array: How to Clean and Validate Input

The filter_input_array() function filters multiple inputs in PHP at once. It helps you clean and validate data.

Understand the filter_input_array Function

The filter_input_array() function in PHP filters multiple inputs from GET, POST, COOKIE, SERVER, or ENV.

It applies validation and sanitization rules to each input based on a provided filter.

This function helps clean user data and reduce security risks like XSS and SQL injection. It also simplifies input handling when you process multiple variables at once.

The syntax for filter_input_array() in PHP:

filter_input_array($type, $options, $add_empty)

Here are the parameters:

  • $type – The input type (INPUT_GET, INPUT_POST, INPUT_COOKIE, INPUT_SERVER, INPUT_ENV).
  • $options – An array of filters or a single filter for all inputs.
  • $add_empty – If true, missing keys return null. If false, missing keys are removed.

It returns:

  • An array of filtered values.
  • false if the input type is invalid.
  • null if no variables match.

Here is an example:

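$options = [
    // FILTER_SANITIZE_STRING strips tags; it is deprecated as of PHP 8.1.
    'name'  => FILTER_SANITIZE_STRING,
    // Validation filters return the value on success and false on failure.
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => [
        'filter' => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 100]
    ]
];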

$input = filter_input_array(INPUT_POST, $options);

if ($input) {
    print_r($input);
} else {
    echo "Invalid input.";
}

Output:

Invalid input.

Here is how it works:

  • name is sanitized to remove unwanted characters.
  • email is validated as a proper email format.
  • age is validated as an integer within 18-100.
  • The function processes all inputs at once and reduces manual validation.

The Difference Between filter_input_array() and filter_var_array() in PHP

Here is a table that shows you the difference between them:

| Feature | filter_input_array() | filter_var_array() |
|---|---|---|
| Source of Data | Fetches and filters input directly from $_GET, $_POST, $_COOKIE, etc. | Filters an existing array of data. |
| Usage | Used when retrieving and filtering user input. | Used when filtering data already stored in a variable. |
| Input Types | Requires an input type (INPUT_GET, INPUT_POST, etc.). | Works with any associative array. |
| Security | Helps prevent using untrusted global variables. | Requires manual handling of input sources. |
| Example | filter_input_array(INPUT_POST, $filters); | filter_var_array($data, $filters); |

Example for filter_input_array function:

$options = [
    'name'  => FILTER_SANITIZE_STRING,
    'email' => FILTER_VALIDATE_EMAIL
];

$input = filter_input_array(INPUT_POST, $options);

Example for filter_var_array function:

$data = ['name' => '<h1>John</h1>', 'email' => 'invalid-email'];
$options = [
    'name'  => FILTER_SANITIZE_STRING,
    'email' => FILTER_VALIDATE_EMAIL
];

$filtered = filter_var_array($data, $options);

print_r($filtered);

Output:

Array
(
    [name] => John
    [email] =>
)

Use filter_input_array() if you need to fetch and filter input directly from user requests. Use filter_var_array() when you need to filter an existing array of data.

Custom filter_input_array in PHP

You can apply your own filtering logic in filter_input_array() with the FILTER_CALLBACK filter. It passes the input value to a function that you write.

For example:

function sanitize_name($value) {
    // Keep only ASCII letters and whitespace; drop every other character.
    return preg_replace("/[^a-zA-Z\s]/", "", $value);
}

$options = [
    'name'  => ['filter' => FILTER_CALLBACK, 'options' => 'sanitize_name'],
    'email' => FILTER_VALIDATE_EMAIL,
    'age'   => [
        'filter' => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 100]
    ]
];

$input = filter_input_array(INPUT_POST, $options);

if ($input) {
    print_r($input);
} else {
    echo "Invalid input.";
}

Output:

Invalid input.

Here is how it works:

  • The sanitize_name() function removes special characters from names.
  • FILTER_CALLBACK allows you to use a custom function for filtering.
  • FILTER_VALIDATE_EMAIL and FILTER_VALIDATE_INT handle validation for email and age.
  • filter_input_array() applies these rules to $_POST data.

How to Handle Input Fields within filter_input_array in PHP

filter_input_array() helps you to validate and sanitize multiple input fields at once. Follow these steps to handle input fields safely.

Here is how to define the rules of filtration:

$options = [
    'username' => FILTER_SANITIZE_STRING,  
    'email'    => FILTER_VALIDATE_EMAIL,  
    'age'      => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 100]
    ],
    'bio'      => FILTER_SANITIZE_FULL_SPECIAL_CHARS 
];

Use filter_input_array() to get and filter input:

$input = filter_input_array(INPUT_POST, $options);

Handle validation results:

if ($input) {
    if (!$input['email']) {
        echo "Invalid email.";
    } elseif (!$input['age']) {
        echo "Age must be between 18 and 100.";
    } else {
        print_r($input); // Process valid input
    }
} else {
    echo "No valid input received.";
}

Here is the output:

No valid input received.
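
The steps above as one script that runs without a web request, added here as an example and not code from the original article. It separates a missing field (null) from a failed validation (false) rather than testing only for truthiness, and shows that a validated value still needs encoding at output. check_username(), SIGNUP_FILTERS, check_signup() and the sample submissions are constructed for illustration.

```php
<?php
// Added example: arrays stand in for $_POST, filter_var_array() for filter_input_array().

// Hypothetical validator: reject a bad username instead of rewriting it.
function check_username($value)
{
    return preg_match('/^[A-Za-z][A-Za-z0-9_]{2,31}$/D', $value) ? $value : false;
}

const SIGNUP_FILTERS = [
    'username' => ['filter' => FILTER_CALLBACK, 'options' => 'check_username'],
    'email'    => FILTER_VALIDATE_EMAIL,
    'age'      => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 18, 'max_range' => 100],
    ],
];

function check_signup(array $raw): array
{
    // Third argument true: keys absent from the input come back as null.
    $filtered = filter_var_array($raw, SIGNUP_FILTERS, true);
    $errors = [];
    foreach ($filtered as $field => $value) {
        if ($value === null) {
            $errors[$field] = 'missing';
        } elseif ($value === false) {
            $errors[$field] = 'invalid';
        }
    }
    return ['values' => $errors ? null : $filtered, 'errors' => $errors];
}

// Constructed sample submissions.
$samples = [
    'valid'        => ['username' => 'pat_ob', 'email' => "o'brien@example.com", 'age' => '42'],
    'missing mail' => ['username' => 'pat_ob', 'age' => '42'],
    'bad fields'   => ['username' => '<b>pat</b>', 'email' => 'not-an-email', 'age' => '17'],
];

foreach ($samples as $label => $raw) {
    $result = check_signup($raw);
    echo $label, ': ', json_encode($result), PHP_EOL;
    if ($result['values'] !== null) {
        // The apostrophe passed FILTER_VALIDATE_EMAIL: encode at output, bind in SQL.
        echo '  html: ', htmlspecialchars($result['values']['email'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
    }
}
```

In a request handler, the same filter array goes to filter_input_array(INPUT_POST, SIGNUP_FILTERS, true), with a check for a null return when the request carries no POST data.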

Wrapping Up

In this article, you learned how filter_input_array() works and why you should use it to handle multiple inputs securely.

You also saw the difference between filter_input_array() and filter_var_array(), and how to create custom filters.

Here is a quick recap:

  • filter_input_array() filters multiple inputs at once from GET, POST, or other sources.
  • It applies sanitization and validation rules to prevent security risks.
  • filter_input_array() retrieves data directly, while filter_var_array() filters an existing array.
  • You can use FILTER_CALLBACK for custom filtering.
  • Proper input handling ensures safe and clean data processing.

FAQs

What is filter_input_array() in PHP?

filter_input_array() filters multiple inputs from GET, POST, COOKIE, SERVER, or ENV at once. It applies validation and sanitization rules to prevent security risks like XSS and SQL injection.

What is the difference between filter_input_array() and filter_var_array()?

filter_input_array() retrieves and filters input directly from sources like $_POST or $_GET. filter_var_array() filters an existing array of data. Use filter_input_array() for user input and filter_var_array() when working with stored data.

How do I use filter_input_array() in PHP?

Define an array of filters and apply them to user input:

$options = [
    'name'  => FILTER_SANITIZE_STRING,
    'email' => FILTER_VALIDATE_EMAIL
];
$input = filter_input_array(INPUT_POST, $options);

This ensures only clean data enters your application.

Can I use a custom function with filter_input_array()?

Yes, use FILTER_CALLBACK to apply a custom function:

function sanitize_name($value) {
    return preg_replace("/[^a-zA-Z\s]/", "", $value);
}
$options = [
    'name' => ['filter' => FILTER_CALLBACK, 'options' => 'sanitize_name']
];
$input = filter_input_array(INPUT_POST, $options);

This allows advanced filtering beyond built-in options.

How do I validate multiple input fields with filter_input_array()?

Use an array of filters and handle the validation results:

$options = [
    'username' => FILTER_SANITIZE_STRING,
    'email'    => FILTER_VALIDATE_EMAIL
];
$input = filter_input_array(INPUT_POST, $options);
if (!$input['email']) {
    echo "Invalid email.";
} else {
    print_r($input);
}

This ensures all inputs meet security and formatting requirements.