The names accepted by filter_id() are names of filters provided by the filter extension. They should not be treated as general-purpose validation rule names.
For example, "validate_email" is a validation filter, while "email" is a sanitization filter:
<?php
var_dump(filter_id('validate_email') === FILTER_VALIDATE_EMAIL); var_dump(filter_id('email') === FILTER_SANITIZE_EMAIL); var_dump(filter_var('not an email', filter_id('validate_email'))); var_dump(filter_var('not an email', filter_id('email'))); ?>
This distinction matters when filter names come from configuration or a schema. If only validation is intended, consider using an application-level allow-list instead of passing arbitrary names directly to `filter_id()`:
<?php
function validation_filter_id(string $name): int
{
return match ($name) {
'email' => FILTER_VALIDATE_EMAIL,
'url' => FILTER_VALIDATE_URL,
'int' => FILTER_VALIDATE_INT,
'float' => FILTER_VALIDATE_FLOAT,
'bool', 'boolean' => FILTER_VALIDATE_BOOLEAN,
'ip' => FILTER_VALIDATE_IP,
'domain' => FILTER_VALIDATE_DOMAIN,
'mac' => FILTER_VALIDATE_MAC,
'regexp' => FILTER_VALIDATE_REGEXP,
default => throw new InvalidArgumentException(
"Unknown validation filter: {$name}"
),
};
}
$filter = validation_filter_id('email');
var_dump(filter_var('user@example.com', $filter)); var_dump(filter_var('not an email', $filter)); ?>