filter.default and filter.default_flags INI settings are deprecated
The PHP INI setting filter.default can be used to define a filter that is automatically applied to PHP super-globals (such as $_SERVER). Additional flags for the defined filter can be passed with the filter.default_flags INI setting.
By default, filter.default is set to filter.default=unsafe_raw, which effectively applies no filter to the super-globals.
This feature is similar to the now-removed Magic Quotes, which provided a less reliable and inconsistent approach to sanitizing user input. By setting the filter.default and filter.default_flags INI settings, it is possible to bring back a magic-quotes-like feature, which can lead to unpredictable and often insecure user input sanitization.
From PHP 8.1 onwards, setting filter.default to any filter name other than unsafe_raw emits a PHP deprecation notice at start-up time. The filter.default and filter.default_flags values cannot be set at run-time.
```
Deprecated: The filter.default ini setting is deprecated in ... on line ...
```
The filter.default_flags INI setting in particular does not emit a deprecation notice, although its use is discouraged and it will be removed along with filter.default.
From PHP 9.0, both the filter.default and filter.default_flags INI directives will be removed.
Relying on PHP's filter.default to sanitize user input is discouraged because it leads to unpredictable and double string sanitization. Different contexts require different sanitization methods: parameterized SQL queries, HTML special-character escaping, allow-listed HTML attributes, file extension validation, and so on.
The filters applied with the filter.default INI setting can be applied directly using the filter_var() function:

```php
$safe_html = filter_var($user_input_string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
```
A complete list of named filters and their PHP constant values is available on the sanitize filters page.
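The "unpredictable and double sanitization" problem above, shown as an added example that is not part of the original article: it simulates what filter.default=full_special_chars would have done to a request value, shows the double encoding that results when the script also escapes at output, and then applies the context-specific handling that should be used instead. The request value is constructed, and the PDO part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the original article): a blanket filter.default is
// context-blind and gets applied a second time by correct output escaping.

// Constructed request value; in a real request this would arrive in $_GET.
$raw = "O'Reilly & Sons <b>";

// What filter.default=full_special_chars would have done to every super-global
// value before the script ran: HTML-encode it, regardless of where it is used.
$preFiltered = filter_var($raw, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// $preFiltered === "O&#039;Reilly &amp; Sons &lt;b&gt;"

// Problem 1: the value is now wrong for any non-HTML context; stored as-is,
// the customer name contains "&amp;" instead of "&".
// Problem 2: code that (correctly) escapes at output now double-encodes.
$doubleEncoded = htmlspecialchars($preFiltered, ENT_QUOTES, 'UTF-8');
// $doubleEncoded === "O&amp;#039;Reilly &amp;amp; Sons &amp;lt;b&amp;gt;"
// which a browser renders literally as "O&#039;Reilly &amp; Sons &lt;b&gt;".

// Replacement: keep super-globals raw (filter.default=unsafe_raw, the default)
// and apply the encoding the output context requires, at the point of use.

// HTML body / attribute context: escape once, on output.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL context: no string escaping at all; bind the raw value as a parameter.
function findCustomer(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, name FROM customers WHERE name = :name');
    $stmt->execute([':name' => $name]); // raw "O'Reilly & Sons <b>" is safe here
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Demonstration with an in-memory SQLite database (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)');
$db->prepare('INSERT INTO customers (name) VALUES (:name)')->execute([':name' => $raw]);

$row = findCustomer($db, $raw);            // matches: stored and queried as-is
echo forHtml($row['name']), PHP_EOL;        // O&#039;Reilly &amp; Sons &lt;b&gt;
var_dump(findCustomer($db, $preFiltered)); // NULL: pre-filtered value no longer matches
```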
Backwards Compatibility Impact
The filter.default and filter.default_flags INI settings continue to work, despite the deprecation notice. These two INI settings will be removed in PHP 9.0.