PHP 8.1: filter.default and filter.default_options INI settings are deprecated

Version: 8.1
Type: Deprecation

The PHP INI setting filter.default can be used to define a filter that is automatically applied to the PHP super-globals ($_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER). Additional flags for the defined filter can be passed with the filter.default_flags INI setting.

By default, the value is filter.default=unsafe_raw, which effectively applies no filter to the super-globals.

This feature is similar to the now-removed Magic quotes, which provided a less reliable and inconsistent approach to sanitize user input.

With the filter.default and filter.default_flags INI settings, it is possible to bring back a magic-quotes-like behavior, which leads to unpredictable and often insecure sanitization of user input:

[PHP]
filter.default=add_slashes

From PHP 8.1 and later, setting filter.default to any filter name other than unsafe_raw emits a PHP deprecation notice at start-up time. The filter.default and filter.default_flags values cannot be set at run-time.

[PHP]
filter.default=add_slashes
Deprecated: The filter.default ini setting is deprecated in ... on line ...

The filter.default_flags INI setting by itself does not emit a deprecation notice, but its use is discouraged and it will be removed along with the filter.default setting.


From PHP 9.0, both filter.default and filter.default_flags INI directives will be removed.

Suggested Alternative

Relying on PHP's filter.default to sanitize user input is discouraged because it leads to unpredictable, and often double, string sanitization.

Each context requires its own sanitization or validation method, such as parameterized SQL queries, HTML special character neutralization, allow-listed HTML attributes, file extension validation, etc.

The filters applied with the filter.default INI setting can be applied directly using the filter_var function.

$safe_html = filter_var($user_input_string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);

A complete list of named filters and their PHP constant values is available on the sanitize filters page.
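The following added example (not code from the original page) contrasts what a global add_slashes filter does to a request value with explicit, per-context filter_var calls and a parameterized query; the request values are constructed, and the SQL part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: why a global filter.default=add_slashes is harmful and
// how to apply filters explicitly per context instead.
declare(strict_types=1);

// Constructed request data; in a real request this would be $_GET.
$request = ['name' => "O'Reilly <b>&</b>", 'id' => '42abc'];

// What filter.default=add_slashes would have done to every super-global:
$slashed = filter_var($request['name'], FILTER_SANITIZE_ADD_SLASHES);
// $slashed is now "O\'Reilly <b>&</b>". A parameterized query does no
// escaping of its own, so the stored value would keep the literal
// backslash: the "double sanitization" the page warns about.

// Explicit, context-specific handling instead:

// 1. HTML output context: neutralize special characters.
$html = filter_var($request['name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// "O&#039;Reilly &lt;b&gt;&amp;&lt;/b&gt;"

// 2. Integer context: validate rather than sanitize, and reject bad input.
$id = filter_var($request['id'], FILTER_VALIDATE_INT);
// false, because "42abc" is not an integer.

// 3. SQL context: a parameterized query with the raw value.
if (extension_loaded('pdo_sqlite')) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (name TEXT)');
    $stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $request['name']]);
    $stored = $pdo->query('SELECT name FROM users')->fetchColumn();
    var_dump($stored === $request['name']); // bool(true): stored verbatim
    // Had add_slashes run first, the row would hold "O\'Reilly ..." instead.
}

var_dump($slashed, $html, $id);
```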

Backwards Compatibility Impact

The filter.default and filter.default_flags INI settings continue to work, despite the deprecation notice.

These two INI settings will be removed in PHP 9.0.
