How to Validate (and Sanitize) User Input In PHP Using Filter_Input() and Filter_Var()

Never trust user data.

That’s the mantra. Good advice. So, how do you do it? In recording my newest training course, How to Submit an HTML Form to MySQL Using PHP, I talk quite a bit about the concept of “layered security”. Not my idea, though… it’s a pretty standard and accepted concept in application security (Wikipedia article on it here).

So, you have:

  • Prepared statements to stop SQL injection
  • Output escaping for XSS attacks
  • Tokens for CSRF

And, one I don’t see as much: input validation and sanitization using PHP’s filter_input() and filter_var() functions. So, you can do something like this:

<?php $name = filter_var($_POST['name'], FILTER_SANITIZE_STRING); ?>

That runs the $_POST element “name” through FILTER_SANITIZE_STRING, which, in the words of the PHP manual, will “Strip tags, optionally strip or encode special characters.” You can see a full list of available filters here.

You can also validate like this:

<?php $email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL); ?>

That filter, per the manual, “Validates whether the value is a valid e-mail address.” If it’s not a valid email address, filter_var() returns false, so you can run validation checks off it, like this:

<?php
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);

if ( $email === false ) {
    // Handle invalid emails here
}
?>

Optionally, you can use filter_input() like this:

<?php
$name   = filter_input(INPUT_POST, "name", FILTER_SANITIZE_STRING);
$email  = filter_input(INPUT_POST, "email", FILTER_VALIDATE_EMAIL);
$search = filter_input(INPUT_GET, "s", FILTER_SANITIZE_STRING);
?>

And, so on.

You also have filter_var_array() and filter_input_array() for filtering entire arrays at once, with a unique filter, flags and options for each element.
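Here is an added example (not code from the original post) that pulls the filter_var(), filter_input() and filter_var_array() ideas above together into one form handler. The $submission array is constructed sample data standing in for $_POST; against a live request you would pass INPUT_POST and the same $definition to filter_input_array() instead. The validateSubmission() function and its field names are my own for illustration. Because FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, the free-text field uses FILTER_SANITIZE_SPECIAL_CHARS instead, and the example also shows the difference between a field that is absent (null) and one that is present but invalid (false, or null when FILTER_NULL_ON_FAILURE is set).

```php
<?php
// Added example: validate and sanitize a whole form submission in one pass with
// filter_var_array(), using a per-field filter, flags and options.
declare(strict_types=1);

// One definition entry per field. An entry can be a bare filter constant or an
// array with 'filter', 'flags' and 'options' keys. Fields that are not listed
// here are dropped from the result, so unexpected POST keys never reach the app.
$definition = [
    'name' => [
        // FILTER_SANITIZE_STRING is deprecated in PHP 8.1; this filter HTML-encodes
        // ' " < > & and, with FILTER_FLAG_STRIP_LOW, removes control characters.
        'filter' => FILTER_SANITIZE_SPECIAL_CHARS,
        'flags'  => FILTER_FLAG_STRIP_LOW,
    ],
    'email' => FILTER_VALIDATE_EMAIL,            // false on failure
    'age' => [
        'filter'  => FILTER_VALIDATE_INT,        // returns an int, not a string
        'options' => ['min_range' => 13, 'max_range' => 120],
    ],
    'website' => [
        'filter' => FILTER_VALIDATE_URL,
        'flags'  => FILTER_NULL_ON_FAILURE,      // null (not false) on failure
    ],
    'subscribe' => [
        'filter' => FILTER_VALIDATE_BOOLEAN,     // "yes"/"on"/"1" => true, "no"/"off"/"0" => false
        'flags'  => FILTER_NULL_ON_FAILURE,      // anything else => null
    ],
];

/**
 * Run $input through $definition and return [cleanValues, errors].
 * (Hypothetical helper written for this example.)
 * With add_empty = true, keys missing from $input come back as null, so the
 * caller can tell "absent" apart from "present but invalid".
 */
function validateSubmission(array $input, array $definition): array
{
    $clean  = filter_var_array($input, $definition, true);
    $errors = [];

    foreach ($definition as $field => $spec) {
        $value = $clean[$field];
        // Filters carrying FILTER_NULL_ON_FAILURE signal failure with null instead of false.
        $nullMeansFailure = is_array($spec)
            && ((($spec['flags'] ?? 0) & FILTER_NULL_ON_FAILURE) !== 0);

        if (!array_key_exists($field, $input)) {
            $errors[$field] = 'missing';
        } elseif ($value === false || ($nullMeansFailure && $value === null)) {
            $errors[$field] = 'invalid';
        }
    }

    return [$clean, $errors];
}

// Constructed sample submission standing in for $_POST.
$submission = [
    'name'      => "Ada <script>alert(1)</script> Lovelace\x07",
    'email'     => 'ada@example.com',
    'age'       => '36',
    'website'   => 'not a url',
    'subscribe' => 'yes',
    'comment'   => 'not in the definition, so it is discarded',
];

[$clean, $errors] = validateSubmission($submission, $definition);

var_dump($clean);
var_dump($errors);

if ($errors === []) {
    // Only now hand $clean to the next layer (a prepared statement for storage,
    // htmlspecialchars() at output time). Sanitizing input is one extra layer,
    // not a substitute for those.
}
```

Running this with the PHP CLI shows the script tags in name encoded as HTML entities and the control character removed, age converted to an integer, subscribe converted to true, the unlisted comment key gone, and a single 'invalid' error for website. To use it on a real request, replace the filter_var_array() call with filter_input_array(INPUT_POST, $definition, true) and check $_POST for presence in the same way.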

In any case, do this to add just one more layer of security and ensure the user input you accept into your application isn’t going to let a hacker in the front door.

Also, if you’d like to learn about preventing SQL injection and XSS attacks as well, enroll in my new course. We go into all of it along with creating an HTML5 form, a MySQL database and tying the two together with PHP — in video format so you can see it come together. Plus, you get access to the final source code to download and use as you wish.

John Morris
I’m a 15-year veteran of freelance web development. I’ve worked with bestselling authors and average Joe’s next door. These days, I focus on helping other freelancers build their freelance business and their lifestyles.