How to Validate and Sanitise PHP Form Input for Security

Name: How to Validate and Sanitise PHP Form Input for Security
Author: AI

Validating and sanitising form input is essential for securing PHP applications.
Proper handling of user data helps prevent common vulnerabilities such as SQL injection and XSS (Cross-Site Scripting) attacks.

In this tutorial, you’ll learn how to validate and sanitise form input to ensure your application is secure and reliable.

1. Importance of Validation and Sanitisation

Validation: Ensures that the input meets specific criteria (e.g., correct format, required fields are not empty).
Sanitisation: Cleans input data to remove harmful characters, preventing malicious input from being executed.

Validation and sanitisation work together to protect your application from attacks and ensure user data is correctly processed.

2. Basic Validation Example

Here’s how to validate form input in PHP:

PHP Code

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = trim($_POST['name']); // Remove extra spaces
    $email = trim($_POST['email']); // Remove extra spaces
 
    if (empty($name)) {
        echo "Name is required.";
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "Invalid email format.";
    } else {
        echo "Validation passed!";
    }
}
?>

trim(): Removes unnecessary spaces from user input.
empty(): Checks if a field is empty.
filter_var(): Validates input against predefined filters, such as email format.

3. Basic Sanitisation Example

Sanitisation cleans user input to ensure it is safe to use. Here’s an example:

PHP Code

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = htmlspecialchars($_POST['name']); // Converts HTML characters to prevent XSS
    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL); // Removes illegal characters from email
 
    echo "Sanitised Name: $name";
    echo "Sanitised Email: $email";
}
?>

htmlspecialchars(): Converts special characters to HTML entities to prevent XSS.
filter_var(): Sanitises input using predefined filters like FILTER_SANITIZE_EMAIL.

4. Preventing SQL Injection

When working with databases, always use prepared statements to prevent SQL injection:

PHP Code

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $connection = new mysqli('localhost', 'user', 'password', 'database');
    $stmt = $connection->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
    $stmt->bind_param("ss", $name, $email);
 
    $name = trim($_POST['name']);
    $email = trim($_POST['email']);
 
    $stmt->execute();
    $stmt->close();
    $connection->close();
}
?>

Prepared Statements: Use placeholders ("?") and bind parameters to securely handle user input.
mysqli_real_escape_string(): Use if you cannot implement prepared statements.

5. Combining Validation and Sanitisation

Here’s an example combining both validation and sanitisation:

PHP Code

<?php
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    $name = htmlspecialchars(trim($_POST['name']));
    $email = filter_var(trim($_POST['email']), FILTER_SANITIZE_EMAIL);
 
    if (empty($name)) {
        echo "Name is required.";
    } elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo "Invalid email format.";
    } else {
        // Process the data (e.g., store in database)
        echo "Input is valid and safe.";
    }
}
?>

Conclusion

Validation and sanitisation are critical for securing web applications. By implementing these techniques, you can protect your application from common vulnerabilities and ensure reliable data handling.
Always combine validation, sanitisation, and secure database practices for robust security.

Author:

Views:

Rating:

There are currently no comments for this tutorial, login or register to leave one.