Input Validation & Sanitization

Accepting input from users is dangerous if you trust it blindly. Validation ensures that data meets strict criteria before your code uses it. Sanitization cleans potentially harmful characters before storage or display.

Validation vs. Sanitization

Validation means checking that input is in an expected format. Reject anything that doesn't conform. Sanitization means transforming input by stripping or escaping unwanted characters.

Validating email addresses

Use filter_var() with the FILTER_VALIDATE_EMAIL filter to ensure an email is valid:

<?php
declare(strict_types=1);

$email = $_POST['email'] ?? '';

// filter_var() returns false when the value is not a syntactically valid address.
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    die('Invalid email address');
}

Sanitizing strings

To HTML-encode special characters such as <, >, &, quotes and control characters, so that any tags in the input are rendered as literal text rather than interpreted as markup, use filter_var() with FILTER_SANITIZE_SPECIAL_CHARS:

<?php
declare(strict_types=1);

$name = $_POST['name'] ?? '';

// The filter encodes '"<>& and characters below ASCII 32 as HTML entities.
$safeName = filter_var($name, FILTER_SANITIZE_SPECIAL_CHARS);
echo 'Hello ' . $safeName;

Validate early and often, sanitize on output. Never trust data from users, even when it comes from hidden form fields or cookies.
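The following added example (not code from the original page) puts the two ideas together for a small form: each field is validated against strict criteria and rejected on failure, the validated raw values are kept, and escaping happens only at the HTML output boundary. The $submissions array is constructed test data standing in for $_POST, and the field names and limits are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page. Every field is validated
// against an allow-list and rejected on failure; escaping happens only at
// the HTML output boundary. $submissions stands in for $_POST (constructed).
$submissions = [
    ['email' => 'alice@example.com', 'age' => '42',  'name' => 'Seán O\'Brien'],
    ['email' => 'not-an-email',      'age' => '4.2', 'name' => 'Bob <b>Smith</b>'],
];

function validateForm(array $in): array
{
    $errors = [];
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Invalid email address';
    }

    // FILTER_VALIDATE_INT rejects "4.2" and "42abc" and enforces the range.
    $age = filter_var($in['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'Age must be a whole number between 0 and 150';
    }

    // Names: letters, marks, apostrophe, space, dot, hyphen; 1-64 characters.
    // Markup is rejected outright rather than stripped.
    $name = $in['name'] ?? '';
    if (!preg_match('/\A[\p{L}\p{M}\' .-]{1,64}\z/u', $name)) {
        $errors[] = 'Name contains disallowed characters';
    }
    return ['errors' => $errors, 'email' => $email, 'age' => $age, 'name' => $name];
}

// Escape when rendering, so a stored value is never assumed to be "already safe".
function renderGreeting(string $name): string
{
    return 'Hello ' . htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

foreach ($submissions as $i => $form) {
    $result = validateForm($form);
    if ($result['errors'] !== []) {
        echo "Submission $i rejected: ", implode('; ', $result['errors']), PHP_EOL;
        continue;
    }
    echo "Submission $i accepted: ", renderGreeting($result['name']), PHP_EOL;
}
```

The second submission fails all three checks and is rejected as a whole; the first passes, and the apostrophe in the name is encoded only when the greeting is rendered.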