PHP Form Validation: Secure Your Web Forms Effectively
Why Form Validation Matters in PHP
Form validation is the first line of defence for security and data integrity in a web application. Without it, your forms accept:
- Malicious input that feeds injection attacks (XSS, SQL injection). Validation narrows what reaches your templates and queries, but output escaping and prepared statements remain the actual defences against those two.
- Spam submissions
- Incorrect or incomplete data
In this guide we cover secure PHP form validation: server-side validation, sanitization versus output escaping, error handling, and the best practices that protect your site.
Form Validation Rules (Example Form)
We'll validate a form with the following fields:
| Field | Validation Rules |
|---|---|
| Name | Required, letters and whitespace only |
| Email | Required, valid email format |
| Website | Optional, must be a valid URL |
| Comment | Optional, multi-line text |
| Gender | Required, must select one option |
Step 1: HTML Form Structure
Here's the HTML form. The variables it echoes ($name, $nameErr and so on) are set by the validation script in Step 2, which has already HTML-encoded the submitted values, so the unescaped echoes below are safe only in combination with that script:

```html
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
  <!-- Name Field (value already HTML-encoded by sanitizeInput() in Step 2) -->
  <label for="name">Name:</label>
  <input type="text" id="name" name="name" value="<?php echo $name ?? ''; ?>">
  <span class="error"><?php echo $nameErr ?? ''; ?></span><br>
  <!-- Email Field -->
  <label for="email">Email:</label>
  <input type="text" id="email" name="email" value="<?php echo $email ?? ''; ?>">
  <span class="error"><?php echo $emailErr ?? ''; ?></span><br>
  <!-- Website Field -->
  <label for="website">Website:</label>
  <input type="text" id="website" name="website" value="<?php echo $website ?? ''; ?>">
  <span class="error"><?php echo $websiteErr ?? ''; ?></span><br>
  <!-- Comment Field -->
  <label for="comment">Comment:</label>
  <textarea id="comment" name="comment"><?php echo $comment ?? ''; ?></textarea><br>
  <!-- Gender Field (Radio Buttons): the checked option is re-selected after a failed submit -->
  <label>Gender:</label>
  <input type="radio" name="gender" value="female" <?php echo ($gender ?? '') == 'female' ? 'checked' : ''; ?>> Female
  <input type="radio" name="gender" value="male" <?php echo ($gender ?? '') == 'male' ? 'checked' : ''; ?>> Male
  <input type="radio" name="gender" value="other" <?php echo ($gender ?? '') == 'other' ? 'checked' : ''; ?>> Other
  <span class="error"><?php echo $genderErr ?? ''; ?></span><br>
  <input type="submit" name="submit" value="Submit">
</form>
```
Key Security Measures:
- htmlspecialchars() – converts `<`, `>`, `&` and `"` into HTML entities so a crafted value cannot break out of the markup and inject script (XSS).
- $_SERVER["PHP_SELF"] – submits to the same page, but it reflects the request path, including attacker-controlled path info (a request for /form.php/"><script>...</script> puts that string into PHP_SELF). It is only safe wrapped in htmlspecialchars() as above; a fixed action="form.php" avoids the problem entirely.
- Persistent Form Data – echoes the submitted values back so the user does not retype them; this is safe here only because sanitizeInput() in Step 2 has already HTML-encoded every value before it is stored in those variables.
Step 2: PHP Validation & Sanitization
Here's the complete PHP validation script:
```php
<?php
// Initialize variables so the form can echo them on first load without notices
$name = $email = $website = $comment = $gender = "";
$nameErr = $emailErr = $websiteErr = $genderErr = "";

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Validate Name (required, letters and spaces only)
    if (empty($_POST["name"])) {
        $nameErr = "Name is required";
    } else {
        $name = sanitizeInput($_POST["name"]);
        // \z instead of $ so a trailing newline cannot slip past the anchor.
        // Note: this ASCII-only pattern rejects accented and non-Latin names.
        if (!preg_match("/^[a-zA-Z ]+\z/", $name)) {
            $nameErr = "Only letters and spaces allowed";
        }
    }
    // Validate Email (required, syntactically valid address)
    if (empty($_POST["email"])) {
        $emailErr = "Email is required";
    } else {
        $email = sanitizeInput($_POST["email"]);
        // FILTER_VALIDATE_EMAIL checks syntax only, not that the mailbox exists.
        // It runs on the encoded value here, so an address containing & is rejected.
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $emailErr = "Invalid email format";
        }
    }
    // Validate Website (optional, must parse as a URL)
    if (!empty($_POST["website"])) {
        $website = sanitizeInput($_POST["website"]);
        // FILTER_VALIDATE_URL checks syntax only and does not restrict the scheme
        // (ftp://, file:// and others pass), so check for http/https separately
        // before ever rendering this value as a link.
        if (!filter_var($website, FILTER_VALIDATE_URL)) {
            $websiteErr = "Invalid URL";
        }
    }
    // Validate Comment (optional, free text)
    if (!empty($_POST["comment"])) {
        $comment = sanitizeInput($_POST["comment"]);
    }
    // Validate Gender (required; the form only offers female/male/other, but this
    // check accepts any non-empty value, so the database may see other strings)
    if (empty($_POST["gender"])) {
        $genderErr = "Gender is required";
    } else {
        $gender = sanitizeInput($_POST["gender"]);
    }
    // If no errors, process data (e.g., save to database with a prepared statement)
    if (empty($nameErr) && empty($emailErr) && empty($websiteErr) && empty($genderErr)) {
        // Database insertion or further processing
        echo "<div class='success'>Form submitted successfully!</div>";
    }
}

// Sanitize Input Function: normalizes the value and HTML-encodes it.
// htmlspecialchars() here is output encoding applied at input time: the stored
// value is HTML-encoded, which is only correct if it is always rendered in HTML.
function sanitizeInput($data) {
    $data = trim($data);         // Remove leading/trailing whitespace
    $data = stripslashes($data); // Remove backslashes; a magic_quotes-era habit that also strips legitimate ones
    $data = htmlspecialchars($data, ENT_QUOTES, 'UTF-8'); // Encode < > & " ' so the value can be echoed into HTML
    return $data;
}
?>
```
Output Examples:
✅ Successful Submission:
Form submitted successfully!
❌ Error Messages:
Name is required
Invalid email format
Gender is required
Best Practices for Secure PHP Form Validation
- Validate Before Processing - Check required fields and formats (email, URL, allowed option values) server-side on the raw value, and reject input that does not match rather than trying to "clean" it into shape.
- Escape Output for Its Context - Use htmlspecialchars() when echoing into HTML. trim() is a harmless normalization; stripslashes() is a leftover from magic_quotes (removed in PHP 5.4) and on current PHP only corrupts legitimate backslashes.
- Prevent SQL Injection with Prepared Statements - Bind every value with PDO or mysqli; htmlspecialchars() does nothing for SQL.
- Escape $_SERVER["PHP_SELF"] or Use a Fixed Action - It echoes attacker-controlled path info, so never print it raw into the action attribute.
- Use Client-Side Validation (JavaScript, HTML5 input types) for UX - Provides instant feedback, but always validate server-side because the client can be bypassed or scripted.
- Secure File Uploads - Confirm the file came from a real upload with is_uploaded_file(), check size and type by content rather than trusting the client-supplied name or MIME type, and store it with move_uploaded_file() under a server-chosen name outside the web root.
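The following is an added example, not the page's own script, that rewrites Step 2 along the lines of the practices above: values are validated raw and kept unencoded, escaping happens at output time through a small e() helper, the website scheme is restricted to http/https, the gender value is checked against the offered options, and the insert uses a PDO prepared statement. The contacts table, the contact.php action and the SQLite DSN are assumptions made for this demo.

```php
<?php
// Added example, not the page's own code: validate the raw POST values, keep them
// unencoded, escape at output time, and insert with a prepared statement.
// The `contacts` table, contact.php and the SQLite DSN are assumptions for this demo.
declare(strict_types=1);

// Escape for an HTML body or double-quoted attribute context.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns [values, errors]; values are trimmed but never HTML-encoded.
function validateContactForm(array $post): array {
    $values = ['name' => '', 'email' => '', 'website' => '', 'comment' => '', 'gender' => ''];
    $errors = [];
    foreach (array_keys($values) as $field) {
        $raw = $post[$field] ?? '';
        $values[$field] = is_string($raw) ? trim($raw) : ''; // reject arrays like name[]=x
    }
    // Name: required; \z (not $) so a trailing newline cannot pass the anchor.
    if ($values['name'] === '') {
        $errors['name'] = 'Name is required';
    } elseif (!preg_match('/^[a-zA-Z ]+\z/', $values['name'])) {
        $errors['name'] = 'Only letters and spaces allowed';
    }
    // Email: validated on the raw value, before any encoding could alter it.
    if ($values['email'] === '') {
        $errors['email'] = 'Email is required';
    } elseif (filter_var($values['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid email format';
    }
    // Website: FILTER_VALIDATE_URL checks syntax only and accepts any scheme,
    // so require http/https before this is ever rendered as a link.
    if ($values['website'] !== '') {
        $scheme = strtolower((string) parse_url($values['website'], PHP_URL_SCHEME));
        if (filter_var($values['website'], FILTER_VALIDATE_URL) === false
                || !in_array($scheme, ['http', 'https'], true)) {
            $errors['website'] = 'Invalid URL (http or https only)';
        }
    }
    // Comment: optional, but bounded (bytes) so the column and the page stay sane.
    if (strlen($values['comment']) > 2000) {
        $errors['comment'] = 'Comment too long';
    }
    // Gender: must be one of the offered options, not merely non-empty.
    if (!in_array($values['gender'], ['female', 'male', 'other'], true)) {
        $errors['gender'] = 'Gender is required';
    }
    return [$values, $errors];
}

// Bound parameters keep data and SQL separate: quotes or comment markers in a
// field reach the database as data and cannot alter the statement.
function saveContact(PDO $pdo, array $values): void {
    $pdo->exec('CREATE TABLE IF NOT EXISTS contacts
        (name TEXT, email TEXT, website TEXT, comment TEXT, gender TEXT)');
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email, website, comment, gender)
        VALUES (:name, :email, :website, :comment, :gender)');
    $stmt->execute($values); // array keys match the named placeholders
}

$values = ['name' => '', 'email' => '', 'website' => '', 'comment' => '', 'gender' => ''];
$errors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$values, $errors] = validateContactForm($_POST);
    if ($errors === []) {
        $pdo = new PDO('sqlite:contacts.db', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        saveContact($pdo, $values);
        echo "<div class='success'>Form submitted successfully!</div>";
    }
}
?>
<!-- Fixed action instead of PHP_SELF; every dynamic value passes through e() -->
<form method="post" action="contact.php">
  <?php foreach (['name' => 'Name', 'email' => 'Email', 'website' => 'Website'] as $f => $label): ?>
    <label for="<?= $f ?>"><?= $label ?>:</label>
    <input type="text" id="<?= $f ?>" name="<?= $f ?>" value="<?= e($values[$f]) ?>">
    <span class="error"><?= e($errors[$f] ?? '') ?></span><br>
  <?php endforeach; ?>
  <label for="comment">Comment:</label>
  <textarea id="comment" name="comment"><?= e($values['comment']) ?></textarea>
  <span class="error"><?= e($errors['comment'] ?? '') ?></span><br>
  <label>Gender:</label>
  <?php foreach (['female', 'male', 'other'] as $opt): ?>
    <input type="radio" name="gender" value="<?= $opt ?>" <?= $values['gender'] === $opt ? 'checked' : '' ?>> <?= ucfirst($opt) ?>
  <?php endforeach; ?>
  <span class="error"><?= e($errors['gender'] ?? '') ?></span><br>
  <input type="submit" name="submit" value="Submit">
</form>
```

Because the stored values are raw, the same record can later be rendered into HTML, JSON or an email without double-encoding; each output path applies its own context-appropriate escaping. The scheme check matters because a syntactically valid URL with a non-http scheme would otherwise be accepted and could be emitted as a clickable link elsewhere in the site.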