Input Sanitization and Validation in PHP

Introduction

When building dynamic web applications with PHP, input sanitization and validation are critical steps to ensure your application is secure and performs correctly. Whether you're handling form submissions, URL parameters, or API requests, you must validate and sanitize user input to prevent common security threats like SQL injection, Cross-site Scripting (XSS), and remote code execution.

This comprehensive guide will cover everything you need to know about PHP input sanitization and validation, using best practices and real-world examples.

What Is Input Validation?

Input validation is the process of checking whether the input data meets certain criteria or rules. For example:

  • Is the input a valid email address?
  • Is the age entered a number?
  • Does the username contain only alphanumeric characters?

Validation ensures the data integrity and helps prevent malformed data from entering your system.

Types of Validation

Client-Side Validation

  • Done using HTML5 or JavaScript.
  • Enhances user experience but can be bypassed.

Server-Side Validation (in PHP)

  • More secure.
  • Always required regardless of client-side validation.

What Is Input Sanitization?

Input sanitization is the process of cleaning input to remove or escape unwanted characters. It doesn't check for correctness but makes the input safe for use.

For example, if someone enters HTML code in a comment box, sanitization ensures it doesn't execute as real HTML when rendered.

Difference Between Validation and Sanitization

Validation Sanitization
Checks for correctness Cleans the input
Blocks bad data Escapes or removes unwanted characters
Prevents logic errors Prevents XSS and SQL injection

Why Is Input Sanitization and Validation Important in PHP?

PHP is widely used for server-side scripting and interacts directly with databases, files, and user input. Improper handling of input can lead to serious vulnerabilities.

Common Attacks Prevented:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Remote Code Execution
  • Cross-Site Request Forgery (CSRF)

Best Practices for PHP Input Validation and Sanitization

1. Use filter_var() for Built-in Validation

PHP's filter_var() function offers predefined filters for common validation tasks. 

$email = $_POST['email'];
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Valid email";
} else {
    echo "Invalid email";
}

2. Validate Integer Input

$age = $_POST['age'];
if (filter_var($age, FILTER_VALIDATE_INT)) {
    echo "Valid age";
} else {
    echo "Invalid age";
}

3. Sanitize String Input

$name = $_POST['name'];
$clean_name = filter_var($name, FILTER_SANITIZE_STRING);
echo "Sanitized Name: " . $clean_name;

🔒 Note: As of PHP 8.1, FILTER_SANITIZE_STRING is deprecated. Use custom sanitization methods like htmlspecialchars() or regex.

PHP Input Sanitization Techniques

1. htmlspecialchars()

Prevents XSS by converting special characters to HTML entities.

$comment = $_POST['comment'];
$comment_safe = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

2. strip_tags()

Removes all HTML and PHP tags.

$bio = $_POST['bio'];
$bio_clean = strip_tags($bio);

3. Regular Expressions (Regex)

Use preg_match() for custom pattern validation.

$username = $_POST['username'];
if (preg_match("/^[a-zA-Z0-9_]{5,20}$/", $username)) {
    echo "Valid username";
} else {
    echo "Invalid username";
}

Secure PHP Form Handling Example

if ($_SERVER["REQUEST_METHOD"] == "POST") {
    // Sanitize
    $name = htmlspecialchars(trim($_POST["name"]));
    $email = filter_var(trim($_POST["email"]), FILTER_SANITIZE_EMAIL);

    // Validate
    if (!preg_match("/^[a-zA-Z ]*$/", $name)) {
        $name_error = "Only letters and white space allowed";
    }
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $email_error = "Invalid email format";
    }

    if (empty($name_error) && empty($email_error)) {
        echo "Form data is safe and valid!";
    }
}

Using PHP Form Validation Libraries

For large-scale projects, use libraries for cleaner and reusable code.

Popular PHP Validation Libraries:

  • Respect\Validation
  • Valitron
  • Symfony Validator (part of Symfony Framework)

Example using Respect\Validation:

use Respect\Validation\Validator as v;

$nameValidator = v::stringType()->length(3, 20);
if ($nameValidator->validate($name)) {
    echo "Valid Name";
}

PHP Input Security Tips

1. Use mysqli or PDO Prepared Statements

Avoid SQL injection by never inserting raw input into queries.

$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$email]);

2. Escape Output for HTML

Always escape output when displaying user data:

echo htmlspecialchars($user_input);

3. Limit File Uploads

Always validate MIME types and file size before accepting user uploads.

Common Mistakes to Avoid

Mistake Better Approach
Trusting client-side validation Always validate on the server
Using raw SQL queries Use prepared statements
Ignoring special characters Use htmlspecialchars()
Allowing all file types Restrict by MIME and extension