Validate Form Data with PHP
You need to take great care to thoroughly validate all user input to ensure not only that it’s provided in the desired format (for example, if you expect the user to provide an e-mail address then the address should be syntactically valid), but also that it is incapable of doing any harm to the website or underlying operating system.
Sanitizing User Input
Two standard functions are available for doing so: htmlentities() and strip_tags().
1. Converting Input into HTML Entities
The htmlentities() function converts characters that have special meaning in an HTML context into entity strings that a browser renders as literal text rather than interpreting as HTML.
Five characters are considered special by this function: &, ", >, <, '.
2. Stripping Tags from User Input
Sometimes it is best to strip all HTML from user input entirely, regardless of intent. For instance, HTML-based input is particularly problematic when the information is displayed back to the browser, as in the case of a message board. This problem can be eliminated by passing the user input through strip_tags(), which removes all HTML tags from a string.
3. The htmlspecialchars() function
You can pass all variables through PHP's htmlspecialchars() function. The htmlspecialchars() function converts special characters to HTML entities. If a user submits HTML or script in the form, it is rendered as plain text rather than executed, so it is safe to display on a page or inside an e-mail.
4. Trim
You can strip unnecessary characters (extra space, tab, newline) from the user input data with the PHP trim() function.
5. Remove Backslashes
You can remove backslashes (\) from the user input data with the PHP stripslashes() function.
To avoid writing the same code over and over again, create a function that will do all the checking.
function test_input($data)
{
    // Remove leading/trailing whitespace (spaces, tabs, newlines)
    $data = trim($data);
    // Remove backslashes
    $data = stripslashes($data);
    // Convert special characters to HTML entities; ENT_QUOTES also
    // escapes single quotes, which the default flags do not before PHP 8.1
    $data = htmlspecialchars($data, ENT_QUOTES);
    return $data;
}
Required Fields
Required fields cannot be empty and must be filled out in the HTML form. An error message is displayed if needed. You can use the PHP empty() function: if the $_POST variable is empty, an error message is displayed, and if it is not empty, the user input is passed through the test_input() function.
Validating Data with Filter Extension
You can use these features not only to validate data such as an e-mail address so that it meets stringent requirements, but also to sanitize data, altering it to fit specific criteria without requiring the user to take further action.
For instance, to validate an e-mail address, pass the FILTER_VALIDATE_EMAIL filter to filter_var().
$email = 'john@@example.com'; // deliberately malformed (double @)
// filter_var() returns false when the value does not pass the filter
if (!filter_var($email, FILTER_VALIDATE_EMAIL))
{
    echo "INVALID E-MAIL!";
}
Validation Filters
- FILTER_VALIDATE_BOOLEAN
- FILTER_VALIDATE_EMAIL
- FILTER_VALIDATE_FLOAT
- FILTER_VALIDATE_INT
- FILTER_VALIDATE_IP
- FILTER_VALIDATE_REGEXP
- FILTER_VALIDATE_URL
Sanitizing Data with Filter Extension
It is also possible to use the Filter component to sanitize data.
- FILTER_SANITIZE_EMAIL: Removes all characters from a string except those allowable within an e-mail address as defined within RFC 822.
- FILTER_SANITIZE_ENCODED: URL encodes a string, producing output identical to that returned by the urlencode() function.
- FILTER_SANITIZE_MAGIC_QUOTES: Escapes potentially dangerous characters with a backslash using the addslashes() function.
- FILTER_SANITIZE_NUMBER_FLOAT: Removes any characters that would result in a floating-point value not recognized by PHP.
- FILTER_SANITIZE_NUMBER_INT: Removes any characters that would result in an integer value not recognized by PHP.
- FILTER_SANITIZE_SPECIAL_CHARS: HTML encodes the ', ", <, >, and & characters, in addition to any character having an ASCII value less than 32 (this includes characters such as a tab and backspace).
- FILTER_SANITIZE_STRING: Strips all tags such as <p> and <b>.
- FILTER_SANITIZE_URL: Removes all characters from a string except for those allowable within a URL as defined within RFC 3986.
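The following is an added example (not code from the original page) that ties the pieces above together: the required-field check with empty(), the test_input() helper for escaping values that are echoed back as HTML, and filter_var() validators and sanitizers for the e-mail, age and website fields. The $post array is a constructed sample submission standing in for $_POST; field names, the 18 to 120 age range and the validate_form() function are assumptions for illustration.

```php
<?php
// Constructed sample submission standing in for $_POST (not real request data)
$post = [
    'name'    => "  <b>Alice</b>\n",
    'email'   => 'alice@example.com',
    'website' => 'https://example.com/profile?id=42',
    'age'     => '17',
    'comment' => "Hi <script>alert(1)</script> & bye",
];

// The page's test_input(), with ENT_QUOTES so single quotes are escaped too
function test_input(string $data): string
{
    $data = trim($data);
    $data = stripslashes($data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Returns ['errors' => [...], 'data' => [...]]; data is filled only when valid
function validate_form(array $post): array
{
    $errors = $data = [];
    // Required fields; note empty('0') is true, so avoid empty() where "0" is valid
    foreach (['name', 'email', 'comment'] as $field) {
        if (empty($post[$field])) {
            $errors[$field] = "$field is required";
        }
    }
    // Validate with the Filter extension; FILTER_VALIDATE_* return false on failure
    if (filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid e-mail address';
    }
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 18, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 18 and 120';
    }
    // Optional field: sanitize, then still validate (sanitizing is not validation)
    $site = filter_var($post['website'] ?? '', FILTER_SANITIZE_URL);
    if ($site !== '' && filter_var($site, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'invalid URL';
    }
    if (!$errors) {
        // Escape only values that will be echoed back into HTML
        $data = ['name' => test_input(strip_tags($post['name'])), 'age' => $age,
                 'email' => $post['email'], 'website' => $site,
                 'comment' => test_input($post['comment'])];
    }
    return ['errors' => $errors, 'data' => $data];
}

print_r(validate_form($post)); // dump errors and cleaned data for inspection
```

With the sample above, the age of 17 fails the min_range check, so the result carries an age error and an empty data array; change it to 18 or more and the escaped name and comment appear in data. Escaping for HTML output does not protect database queries, which still need parameterized statements.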