Code has been added to clipboard!

How to Make PHP Sanitize Input, Process Data and Deal with Queries

Reading time 2 min
Published Aug 8, 2017
Updated Oct 2, 2019

If you read the first lesson on PHP filters, you already have an idea on why do you need to care about PHP filtering and how it works. Making PHP sanitize input means providing your web application with an additional layer of protection since external data can sometimes put it at risk.

In this tutorial, we will dive a little bit deeper and learn more about advanced filters. You will discover how they can help PHP sanitize input that your web application receives. They can also make PHP validate URL addresses, recognize QueryString, and understand ASCII values of characters used in the code.

PHP Sanitize Input: Main Tips

  • PHP offers advanced filters for processing data.
  • PHP input sanitization is especially important when dealing with queries.

Using filter_var()

The example below uses filter_var() for checking whether a variable is actually an integer and has a value between 10 and 100:

Example
<?php
  $int = 185;
  $min = 10;
  $max = 100;
  if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {    
    echo("Variable isn't valid");
  } else {    
    echo("Variable is valid");
  }
?>

Note: similar results can also be achieved with filter_input PHP function.

IPv6 Address Validation

Now, in this example, filter_var() is used to determine whether $ip is a proper IPv6 address:

Example
<?php
  $ip = "2012:0db9:89a4:09d3:1919:8a9e:0390:7394";
  if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {      	
    echo("$ip is indeed a valid IPv6 address");
  } else {      	
    echo("$ip is no valid IPv6 address");
  }
?>
Udacity
Pros
  • Simplistic design (no unnecessary information)
  • High-quality courses (even the free ones)
  • Variety of features
Main Features
  • Nanodegree programs
  • Suitable for enterprises
  • Paid certificates of completion
Coursera
Pros
  • Professional service
  • Flexible timetables
  • A variety of features to choose from
Main Features
  • Professional certificates of completion
  • University-level courses
  • Multiple Online degree programs
Datacamp
Pros
  • Great user experience
  • Offers quality content
  • Very transparent with their pricing
Main Features
  • Free certificates of completion
  • Focused on data science skills
  • Flexible learning timetable

URL Validation

The example below uses a function called filter_var() to make PHP validate URL address. Basically, that means determining whether $url is a URL that contains QueryString:

Example
<?php
  $url = "https://www.bitdegree.org/learn/";
  if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED) === false) {      	
    echo("$url is a valid URL address");
  } elseecho("$url is not a valid URL address");
  }
?>

Removing Characters

In the example below, filter_var() is used to PHP sanitize string (in other words, to remove any special characters from it). It removes every HTML tag detected, as well as all characters that have the ASCII value above 127 from the string:

Example
<?php
  $string = "<h2>H3110 W0r1dÆØÅ!</h2>";
  $filteredString = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
  echo $filteredString;
?>

PHP Sanitize Input: Summary

  • Advanced filters make it easier for PHP developers to process data. For example, easier to make PHP sanitize input from external sources.
  • You can find them extremely useful when dealing with queries.
  • As you make PHP sanitize input, you can be as specific as possible about the characters you wish to remove.
  • filter_var works similarly as filter_input PHP function.

Latest Udacity Coupon Found:

Verified STAFF PICK

75% OFF COURSES

Udacity Black Friday Offer

The best time to save on Udacity courses is now - follow this coupon to access a 75% Udacity Black Friday discount & enjoy learning at a very low cost!

Expiration date: 28/01/2021
3176 People Used
Only 97 Left
Rating
5.0