Cyber Week

Save big!

All courses under $5 - for a limited time!

Code has been added to clipboard!

How to Make PHP Sanitize Input, Process Data and Deal with Queries

Reading time 2 min
Published Aug 8, 2017
Updated Oct 2, 2019

If you read the first lesson on PHP filters, you already have an idea on why do you need to care about PHP filtering and how it works. Making PHP sanitize input means providing your web application with an additional layer of protection since external data can sometimes put it at risk.

In this tutorial, we will dive a little bit deeper and learn more about advanced filters. You will discover how they can help PHP sanitize input that your web application receives. They can also make PHP validate URL addresses, recognize QueryString, and understand ASCII values of characters used in the code.

PHP Sanitize Input: Main Tips

  • PHP offers advanced filters for processing data.
  • PHP input sanitization is especially important when dealing with queries.

Using filter_var()

The example below uses filter_var() for checking whether a variable is actually an integer and has a value between 10 and 100:

Example
<?php
  $int = 185;
  $min = 10;
  $max = 100;
  if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {    
    echo("Variable isn't valid");
  } else {    
    echo("Variable is valid");
  }
?>

Note: similar results can also be achieved with filter_input PHP function.

IPv6 Address Validation

Now, in this example, filter_var() is used to determine whether $ip is a proper IPv6 address:

Example
<?php
  $ip = "2012:0db9:89a4:09d3:1919:8a9e:0390:7394";
  if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {      	
    echo("$ip is indeed a valid IPv6 address");
  } else {      	
    echo("$ip is no valid IPv6 address");
  }
?>

URL Validation

The example below uses a function called filter_var() to make PHP validate URL address. Basically, that means determining whether $url is a URL that contains QueryString:

Example
<?php
  $url = "https://www.bitdegree.org/learn/";
  if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED) === false) {      	
    echo("$url is a valid URL address");
  } elseecho("$url is not a valid URL address");
  }
?>

Removing Characters

In the example below, filter_var() is used to PHP sanitize string (in other words, to remove any special characters from it). It removes every HTML tag detected, as well as all characters that have the ASCII value above 127 from the string:

Example
<?php
  $string = "<h2>H3110 W0r1dÆØÅ!</h2>";
  $filteredString = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
  echo $filteredString;
?>

PHP Sanitize Input: Summary

  • Advanced filters make it easier for PHP developers to process data. For example, easier to make PHP sanitize input from external sources.
  • You can find them extremely useful when dealing with queries.
  • As you make PHP sanitize input, you can be as specific as possible about the characters you wish to remove.
  • filter_var works similarly as filter_input PHP function.