How to Make PHP Sanitize Input, Process Data and Deal with Queries

If you read the first lesson on PHP filters, you already have an idea on why do you need to care about PHP filtering and how it works. Making PHP sanitize input means providing your web application with an additional layer of protection since external data can sometimes put it at risk.

In this tutorial, we will dive a little bit deeper and learn more about advanced filters. You will discover how they can help PHP sanitize input that your web application receives. They can also make PHP validate URL addresses, recognize QueryString, and understand ASCII values of characters used in the code.

PHP Sanitize Input: Main Tips

• PHP offers advanced filters for processing data.
• PHP input sanitization is especially important when dealing with queries.

Using filter_var()

The example below uses filter_var() for checking whether a variable is actually an integer and has a value between 10 and 100:

<?php
  $int = 185;
  $min = 10;
  $max = 100;
  if (filter_var($int, FILTER_VALIDATE_INT, array("options" => array("min_range"=>$min, "max_range"=>$max))) === false) {    
    echo("Variable isn't valid");
  } else {    
    echo("Variable is valid");
  }
?>

Note: similar results can also be achieved with filter_input PHP function.

IPv6 Address Validation

Now, in this example, filter_var() is used to determine whether $ip is a proper IPv6 address:

<?php
  $ip = "2012:0db9:89a4:09d3:1919:8a9e:0390:7394";
  if (!filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6) === false) {      	
    echo("$ip is indeed a valid IPv6 address");
  } else {      	
    echo("$ip is no valid IPv6 address");
  }
?>

Pros

• Easy to use with a learn-by-doing approach
• Offers quality content
• Gamified in-browser coding experience
• The price matches the quality
• Suitable for learners ranging from beginner to advanced

Main Features

• Free certificates of completion
• Focused on data science skills
• Flexible learning timetable

EXCLUSIVE: 50% OFF

Pros

• Simplistic design (no unnecessary information)
• High-quality courses (even the free ones)
• Variety of features

Main Features

• Nanodegree programs
• Suitable for enterprises
• Paid Certificates of completion

15% OFF

Pros

• Easy to navigate
• No technical issues
• Seems to care about its users

Main Features

• Huge variety of courses
• 30-day refund policy
• Free certificates of completion

AS LOW AS 14.99$

URL Validation

The example below uses a function called filter_var() to make PHP validate URL address. Basically, that means determining whether $url is a URL that contains QueryString:

<?php
  $url = "https://www.bitdegree.org/learn/";
  if (!filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_QUERY_REQUIRED) === false) {      	
    echo("$url is a valid URL address");
  } else { 
    echo("$url is not a valid URL address");
  }
?>

Removing Characters

In the example below, filter_var() is used to PHP sanitize string (in other words, to remove any special characters from it). It removes every HTML tag detected, as well as all characters that have the ASCII value above 127 from the string:

<?php
  $string = "<h2>H3110 W0r1dÆØÅ!</h2>";
  $filteredString = filter_var($string, FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_HIGH);
  echo $filteredString;
?>

PHP Sanitize Input: Summary

• Advanced filters make it easier for PHP developers to process data. For example, easier to make PHP sanitize input from external sources.
• You can find them extremely useful when dealing with queries.
• As you make PHP sanitize input, you can be as specific as possible about the characters you wish to remove.
• filter_var works similarly as filter_input PHP function.