PHP programming, ~10 mins

Input validation and sanitization in PHP - Step-by-Step Execution

Concept Flow - Input validation and sanitization
1. User input received
2. Validate input format?
   No: reject input
   Yes: sanitize input to remove bad data
3. Use clean input in program
4. End
Input is first checked for correct format, then cleaned to remove harmful parts before use.
Execution Sample
PHP
<?php
$input = "<script>alert('x')</script>123";
// Validate: ctype_digit is true only if every character is a digit 0-9.
if (ctype_digit($input)) {
  // Sanitize: strip everything except digits and the signs + and -.
  $clean = filter_var($input, FILTER_SANITIZE_NUMBER_INT);
  echo $clean;
} else {
  // Validation failed: reject the value instead of trying to clean it.
  echo "Invalid input";
}
?>
This code checks whether the input consists only of digits; if so, it sanitizes the value with FILTER_SANITIZE_NUMBER_INT and prints it, otherwise it prints an error.
Execution Table
Step | Action                         | Input Value                    | Validation Result | Sanitized Value | Output
1    | Receive input                  | <script>alert('x')</script>123 |                   |                 |
2    | Check if input is digits only  | <script>alert('x')</script>123 | False             |                 |
3    | Validation failed              | <script>alert('x')</script>123 | False             |                 | Invalid input
4    | End                            |                                |                   |                 |
💡 The input contains non-digit characters, so validation fails and the input is rejected.
Variable Tracker
Variable | Start                            | After Validation                 | After Sanitization               | Final
$input   | "<script>alert('x')</script>123" | "<script>alert('x')</script>123" | "<script>alert('x')</script>123" |
$clean   |                                  |                                  |                                  |
Key Moments - 2 Insights
Why does the validation fail even though the input has numbers?
Because ctype_digit checks if the entire string is digits only. The input has letters and symbols, so validation fails as shown in step 2 of the execution table.
What does sanitization do if validation fails?
Sanitization does not run if validation fails. The program stops and outputs 'Invalid input' as in step 3.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the validation result at step 2?
A. True
B. Error
C. False
D. Not checked
💡 Hint
Check the 'Validation Result' column at step 2 in the execution table.
At which step does the program output 'Invalid input'?
A. Step 3
B. Step 2
C. Step 1
D. Step 4
💡 Hint
Look at the 'Output' column in the execution table to find when 'Invalid input' is printed.
If the input was "12345", what would be the sanitized value?
A. "<script>12345</script>"
B. "12345"
C. ""
D. "Invalid input"
💡 Hint
Sanitization with FILTER_SANITIZE_NUMBER_INT keeps digits only; see the Variable Tracker for $clean.
Concept Snapshot
Input validation checks if data matches expected format.
Sanitization cleans input to remove harmful parts.
Validate first, then sanitize.
Reject input if validation fails.
Use PHP functions like ctype_digit and filter_var.
Always protect your program from bad input.
Full Transcript
This example shows how PHP handles input validation and sanitization. First, the program receives input which may contain harmful code or unexpected characters. It uses ctype_digit to check if the input is only digits. If the check fails, the program stops and prints 'Invalid input'. If it passes, it sanitizes the input using filter_var with FILTER_SANITIZE_NUMBER_INT to keep only numbers. This process protects the program from bad or dangerous input by first validating format, then cleaning the data before use.
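A fuller version of the validate-then-sanitize pattern from the Execution Sample and the transcript above, as an added example that is not part of the original lesson. The function name acceptItemId and the 1..1000000 id range are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original lesson. Validates a value as a positive
// integer id, then sanitizes it, and shows why validation must come first.

// Returns the clean integer, or null when the input is rejected.
// The 1..1000000 range and the function name are assumed for illustration.
function acceptItemId(string $input): ?int
{
    // Validate: ctype_digit is true only when every character is 0-9, so
    // markup, spaces, signs and the empty string are all rejected here.
    if (!ctype_digit($input)) {
        return null;
    }
    // Sanitize: keeps digits, '+' and '-' only. After validation this changes
    // nothing, but it is the step the lesson's sample applies.
    $clean = filter_var($input, FILTER_SANITIZE_NUMBER_INT);
    // Typed check with bounds, so callers only ever receive an in-range int.
    $id = filter_var($clean, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    return $id === false ? null : $id;
}

// Constructed sample inputs, including the payload from the lesson.
$samples = [
    "<script>alert('x')</script>123",  // markup: rejected by ctype_digit
    "12345",                           // digits only and in range: accepted
    "0",                               // digits only but below min_range: rejected
    " 42",                             // leading space: rejected by ctype_digit
    "+7",                              // sign: rejected by ctype_digit
];
foreach ($samples as $s) {
    $id = acceptItemId($s);
    printf("%-36s => %s\n", var_export($s, true),
        $id === null ? 'Invalid input' : "id $id");
}

// Sanitize-only, without the validation step: the hostile payload is not
// rejected but silently reduced to its digits and would be accepted as a number.
$sanitizedOnly = filter_var("<script>alert('x')</script>123", FILTER_SANITIZE_NUMBER_INT);
printf("sanitize-only result: %s\n", var_export($sanitizedOnly, true));
```

The last two lines are the reason the lesson puts validation before sanitization: a sanitizer alone turns a rejected value into an accepted one without anyone noticing.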