PHP programming ~20 mins

Input validation vs sanitization in PHP - Practice Questions

Challenge - 5 Problems
Predict Output
intermediate
What is the output of this PHP code snippet?
Consider the following PHP code that tries to validate and sanitize user input. What will it output?
PHP
<?php
$input = "<script>alert('XSS');</script>";
$validated = filter_var($input, FILTER_VALIDATE_EMAIL);
$sanitized = filter_var($input, FILTER_SANITIZE_EMAIL);
echo "Validated: ";
var_export($validated);
echo "\nSanitized: ";
var_export($sanitized);
?>
A
Validated: false
Sanitized: "scriptalertXSSscript"
B
Validated: "&lt;script&gt;alert('XSS');&lt;/script&gt;"
Sanitized: "&lt;script&gt;alert('XSS');&lt;/script&gt;"
C
Validated: false
Sanitized: "alert('XSS')"
D
Validated: null
Sanitized: "alert('XSS')"
💡 Hint
FILTER_VALIDATE_EMAIL returns false if input is not a valid email. FILTER_SANITIZE_EMAIL removes invalid characters.
🧠 Conceptual
intermediate
Which statement correctly describes input validation vs sanitization?
Choose the option that best explains the difference between input validation and input sanitization.
A
Validation checks if input meets criteria; sanitization modifies input to remove harmful parts.
B
Validation modifies input to remove harmful parts; sanitization checks if input meets criteria.
C
Validation encrypts input; sanitization decrypts input.
D
Validation stores input securely; sanitization deletes input.
💡 Hint
Think about whether the process changes the input or just checks it.
🔧 Debug
advanced
Why does this PHP code fail to prevent XSS?
This PHP code tries to sanitize user input to prevent XSS attacks. Why does it fail?
PHP
<?php
$user_input = "<img src=x onerror=alert(1) />";
$safe_input = filter_var($user_input, FILTER_SANITIZE_STRING);
echo $safe_input;
?>
A
The code should use FILTER_VALIDATE_URL instead.
B
filter_var does not exist in PHP.
C
FILTER_SANITIZE_STRING does not exist and does not remove all harmful attributes like onerror.
D
echo cannot output sanitized strings.
💡 Hint
Check PHP documentation about FILTER_SANITIZE_STRING.
📝 Syntax
advanced
Which PHP code snippet correctly validates and sanitizes an email input?
Select the code that first validates an email input and then sanitizes it if valid.
A
<?php
$email = "user@example.com";
$clean = filter_var($email, FILTER_VALIDATE_EMAIL);
if ($clean) {
  echo filter_var($email, FILTER_SANITIZE_EMAIL);
}
?>
B
<?php
$email = "user@example.com";
$clean = filter_var($email, FILTER_SANITIZE_EMAIL);
if (filter_var($clean, FILTER_VALIDATE_EMAIL)) {
  echo $clean;
}
?>
C
<?php
$email = "user@example.com";
if (filter_var($email, FILTER_SANITIZE_EMAIL)) {
  $clean = filter_var($email, FILTER_VALIDATE_EMAIL);
  echo $clean;
}
?>
D
<?php
$email = "user@example.com";
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
  $clean = filter_var($email, FILTER_SANITIZE_EMAIL);
  echo $clean;
}
?>
💡 Hint
Validation should happen before sanitization to confirm input is valid.
🚀 Application
expert
How many items are in the resulting array after this PHP input processing?
Given this PHP code that validates and sanitizes an array of user inputs, how many items remain in the final array?
PHP
<?php
$inputs = ["john@example.com", "invalid-email", "alice@site.org", "<b>bob@site.com</b>"];
$valid_emails = array_filter($inputs, fn($email) => filter_var($email, FILTER_VALIDATE_EMAIL));
$sanitized_emails = array_map(fn($email) => filter_var($email, FILTER_SANITIZE_EMAIL), $valid_emails);
print_r($sanitized_emails);
?>
A
1
B
2
C
3
D
4
💡 Hint
Count how many inputs pass FILTER_VALIDATE_EMAIL before sanitization.