
Input validation vs sanitization in PHP - Visual Side-by-Side Comparison

Concept Flow - Input validation vs sanitization
User Input Received → Input Validation → Yes / No
  Yes → Input OK → Input Sanitization → Safe Input Used
  No → input rejected
First, the program checks if the input meets rules (validation). If yes, it cleans the input (sanitization) before use. If no, it rejects the input.
Execution Sample
PHP
<?php
// Example input: an HTML/JS snippet, not an email address
$input = "<script>alert('Hi')</script>";
// Validation: does the input have the shape of an email address?
if (filter_var($input, FILTER_VALIDATE_EMAIL)) {
  // Sanitization: strip characters that are not allowed in an email address
  $safe = filter_var($input, FILTER_SANITIZE_EMAIL);
  echo $safe;
} else {
  // Validation failed: reject the input
  echo "Invalid input";
}
?>
This PHP code checks if input is a valid email. If yes, it cleans it. If no, it shows 'Invalid input'.
Execution Table
Step | Action | Input Value | Validation Result | Sanitized Value | Output
1 | Receive input | <script>alert('Hi')</script> | Not checked yet | Not sanitized yet | No output
2 | Validate input as email | <script>alert('Hi')</script> | False (invalid email) | N/A | No output
3 | Check validation result | N/A | False | N/A | Go to else branch
4 | Output invalid message | N/A | N/A | N/A | Invalid input
5 | End | N/A | N/A | N/A | Program stops
💡 Input fails validation, so sanitization is skipped and 'Invalid input' is output.
Variable Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 4 | Final
$input | N/A | <script>alert('Hi')</script> | <script>alert('Hi')</script> | <script>alert('Hi')</script> | <script>alert('Hi')</script>
Validation Result | N/A | N/A | False | False | False
$safe | N/A | N/A | N/A | N/A | N/A
Output | N/A | N/A | N/A | Invalid input | Invalid input
Key Moments - 3 Insights
Why does the program reject the input before sanitizing it?
Because validation fails (see execution table, steps 2 and 3), the program never sanitizes the unsafe input; bad data is rejected rather than cleaned and used.
Is sanitization enough to trust input?
No. Sanitization cleans input but does not check whether the input is in the correct format; validation must happen first (see concept flow).
What happens if input passes validation?
If validation is true, sanitization cleans the input before use (not exercised in this run, but implied by the concept flow).
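The following is an added example, not code from the original page: it runs the page's validate-then-sanitize flow over several constructed inputs (the page's script-tag string plus two assumed email samples) and, to illustrate the two Key Moments above, also runs the reversed order to show why sanitization alone cannot be trusted.

```php
<?php
// Added example (not from the original page). Mirrors the Execution Table:
// validate first, and only sanitize when validation has passed.

/** Validate as email first; sanitize only if validation passed. Returns the step results. */
function processInput(string $input): array
{
    $valid = filter_var($input, FILTER_VALIDATE_EMAIL) !== false;
    return [
        'input'     => $input,
        'valid'     => $valid,
        // Sanitization is skipped when validation fails, as in step 2/3 of the table.
        'sanitized' => $valid ? filter_var($input, FILTER_SANITIZE_EMAIL) : null,
        'output'    => $valid ? 'Accepted' : 'Invalid input',
    ];
}

/** Reversed order (sanitize, then validate), included only for comparison. */
function sanitizeThenValidate(string $input): array
{
    // FILTER_SANITIZE_EMAIL removes every character not permitted in an address.
    $sanitized = filter_var($input, FILTER_SANITIZE_EMAIL);
    return [
        'sanitized' => $sanitized,
        'valid'     => filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false,
    ];
}

// Constructed sample inputs (the first is the page's own example).
$samples = [
    "<script>alert('Hi')</script>", // fails validation; sanitizing yields "scriptalert'Hi'script", still not an email
    "user@example.com",             // well-formed address: passes, sanitized value is unchanged
    "us er@example.com",            // stray space: fails validation, but sanitize-first silently "repairs" it
];

foreach ($samples as $input) {
    $r = processInput($input);
    printf("%-30s validate-first: valid=%-5s sanitized=%-20s output=%s\n",
        $input, $r['valid'] ? 'true' : 'false', var_export($r['sanitized'], true), $r['output']);

    $s = sanitizeThenValidate($input);
    printf("%-30s sanitize-first: %s -> valid=%s\n\n",
        '', $s['sanitized'], $s['valid'] ? 'true' : 'false');
}
```

The third sample is the point of the comparison: sanitizing before validating turns input that should be rejected into input that passes, which is why the page insists on validating first.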
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the validation result at step 2?
A. True (valid email)
B. False (invalid email)
C. Not checked yet
D. Error occurred
💡 Hint: Check the 'Validation Result' column at step 2 in the execution table.

At which step does the program output 'Invalid input'?
A. Step 4
B. Step 1
C. Step 3
D. Step 5
💡 Hint: Look at the 'Output' column in the execution table to find where 'Invalid input' appears.

If the input were a valid email, what would happen next according to the concept flow?
A. The program would crash
B. The input would be rejected immediately
C. The input would be sanitized before use
D. No action would be taken
💡 Hint: Refer to the concept flow diagram, which shows validation followed by sanitization.
Concept Snapshot
Input validation checks if data meets rules (like format).
Sanitization cleans data to remove harmful parts.
Validate first, then sanitize.
Reject input if validation fails.
Use sanitized input safely in your program.
Full Transcript
This example shows how PHP handles input validation and sanitization. First, the program receives user input. It then checks if the input is a valid email address using validation. If the input is invalid, the program rejects it and outputs 'Invalid input'. If the input were valid, it would be sanitized to remove unsafe characters before use. This process helps keep programs safe by ensuring only good data is used. Validation is about correctness, sanitization is about safety. Both steps are important and happen in order.