How to Sanitize Form Input in PHP: Simple and Safe Methods
To sanitize form input in PHP, use filter_var() with appropriate filters such as FILTER_SANITIZE_STRING or FILTER_SANITIZE_EMAIL. Additionally, use htmlspecialchars() to convert special characters to HTML entities and prevent XSS attacks.
Syntax
Use filter_var() to sanitize input by specifying the variable and the filter type. Use htmlspecialchars() to convert special characters to safe HTML entities.
- filter_var($input, FILTER_SANITIZE_STRING): Removes tags and encodes special characters.
- filter_var($input, FILTER_SANITIZE_EMAIL): Removes illegal characters from an email address.
- htmlspecialchars($input, ENT_QUOTES, 'UTF-8'): Converts special characters to HTML entities, including quotes.

```php
<?php
// $input holds the raw value received from the form

// Sanitize a string input
$clean = filter_var($input, FILTER_SANITIZE_STRING);

// Sanitize an email input
$email = filter_var($input, FILTER_SANITIZE_EMAIL);

// Convert special characters to HTML entities
$safe = htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
?>
```
Example
This example shows how to sanitize a username and email from a form submission safely before using them.
```php
<?php
// Simulate form input
$_POST['username'] = "<b>John</b> & 'Doe'";
$_POST['email'] = "john.doe@example.com<script>alert('xss')</script>";

// Sanitize username (remove tags and encode special chars)
$username = filter_var($_POST['username'], FILTER_SANITIZE_STRING);

// Sanitize email (remove illegal characters)
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

// Further protect output with htmlspecialchars
$safe_username = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
$safe_email = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');

// Output sanitized values
echo "Username: " . $safe_username . "\n";
echo "Email: " . $safe_email . "\n";
?>
```
Output
Username: John & 'Doe'
Email: john.doe@example.comalert('xss')
Common Pitfalls
Common mistakes include trusting raw input without sanitizing, using FILTER_SANITIZE_STRING alone without encoding output, and not handling character encoding properly. Also, FILTER_SANITIZE_STRING is deprecated in PHP 8.1+, so use htmlspecialchars() for output escaping.
Never rely on sanitization alone for security; always validate input and use prepared statements for database queries.
```php
<?php
// Wrong way: trusting raw input
$user = $_POST['username'];
echo "Hello, $user"; // Risk of XSS

// Right way: escape on output
$user = htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8');
echo "Hello, $user"; // Safe output
?>
```
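The pitfalls above come down to one rule: validate on input, escape once at output, and keep data out of the SQL text. The following is an added example (not code from the original article) that puts those three steps together; it assumes PHP 8.x with the pdo_sqlite extension and uses constructed sample submissions.

```php
<?php
// Added example, not code from the original article: validate, escape at output,
// and store with a prepared statement. Assumes PHP 8.x with pdo_sqlite available.
declare(strict_types=1);

// Validation rejects bad input instead of silently stripping characters.
function validateUsername(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $raw) === 1 ? $raw : null;
}

function validateEmail(string $raw): ?string
{
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Escape exactly once, at output time, for the HTML context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Handle one submission: validate, store via prepared statement, return an HTML message.
function handleSignup(array $post, PDO $pdo): string
{
    $username = validateUsername($post['username'] ?? '');
    $email    = validateEmail($post['email'] ?? '');
    if ($username === null || $email === null) {
        // Echoing the rejected value is safe only because h() escapes it.
        return 'Rejected: ' . h($post['username'] ?? '') . ' / ' . h($post['email'] ?? '');
    }
    // Bound parameters are never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([':u' => $username, ':e' => $email]);
    return 'Saved: ' . h($username) . ' &lt;' . h($email) . '&gt;';
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed sample submissions: one hostile (as in the article), one legitimate.
$hostile = ['username' => "<b>John</b> & 'Doe'",
            'email'    => "john.doe@example.com<script>alert('xss')</script>"];
$valid   = ['username' => 'john_doe', 'email' => 'john.doe@example.com'];

echo handleSignup($hostile, $pdo), "\n";
echo handleSignup($valid, $pdo), "\n";
```

The hostile submission is rejected outright rather than "cleaned", which avoids the double-encoding seen when a sanitizing filter and htmlspecialchars() are both applied to the same value.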
Quick Reference
Use this quick guide to sanitize common input types:
| Input Type | Sanitization Method | Description |
|---|---|---|
| String | htmlspecialchars($input, ENT_QUOTES, 'UTF-8') | Convert special chars to HTML entities to prevent XSS |
| Email | filter_var($input, FILTER_SANITIZE_EMAIL) | Remove illegal email characters |
| URL | filter_var($input, FILTER_SANITIZE_URL) | Remove illegal URL characters |
| Integer | filter_var($input, FILTER_SANITIZE_NUMBER_INT) | Remove all characters except digits and signs |
| Float | filter_var($input, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION) | Remove all except digits, signs, and decimal point |
Key Takeaways
Always sanitize and escape form input to prevent security risks like XSS.
Use filter_var() with appropriate filters for basic sanitization.
Use htmlspecialchars() when outputting data to HTML to encode special characters.
Never trust raw user input; always validate and sanitize before use.
Sanitization is not a substitute for validation or using prepared statements.