PHP · How-To · Beginner

How to Sanitize Input in PHP: Simple and Safe Methods

To sanitize input in PHP, use filter_var() with a filter that matches the data, such as FILTER_SANITIZE_EMAIL for addresses or FILTER_SANITIZE_STRING for plain text. When user input is going to be shown inside HTML, pass it through htmlspecialchars() so that characters like < and " are converted to entities and any injected markup is rendered as text instead of being executed by the browser.

Syntax

PHP provides built-in functions to sanitize input safely:

  • filter_var($input, FILTER_SANITIZE_STRING): Strips HTML and PHP tags and HTML-encodes quote characters (deprecated as of PHP 8.1; prefer htmlspecialchars() at output time).
  • filter_var($input, FILTER_SANITIZE_EMAIL): Removes characters that are not permitted in an email address.
  • htmlspecialchars($input): Converts the HTML special characters &, <, >, " and (with ENT_QUOTES) ' to entities.
php
<?php
// Sample values (constructed for this snippet so it runs as-is)
$input = "<b>Hello</b> \"world\"";
$email = "user<>@example.com";
$html_input = "<script>alert('x');</script>";

// Sanitize a string: strips tags and encodes quotes (deprecated as of PHP 8.1)
$clean_string = filter_var($input, FILTER_SANITIZE_STRING);

// Sanitize an email: removes characters that are not allowed in an address
$clean_email = filter_var($email, FILTER_SANITIZE_EMAIL);

// Convert the HTML special characters (&, <, >, ", ') to entities for safe output
$safe_html = htmlspecialchars($html_input, ENT_QUOTES, 'UTF-8');
?>

Example

This example shows how to sanitize a user name, an email address, and a comment containing HTML before the data is used. Note that sanitizing the email only strips characters that can never appear in an address; it does not repair a malformed one.

php
<?php
// Raw user inputs
$user_name = "<b>John Doe</b>";
$user_email = "john.doe@@example.com";
$user_comment = "Hello <script>alert('hack');</script> world!";

// Sanitize inputs
// FILTER_SANITIZE_STRING strips the <b> tags (deprecated as of PHP 8.1)
$clean_name = filter_var($user_name, FILTER_SANITIZE_STRING);
// FILTER_SANITIZE_EMAIL keeps the doubled "@" because "@" is a legal
// character; use FILTER_VALIDATE_EMAIL to reject the address instead
$clean_email = filter_var($user_email, FILTER_SANITIZE_EMAIL);
// htmlspecialchars() turns < > ' into entities so the script tag is shown, not run
$safe_comment = htmlspecialchars($user_comment, ENT_QUOTES, 'UTF-8');

// Output sanitized data
echo "Name: $clean_name\n";
echo "Email: $clean_email\n";
echo "Comment: $safe_comment\n";
?>
Output
Name: John Doe
Email: john.doe@@example.com
Comment: Hello &lt;script&gt;alert(&#039;hack&#039;);&lt;/script&gt; world!

Common Pitfalls

Common mistakes when sanitizing input include:

  • Relying on FILTER_SANITIZE_STRING as a security control: it only strips tags and encodes quotes, it does not prevent all attacks, and it is deprecated as of PHP 8.1.
  • Not encoding HTML special characters when outputting user input, which leads to cross-site scripting (XSS).
  • Confusing sanitizing with validating: sanitizing alters data to remove unwanted characters, while validating checks whether the data meets your rules and rejects it if not.

Always sanitize input before use and validate data according to your needs.

php
<?php
// Sample value (constructed so the snippet runs as-is)
$user_comment = "Hello <script>alert('hack');</script> world!";

// Wrong: echoing raw input sends the <script> tag to the browser unchanged
// echo "User comment: " . $user_comment; // Unsafe

// Right: encode special characters at the point of output
echo "User comment: " . htmlspecialchars($user_comment, ENT_QUOTES, 'UTF-8') . "\n";
?>
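The following added example (not part of the original article) puts the pitfalls together: it validates the submitted fields first, rejecting the doubled-"@" address that FILTER_SANITIZE_EMAIL would let through, and encodes the accepted values only when they are rendered into HTML. The $submissions array is constructed sample data standing in for $_POST; the validate() and h() helpers are hypothetical names chosen for this snippet.

```php
<?php
declare(strict_types=1);

// Constructed sample submissions standing in for $_POST (hypothetical data).
$submissions = [
    ['name' => '<b>John Doe</b>', 'email' => 'john.doe@@example.com',
     'comment' => "Hello <script>alert('hack');</script> world!"],
    ['name' => 'Jane "JD" O\'Neil', 'email' => 'jane@example.com',
     'comment' => 'Likes <3 PHP & security'],
];

// Validate first: reject data that breaks the rules instead of silently "cleaning" it.
// FILTER_SANITIZE_EMAIL would keep the doubled "@" (it is a legal character);
// only FILTER_VALIDATE_EMAIL actually rejects the address.
function validate(array $in): array
{
    $errors = [];
    $name = trim($in['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'name must be 1-100 characters';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email address is not valid';
    }
    return $errors;
}

// Encode at output time for the HTML body/attribute context. Storing the raw
// value and encoding on output is what stops stored XSS; it also replaces
// FILTER_SANITIZE_STRING, which is deprecated as of PHP 8.1.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

foreach ($submissions as $i => $in) {
    $errors = validate($in);
    if ($errors !== []) {
        echo "Submission $i rejected: " . implode('; ', $errors) . "\n";
        continue;
    }
    // The raw $in would go to storage unchanged; only the rendered copy is encoded.
    $name = h(trim($in['name']));
    echo '<p class="name" title="' . $name . '">' . $name . "</p>\n";
    echo '<p class="comment">' . h($in['comment']) . "</p>\n";
}
```

The first submission is rejected on its email address, so the <script> tag in its comment never reaches a page; the second is rendered with its quotes, < and & converted to entities.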

Quick Reference

Use this quick guide to choose the right sanitizing function:

| Function | Purpose | Example Usage |
|---|---|---|
| filter_var | Sanitize strings, emails, URLs, etc. | filter_var($input, FILTER_SANITIZE_STRING) |
| htmlspecialchars | Convert special HTML characters to entities | htmlspecialchars($input, ENT_QUOTES, 'UTF-8') |
| trim | Remove whitespace from the start and end | trim($input) |
| strip_tags | Remove HTML and PHP tags | strip_tags($input) |

Key Takeaways

  • Always sanitize user input using PHP functions like filter_var and htmlspecialchars before processing.
  • Use htmlspecialchars to safely display user input containing HTML special characters.
  • Sanitizing cleans data; validating checks whether data meets your rules. Use both as needed.
  • Avoid trusting raw input directly to prevent security risks like XSS and injection attacks.
  • Use trim and strip_tags to clean input further when appropriate.