
Sanitize and Validate Data With PHP Filters


Data validation is an integral part of working with forms. Not only can invalid submitted data lead to security problems, but it can also break your webpage. Today, we'll take a look at how to remove illegal characters and validate data by using the filter_var function.

Importance of Data Sanitization

Data sanitization is important to prevent security vulnerabilities such as SQL injection, cross-site scripting (XSS), and other malicious attacks. It ensures that user input data is cleaned and validated before being processed by the application.

Here are a couple of reasons why you must opt for data sanitization in PHP:

Prevents SQL Injection

One of the most significant security threats to web applications is SQL injection. Malicious users use SQL injection to gain unauthorized access to the database or manipulate data. By sanitizing user input data, developers can prevent such SQL injection attacks.

Protection Against XSS (Cross-Site Scripting) Attacks

Cross-site scripting (XSS) is another major security vulnerability in web applications. These kinds of attacks allow hackers to easily inject malicious scripts into webpages and steal sensitive user data such as cookies. By sanitizing user input data, developers can prevent XSS attacks.

Data Sanitization

Data sanitization ensures that the data entered by users is accurate and consistent. It helps to remove any unwanted characters or tags that may cause errors and lead to inconsistent data.

Example Without Data Sanitization

Let's quickly look at an example with malicious user input.

Suppose we have a login form on a website where users can enter their username and password to access their account. The PHP code might look something like this:

...
...
// Check if the username and password are valid
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($conn, $sql);
...
...

In the above code, the user's input is used to prepare an SQL query which checks if the username and password entered by the user match a valid user in the database.

However, if the hacker enters a malicious input like this:

' OR '1'='1

The resulting SQL statement would be like this:

SELECT * FROM users WHERE username='' OR '1'='1' AND password='';

As you can see, the query will always evaluate to TRUE, which means that the SQL query will return all users in the database, effectively giving the hacker access to all user accounts.

This is just one example of how malicious input can compromise the security of your application. Thus, it's really important to sanitize and validate users' input to prevent such attacks.
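The hardened counterpart of the login snippet above, as an added example that is not part of the original tutorial: a prepared statement binds the submitted username as a value, so the payload from the text cannot change the structure of the query. It assumes an open mysqli connection (placeholder credentials below) and that the users.password column holds a password_hash() digest rather than a plaintext password.

```php
<?php
// Added example, not code from the original tutorial.
// Assumptions: placeholder credentials, and users.password stores a password_hash() digest.
$conn = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');

function authenticate(mysqli $conn, string $username, string $password): bool
{
    // The "?" belongs to the query structure; the username travels separately as data,
    // so quotes or SQL keywords inside it are never parsed as part of the statement.
    $stmt = $conn->prepare('SELECT password FROM users WHERE username = ? LIMIT 1');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found) {
        return false; // no such user
    }

    // Compare in PHP against the stored hash instead of matching a plaintext password in SQL.
    return password_verify($password, (string) $storedHash);
}

// With the payload from the text, the bound value is looked up as a literal username:
// it is not interpreted as SQL, so the "always true" condition from the example never arises.
$authenticated = authenticate($conn, "' OR '1'='1", 'anything');
```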

Why Developers Tend to Skip Data Sanitization

Most people tend to think of data validation as an immensely tedious process where one:

  • compares the data they want to validate against every possible combination they can think of
  • tries to find a golden regular expression that will match every possible combination
  • or a combination of the two

There are obvious problems with the above:

  • it's very time-consuming
  • there is a very high chance of error

Fortunately, with the latest versions of PHP, there's a function called filter_var which takes away the pain of data validation. 

Syntax of the filter_var Function

In PHP, the filter_var() function is a really powerful tool for sanitizing and validating user input. It is used to filter a variable with a specified filter, which can be one of the many predefined filters. In fact, you could use a custom filter as well, with the help of a callback function.

Let's quickly go through the syntax of the filter_var function.

filter_var( mixed $value, int $filter = FILTER_DEFAULT, array|int $options = 0 ): mixed
  • $value: the variable which you want to filter.
  • $filter: the ID of the filter which you want to apply to $value. It can be any of the predefined filters that are available in PHP, or your custom filter.
  • $options: an optional parameter which is used to specify additional options or flags for the filter which is being applied. It depends on the specific filter which you're using.

The filter_var() function returns the filtered value if the filter is successful, or FALSE if the filter fails.

How to Sanitize Using the filter_var Function

In this section, we'll discuss how you can sanitize data using the filter_var function.

How to Sanitize the Email

The FILTER_SANITIZE_EMAIL filter is used to remove any illegal characters from an email address. It's useful for sanitizing user input before it is stored or displayed.

Let's have a look at the following example:

$email = "test@example.com<script>alert('hello')</script>";
$sanitizedEmail = filter_var($email, FILTER_SANITIZE_EMAIL);

In the above example, the $email variable contains an email address with a malicious script injected into it. The filter_var() function is used with the FILTER_SANITIZE_EMAIL filter to remove any illegal characters from the email address. Thus, the resulting sanitized email address is stored in the $sanitizedEmail variable. If you try to print it using echo, the script tag and its contents should have been removed, leaving only the valid email address.

How to Sanitize the URL

The FILTER_SANITIZE_URL filter is used to remove any illegal characters from a URL. This filter is useful for sanitizing user input before it is stored or displayed.

Let's have a look at the following example:

$url = "https://www.example.com/?q=<script>alert('hello')</script>";
$sanitizedUrl = filter_var($url, FILTER_SANITIZE_URL);

In this example, the $url variable contains a URL with a malicious script injected into the query string. The filter_var() function is used with the FILTER_SANITIZE_URL filter to remove any illegal characters from the URL. The resulting sanitized URL is then stored in the $sanitizedUrl variable. When the sanitized URL is printed using echo, the script tag and its contents should have been removed.
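The two inputs from the email and URL sections, run through sanitize and then validate, as an added example that is not part of the original tutorial. It shows what each sanitizing filter actually strips: FILTER_SANITIZE_EMAIL removes only characters outside the e-mail alphabet (the angle brackets, parentheses and slash go, the letters of the script stay), and FILTER_SANITIZE_URL permits "<" and ">", so neither filter is an XSS defence on its own; validation and output escaping do that work.

```php
<?php
// Added example, not code from the original tutorial.
function cleanEmail(string $raw): ?string
{
    // Sanitizing "test@example.com<script>alert('hello')</script>" leaves
    // "test@example.comscriptalert'hello'script": junk, but no longer a tag.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    // Validation returns the value on success and false on failure; the apostrophe
    // in the domain part makes this one fail.
    $valid = filter_var($sanitized, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

function cleanUrl(string $raw): ?string
{
    // FILTER_SANITIZE_URL allows "<" and ">", so the URL from the text comes back unchanged.
    $sanitized = filter_var($raw, FILTER_SANITIZE_URL);
    // FILTER_VALIDATE_URL checks scheme and host, not the meaning of the query string.
    $valid = filter_var($sanitized, FILTER_VALIDATE_URL);
    return $valid === false ? null : $valid;
}

// Constructed inputs, taken from the two examples in the text.
$inputs = [
    'email' => "test@example.com<script>alert('hello')</script>",
    'url'   => "https://www.example.com/?q=<script>alert('hello')</script>",
];

$results = [
    'email' => cleanEmail($inputs['email']),
    'url'   => cleanUrl($inputs['url']),
];

// Whatever survives filtering is still untrusted text for an HTML page:
// escape it at the point of output, never rely on the sanitizer for that.
foreach ($results as $field => $value) {
    $shown = $value === null ? '(rejected)' : htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    echo $field, ': ', $shown, PHP_EOL;
}
```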

How to Validate Using the filter_var Function

In this section, we'll discuss how you can validate data using the filter_var function.

How to Validate the IP Address

Let's have a look at the following example.

$ip = "127.0.0.1";

if (filter_var($ip, FILTER_VALIDATE_IP)) {
  // Valid IP address
} else {
  // Invalid IP address
}

In the above example, the FILTER_VALIDATE_IP filter is used to check if the $ip variable contains a valid IP address.

How to Validate the Integer

Let's have a look at the following example.

$foo = "123";

// Compare against false: a valid "0" is returned as the integer 0,
// which a plain truthiness test would wrongly treat as invalid.
if (filter_var($foo, FILTER_VALIDATE_INT) !== false) {
  // Valid integer
} else {
  // Invalid integer
}

In the above example, the FILTER_VALIDATE_INT filter is used to check if the $foo variable contains a valid integer.
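The validating filters with their options and flags, plus the custom filter mentioned in the syntax section, as an added example that is not part of the original tutorial. It goes a step beyond the two snippets above: a range-checked integer (with FILTER_NULL_ON_FAILURE so a valid "0" cannot be mistaken for failure), an IP check that rejects private and reserved ranges, and a FILTER_CALLBACK filter; the sample values and the username rule are constructed for this illustration.

```php
<?php
// Added example, not code from the original tutorial.

// A port number: FILTER_VALIDATE_INT with a range, returning null on failure
// instead of false, so "0" is rejected by the range and not by a truthiness test.
function validatePort(string $raw): ?int
{
    return filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 65535],
        'flags'   => FILTER_NULL_ON_FAILURE,
    ]);
}

// A public IP address: the plain FILTER_VALIDATE_IP check above accepts 127.0.0.1
// and 10.x.x.x; these flags reject loopback, link-local and private ranges.
function validatePublicIp(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    return $ip === false ? null : $ip;
}

// A custom rule through FILTER_CALLBACK: the callback's return value becomes the
// result of filter_var(), so returning null signals rejection (constructed rule).
function validateUsername(string $raw): ?string
{
    return filter_var($raw, FILTER_CALLBACK, [
        'options' => function (string $v): ?string {
            return preg_match('/\A[a-z0-9_]{3,32}\z/', $v) === 1 ? $v : null;
        },
    ]);
}

// Constructed sample values: an out-of-range port, a loopback address and a
// username carrying markup are all rejected; the ordinary values pass.
foreach (['0', '8080'] as $port) {
    var_dump(validatePort($port));
}
foreach (['127.0.0.1', '203.0.113.5'] as $ip) {
    var_dump(validatePublicIp($ip));
}
foreach (['alice_01', 'alice<script>'] as $name) {
    var_dump(validateUsername($name));
}
```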

Putting It All Together: An Email Submit Form

After covering the concepts of data sanitization and validation, we will use these skills to create a simple email submission form. Although the form will not be of production quality, as an example it should be sufficient for this tutorial. The form will require four pieces of information:

  • name
  • email address
  • home page
  • message

We will sanitize and validate all four pieces of data and send the email only if all of them are valid. If anything is invalid or any field is left blank, we will present the form to the user with a list of items that need to be fixed. We will also return the sanitized data to the user in case they are unaware of which characters are illegal.

Step 1. Creating the Form

For the first step, simply create a form element with five fields: the four listed above and a submit button.

<form name="form1" method="post" action="form-email.php">
    <!-- Submitted values are echoed back through htmlspecialchars() so a quote or "<" in the
         input cannot break out of the attribute; the ?? '' avoids a notice on the first visit. -->
    Name: <br/>
    <input type="text" name="name" value="<?php echo htmlspecialchars($_POST['name'] ?? ''); ?>" size="50" /><br/><br/>
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? ''); ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? ''); ?>" size="50" /> <br/><br/>
    Message: <br/>
    <textarea name="message" rows="5" cols="50"><?php echo htmlspecialchars($_POST['message'] ?? ''); ?></textarea>
    <br/>
    <input type="submit" name="Submit" />
</form>

Step 2. Handle the Form Submission

When the form is submitted, the data is sent to the form-email.php file.

Let's create the form-email.php file with the following contents.

<?php
    $errors = '';   // initialise, so the .= below never appends to an undefined variable

    if (isset($_POST['Submit'])) {

        if ($_POST['name'] != "") {
            // strips tags from the name; note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1
            $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
            if ($_POST['name'] == "") {
                $errors .= 'Please enter a valid name.<br/><br/>';
            }
        } else {
            $errors .= 'Please enter your name.<br/>';
        }

        if ($_POST['email'] != "") {
            $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
            $_POST['email'] = $email;   // keep the sanitized value for the mail body and the redisplayed form
            if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                // the echoed value is still user input, so escape it for HTML
                $errors .= htmlspecialchars($email) . " is <strong>NOT</strong> a valid email address.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your email address.<br/>';
        }

        if ($_POST['homepage'] != "") {
            $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
            $_POST['homepage'] = $homepage;
            if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
                // FILTER_SANITIZE_URL keeps "<" and ">", so escaping here is essential
                $errors .= htmlspecialchars($homepage) . " is <strong>NOT</strong> a valid URL.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your home page.<br/>';
        }

        if ($_POST['message'] != "") {
            $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
            if ($_POST['message'] == "") {
                $errors .= 'Please enter a message to send.<br/>';
            }
        } else {
            $errors .= 'Please enter a message to send.<br/>';
        }

First, we check if the form has been submitted using the isset() function. If the form has been submitted, the validation and sanitization code is executed. We check each form field to see if it has been filled in, and if it has, we sanitize it with the appropriate filter via filter_var(). If the user input is invalid or empty, the corresponding error message is appended to the $errors variable.

        if (!$errors) {
            $mail_to = 'me@somewhere.com';
            $subject = 'New Mail from Form Submission';
            $message  = 'From: ' . $_POST['name'] . "\n";
            $message .= 'Email: ' . $_POST['email'] . "\n";
            $message .= 'Homepage: ' . $_POST['homepage'] . "\n";
            $message .= "Message:\n" . $_POST['message'] . "\n\n";
            // mail() returns false if the message could not be handed to the mail transport
            if (mail($mail_to, $subject, $message)) {
                echo "Thank you for your email!<br/><br/>";
            } else {
                echo "Sorry, your email could not be sent.<br/><br/>";
            }
        } else {
            echo '<div style="color: red">' . $errors . '<br/></div>';
        }
    }
?>

If there are no errors, an email is sent using the mail() function with the sanitized user input data. Finally, the code displays a thank-you message if the email is sent successfully, otherwise it displays the error message(s) if there were any errors.

Conclusion

I hope that this tutorial has given you a good introduction to PHP's data filtering features. Although we haven't covered all the rules and functions, you can find more information in the Data Filtering section of the PHP manual.

The thumbnail for this post was generated with OpenAI's DALL-E 2.
