PHP Form Validation and Sanitization

11/21/2025

PHP Form Validation and Sanitization: A Complete Guide for Beginners

When building web applications, accepting user input through forms is common, but raw user input is neither safe nor guaranteed to be correct. That is why form validation and sanitization are critical in PHP development.

This guide covers:

  • What form validation is

  • What sanitization means

  • How to validate and sanitize PHP form input

  • Developer examples with $_POST, filter_var(), and htmlspecialchars()


What is Form Validation?

Form validation checks whether user input is:

  • Present (required fields)

  • In correct format (email, number, etc.)

  • Within a specific length or range

Even if you use JavaScript for client-side validation, server-side validation in PHP is mandatory, because anything that runs in the browser can be skipped or altered by the client before the request reaches your server.

Common validation rules include:

  • Name is required

  • Email must be in valid format

  • Password must meet minimum length

  • Age must be numeric


What is Sanitization?

Sanitization cleans user input to remove harmful or unnecessary characters.

Sanitization prevents:

  • HTML injection

  • JavaScript/XSS attacks

  • Broken page rendering

Sanitization examples:

  • Removing tags

  • Trimming spaces

  • Escaping special characters


Basic HTML Form

form.html

<!DOCTYPE html>
<html>
<head>
  <title>PHP Form Validation</title>
</head>
<body>

<h2>Contact Form</h2>
<form action="process.php" method="POST">
  <label>Name:</label><br>
  <input type="text" name="name"><br><br>

  <label>Email:</label><br>
  <input type="text" name="email"><br><br>

  <label>Message:</label><br>
  <textarea name="message"></textarea><br><br>

  <button type="submit">Submit</button>
</form>

</body>
</html>

Step 1: Basic Validation in PHP

process.php

<?php
if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $errors = [];

    // Validate Name
    if (empty($_POST['name'])) {
        $errors[] = "Name is required.";
    }

    // Validate Email
    if (empty($_POST['email'])) {
        $errors[] = "Email is required.";
    } elseif (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
        $errors[] = "Invalid email format.";
    }

    // Validate Message
    // strlen() counts bytes, not characters; for multibyte (UTF-8) text use
    // mb_strlen() if the limit is meant in characters.
    if (empty($_POST['message'])) {
        $errors[] = "Message is required.";
    } elseif (strlen($_POST['message']) < 10) {
        $errors[] = "Message must be at least 10 characters long.";
    }

    if (!empty($errors)) {
        echo "<h3>Form Errors:</h3>";
        foreach ($errors as $error) {
            echo "<p>$error</p>";
        }
        exit;
    }

    echo "<h3>Validation successful!</h3>";
}
?>

Step 2: Sanitizing User Input

Sanitization Helper Function

<?php
function clean_input($data) {
    $data = trim($data);            // drop surrounding whitespace
    $data = stripslashes($data);    // legacy of magic_quotes (removed in PHP 5.4); also deletes backslashes the user typed
    // ENT_QUOTES escapes single quotes as well, so the value is also safe inside quoted attributes
    $data = htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return $data;
}

Applying Validation + Sanitization

<?php
// clean_input() from the helper above must be defined (or included) in this file.
if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $errors = [];

    // Name
    if (empty($_POST['name'])) {
        $errors[] = "Name is required.";
    } else {
        $name = clean_input($_POST['name']);
    }

    // Email
    if (empty($_POST['email'])) {
        $errors[] = "Email is required.";
    } else {
        $email = clean_input($_POST['email']);
        // Note: clean_input() has already HTML-escaped the value, so an address
        // containing ' or & is altered before filter_var() sees it and gets rejected.
        if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
            $errors[] = "Invalid email format.";
        }
    }

    // Message
    if (empty($_POST['message'])) {
        $errors[] = "Message is required.";
    } else {
        $message = clean_input($_POST['message']);
    }

    if (!empty($errors)) {
        echo "<h3>Form Errors:</h3>";
        foreach ($errors as $error) {
            echo "<p>$error</p>";
        }
        exit;
    }

    echo "<h3>Form Submitted Successfully!</h3>";
    echo "Name: $name<br>";
    echo "Email: $email<br>";
    echo "Message: " . nl2br($message);
}
?>
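The following is an added example, not code from the article: it validates each field against the raw submitted value, keeps the validated data unescaped, and escapes only at output time with ENT_QUOTES and an explicit charset, which avoids the ordering problem where htmlspecialchars() alters an address before filter_var() checks it. The age field with its 13 to 120 range, the sample submission, and the field() and e() helpers are assumptions made for illustration; mb_strlen() needs the mbstring extension.

```php
<?php
// Fetch a form field as a trimmed string. A client can submit name[]=x,
// which makes $_POST['name'] an array; treat that as an empty value.
function field(array $in, string $key): string {
    $v = $in[$key] ?? '';
    return is_string($v) ? trim($v) : '';
}

// Escape a value for output inside HTML text or a quoted attribute.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate a submission and return [$clean, $errors]. $clean keeps the
// values as typed (not HTML-escaped); escape with e() only when echoing.
function validate_contact(array $in): array {
    $clean = $errors = [];
    $name = field($in, 'name');
    if ($name === '') {
        $errors['name'] = 'Name is required.';
    } elseif (mb_strlen($name) > 100) {           // characters, not bytes
        $errors['name'] = 'Name must be at most 100 characters.';
    } else {
        $clean['name'] = $name;
    }
    // Validate the raw address: escaping first would turn the valid
    // o'brien@example.com into o&#039;brien@example.com and reject it.
    $email = filter_var(field($in, 'email'), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Invalid email format.';
    } else {
        $clean['email'] = $email;
    }
    // Numeric range check using the filter's own options (assumed range 13..120).
    $age = filter_var(field($in, 'age'), FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number from 13 to 120.';
    } else {
        $clean['age'] = $age;
    }
    return [$clean, $errors];
}

// Constructed sample submission standing in for $_POST.
[$clean, $errors] = validate_contact(
    ['name' => ' Ada <b>Lovelace</b> ', 'email' => "o'brien@example.com", 'age' => '36']);
foreach ($errors as $msg) { echo '<p>' . e($msg) . "</p>\n"; }
if (!$errors) echo 'Name: ' . e($clean['name']) . "<br>\n";
```

Storing the unescaped $clean values and escaping at output keeps the data usable in other contexts (email, JSON, a database column) without double-escaping.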

Using filter_var() for Strong Validation

The FILTER_SANITIZE_* filters strip characters that are not allowed in the target type, but they do not confirm that the value is valid, so pair them with the matching FILTER_VALIDATE_* filter.

Email Example

$email_raw = $_POST['email'] ?? '';
// Removes characters that cannot appear in an address; does not validate it.
$email_sanitized = filter_var($email_raw, FILTER_SANITIZE_EMAIL);

URL Example

$url_raw = $_POST['website'] ?? '';
// Removes characters that cannot appear in a URL; does not validate it.
$url_sanitized = filter_var($url_raw, FILTER_SANITIZE_URL);

Best Practices for Secure PHP Forms

  • Always validate on the server

  • Sanitize before storing or echoing data

  • Use specific filter_var() filters

  • Hash passwords using password_hash()

  • Never trust user input


Conclusion

Form validation and sanitization are essential for building secure and reliable PHP applications. By enforcing validation rules and cleaning user input, you protect your website from invalid data and security threats.
