How to validate and sanitize user input with PHP?


Let's take a look at an example of SQL injection to clarify things. Suppose an attacker enters `105 OR 1 = 1` in the UserId input field and submits the form. The condition `1 = 1` is always true, so the SQL command executed after clicking the Submit button becomes
SELECT * FROM registration WHERE UserId = 105 OR 1 = 1; 
This command is syntactically correct, so the MySQL server will execute it and return every row, not only the one with UserId 105. If the registration table holds sensitive information such as credit card details or passwords, the attacker obtains it for all registered users with a single input. Validating and sanitizing user data before it is used is therefore required. Validation is a first line of defence, not the fix for SQL injection itself: the query must be built with prepared statements and bound parameters (PDO or MySQLi) so that user input is never spliced into the SQL text.
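The following is an added example, not code from the original article. It builds the injectable query described above against an in-memory SQLite database (assuming the pdo_sqlite extension is available) and then shows the parameterized query that stops the attack. The table contents and the attacker input are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): the injectable query next to
// a parameterized version. Assumes the pdo_sqlite extension so the script runs
// against an in-memory database; the rows below are constructed sample data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE registration (UserId INTEGER PRIMARY KEY, Name TEXT, Password TEXT)');
$db->exec("INSERT INTO registration VALUES (105, 'alice', 'hunter2'), (106, 'bob', 'secret'), (107, 'carol', 'pa55')");

// Constructed attacker input for the UserId field.
$userInput = '105 OR 1 = 1';

// VULNERABLE: the input is pasted into the SQL text, so the attacker's
// "OR 1 = 1" becomes part of the query and the WHERE clause matches every row.
$vulnerableSql = 'SELECT * FROM registration WHERE UserId = ' . $userInput;
echo $vulnerableSql, "\n";
$rows = $db->query($vulnerableSql)->fetchAll(PDO::FETCH_ASSOC);
echo 'vulnerable query returned ', count($rows), " rows\n";

// FIXED: validate the type first, then bind the value as a parameter.
// A bound parameter is sent as data and is never parsed as SQL.
$userId = filter_var($userInput, FILTER_VALIDATE_INT);
if ($userId === false) {
    echo "rejected: UserId must be an integer\n";
} else {
    $stmt = $db->prepare('SELECT * FROM registration WHERE UserId = :id');
    $stmt->bindValue(':id', $userId, PDO::PARAM_INT);
    $stmt->execute();
    echo 'parameterized query returned ', count($stmt->fetchAll(PDO::FETCH_ASSOC)), " rows\n";
}

// Even without the validation step, binding keeps the attacker string from
// changing the shape of the query: it is compared as a literal value and
// matches no UserId.
$stmt = $db->prepare('SELECT * FROM registration WHERE UserId = :id');
$stmt->bindValue(':id', $userInput, PDO::PARAM_STR);
$stmt->execute();
echo 'bound attacker string returned ', count($stmt->fetchAll(PDO::FETCH_ASSOC)), " rows\n";
```

Run it with `php example.php`. The vulnerable branch prints the exact statement shown above and returns the whole table; the validated and bound branch rejects the input, and the bound-but-unvalidated branch shows that parameter binding alone already neutralises the injection, which is why validation and prepared statements are used together rather than one in place of the other.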
The filter_var() function is used for this purpose. It usually takes two parameters: the first is the variable to be checked, the second the type of validation or sanitization to apply. An optional third parameter carries flags or options. Validation filters return the filtered value on success and false on failure; sanitization filters return the cleaned string. Let's take a look at some of the filter types along with examples:
  • String cleanup - FILTER_SANITIZE_STRING: this filter strips all HTML tags from the string, so a tag supplied in a form field is not stored in the database.
    <?php
    $engineer = "<h1>GeeksforGeeks Portal</h1>";
    $newengineer = filter_var($engineer, FILTER_SANITIZE_STRING);
    echo $newengineer;
    ?>
    Output:
    GeeksforGeeks Portal 
    Code explanation:
    The variable $engineer stores the title "GeeksforGeeks Portal" wrapped in an <h1> tag. It is passed through FILTER_SANITIZE_STRING and the result is stored in $newengineer. The output is "GeeksforGeeks Portal" because the filter removed the <h1> and </h1> tags. Note that FILTER_SANITIZE_STRING is deprecated as of PHP 8.1: for new code, store the raw value and escape it at the point of output with htmlspecialchars(), or use strip_tags() if tags really must be removed on input.
  • IP address validation - FILTER_VALIDATE_IP: this filter checks whether a string is a valid IPv4 or IPv6 address.
    <?php
    $ipaddr = "126.0.0.5";
    if (filter_var($ipaddr, FILTER_VALIDATE_IP) !== false) {
        echo("Valid IP-address");
    } else {
        echo("Invalid IP-address");
    }
    ?>
    Output:
    Valid IP-address 
    Code explanation:
    The address stored in $ipaddr is well-formed, so the output is "Valid IP-address". If "126.2.5" were stored instead, the output would be "Invalid IP-address", because that value has only three octets and does not follow the IPv4 address format. The filter checks syntax only; the flags FILTER_FLAG_IPV4, FILTER_FLAG_IPV6, FILTER_FLAG_NO_PRIV_RANGE and FILTER_FLAG_NO_RES_RANGE narrow the accepted range when, for example, private addresses must be rejected.
  • Integer validation - FILTER_VALIDATE_INT: this filter checks whether a value is an integer (or a string holding one) and returns it as an int, or false otherwise.
    <?php
    $num = 500;
    if (filter_var($num, FILTER_VALIDATE_INT) !== false) {
        echo("Valid");
    } else {
        echo("Invalid");
    }
    ?>
    Output:
    Valid 
    Code explanation:
    The code prints "Valid" if $num passes the integer check and "Invalid" otherwise; 500 is an integer, so the output is "Valid". Compare the result with !== false rather than writing !filter_var(...) === false: the ! operator binds before ===, so that form evaluates (!filter_var(...)) === false and wrongly reports the valid integer 0 as "Invalid". The min_range and max_range options restrict the accepted range.
  • Email validation - FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL: the sanitize filter first removes characters that cannot appear in an e-mail address, and the validate filter then checks whether the result is in a valid format.
    <?php
    $em = "[email protected] ";
    // Remove invalid characters
    $em = filter_var($em, FILTER_SANITIZE_EMAIL);
    // Validate the cleaned address
    if (filter_var($em, FILTER_VALIDATE_EMAIL) !== false) {
        echo("$em is valid");
    } else {
        echo("$em is invalid");
    }
    ?>
    Output:
    [email protected] is valid 
    Code explanation:
    The address stored in $em is first sanitized to remove characters that are not allowed in an e-mail address, such as / > < ( ) and whitespace (the trailing space in the example is dropped here). The cleaned value is then checked against the e-mail address syntax and the result is printed. A syntactically valid address is not necessarily deliverable or owned by the user; only a verification e-mail establishes that.
  • URL validation - FILTER_SANITIZE_URL and FILTER_VALIDATE_URL: like the e-mail filters, the sanitize filter first removes characters that cannot appear in a URL, and the validate filter then checks whether the result is a well-formed URL.
    <?php
    $url = "https://www.engineerforengineer.com";
    // URL sanitizer
    $url = filter_var($url, FILTER_SANITIZE_URL);
    // URL validator
    if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
        echo("$url is valid");
    } else {
        echo("$url is invalid");
    }
    ?>
    Output:
    https://www.engineerforengineer.com is valid 
    Code explanation:
    The URL stored in $url is first sanitized to remove characters that are not allowed in a URL, then checked for a valid URL format. FILTER_VALIDATE_URL tests syntax only: it does not restrict the scheme to http or https and does not check that the host exists, so a value that will be used for a redirect or fetched by the server also needs an explicit scheme allowlist and host check (parse_url() is sufficient for that).
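As an added example that is not part of the original article, the helper functions below apply the filters discussed above with the `!== false` comparison, add the range and scheme checks the snippets leave out, and replace the deprecated FILTER_SANITIZE_STRING with escaping at output time. The function names and all sample inputs, including the e-mail address, are constructed for this example.

```php
<?php
// Added example (not from the original article): a small validator built on
// filter_var(). Function names and sample inputs are constructed for illustration.
declare(strict_types=1);

// Integer: compare with !== false, because `!filter_var(...) === false` parses
// as `(!filter_var(...)) === false` and rejects the valid integer 0.
function valid_int(mixed $v, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
{
    $r = filter_var($v, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $r === false ? null : $r;
}

// IP: optionally reject private and reserved ranges, which matters when the
// address feeds an allowlist or a server-side request.
function valid_ip(string $v, bool $publicOnly = false): ?string
{
    $flags = FILTER_FLAG_IPV4 | FILTER_FLAG_IPV6;
    if ($publicOnly) {
        $flags |= FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    }
    $r = filter_var($v, FILTER_VALIDATE_IP, $flags);
    return $r === false ? null : $r;
}

// Email: sanitize first (as the article does), then validate the result.
function valid_email(string $v): ?string
{
    $clean = filter_var(trim($v), FILTER_SANITIZE_EMAIL);
    $r = filter_var($clean, FILTER_VALIDATE_EMAIL);
    return $r === false ? null : $r;
}

// URL: FILTER_VALIDATE_URL checks syntax only, so additionally require a host
// and a scheme from an allowlist before using the value for a redirect or fetch.
function valid_url(string $v, array $schemes = ['http', 'https']): ?string
{
    $r = filter_var(trim($v), FILTER_VALIDATE_URL);
    if ($r === false) {
        return null;
    }
    $parts = parse_url($r);
    if (!isset($parts['scheme'], $parts['host']) || !in_array(strtolower($parts['scheme']), $schemes, true)) {
        return null;
    }
    return $r;
}

// Output encoding replaces FILTER_SANITIZE_STRING (deprecated in PHP 8.1):
// keep the stored value intact and escape it where it is rendered as HTML.
function html_safe(string $v): string
{
    return htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs covering the edge cases discussed in the text.
$cases = [
    ['int',   '0'],                                   // valid; the !...=== false form rejects it
    ['int',   '105 OR 1 = 1'],                        // the injection payload, rejected
    ['ip',    '126.0.0.5'],
    ['ip',    '126.2.5'],                             // three octets, rejected
    ['ip',    '10.0.0.1'],                            // well-formed but private
    ['email', ' user@example.com '],                  // surrounding whitespace removed
    ['url',   'https://www.engineerforengineer.com'],
    ['url',   'ftp://example.invalid/file'],          // well-formed, scheme not allowed
    ['html',  '<h1>GeeksforGeeks Portal</h1>'],       // escaped, not stripped
];
foreach ($cases as [$kind, $value]) {
    $result = match ($kind) {
        'int'   => valid_int($value),
        'ip'    => valid_ip($value, true),
        'email' => valid_email($value),
        'url'   => valid_url($value),
        'html'  => html_safe($value),
    };
    printf("%-5s %-40s => %s\n", $kind, $value, var_export($result, true));
}
```

Each helper returns null on rejection and the typed value on success, so callers cannot confuse a falsy-but-valid value such as 0 with a failure. The `html_safe()` function deliberately escapes rather than strips: the original text is preserved for storage and logging, and the escaping is applied only where the value is placed into an HTML page.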