
How to validate and sanitize user input with PHP?

Let’s take a look at an example of SQL injection to clarify things. Suppose an attacker enters "5 = 5" in the Username input field and submits the form. The condition "5 = 5" is always true, so the SQL command executed after clicking the Submit button becomes
    SELECT * FROM registration WHERE UserId = 105 OR 1 = 1;
This SQL command is syntactically valid, so the MySQL server executes it, and because the OR condition is always true it matches every row. If the registration table holds sensitive information such as credit card details or passwords, an attacker obtains the records of all registered users simply by typing "5 = 5" in the username input field. To prevent this, user data must be validated and sanitized:
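The following is an added example, not code from the original article: it puts the concatenated query from the text beside a parameterised version built with PDO prepared statements, and validates the UserId with filter_var before binding it. It uses an in-memory SQLite database (the pdo_sqlite extension is assumed to be available) so it runs stand-alone; the registration table, its rows and the attacker's input are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): the vulnerable query beside
// a parameterised one. The database, table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registration (UserId INTEGER PRIMARY KEY, Name TEXT)');
$db->exec("INSERT INTO registration VALUES (105, 'alice'), (106, 'bob')");

// Constructed input: what was typed into the UserId field of the form.
$userInput = '105 OR 1 = 1';

// Vulnerable: the raw input is concatenated into the SQL text, so whatever
// the user typed becomes part of the query's grammar.
function lookupVulnerable(PDO $db, string $input): array
{
    $sql = "SELECT * FROM registration WHERE UserId = $input";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the type first, then bind the value as a parameter so
// the database only ever compares it as data and never parses it as SQL.
function lookupSafe(PDO $db, string $input): array
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        return []; // reject anything that is not a plain integer
    }
    $stmt = $db->prepare('SELECT * FROM registration WHERE UserId = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "Vulnerable query returned " . count(lookupVulnerable($db, $userInput)) . " rows\n";
echo "Hardened query returned "   . count(lookupSafe($db, $userInput))       . " rows\n";
echo "Hardened query with '105' returned " . count(lookupSafe($db, '105'))   . " rows\n";
?>
```

The vulnerable function returns both rows because the injected condition widens the WHERE clause to match everything; the hardened function rejects the same input outright, since "105 OR 1 = 1" is not an integer, and returns exactly one row when given the legitimate value "105". Even if validation were skipped, the prepared statement would compare the whole string against UserId as a value rather than executing it.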
PHP provides the filter_var function for this purpose. It usually takes two parameters: the first is the variable to check, and the second is the type of validation or sanitization to apply to it. Let’s take a look at some of the filter types along with their examples:
  • Cleanup strings - FILTER_SANITIZE_STRING: this removes all HTML tags from the string, so no HTML tag from the input reaches the database. (FILTER_SANITIZE_STRING is deprecated as of PHP 8.1; use FILTER_SANITIZE_FULL_SPECIAL_CHARS or strip_tags in new code.)
    <?php
    $engineer = "<h1>GeeksforGeeks Portal</h1>";
    $newengineer = filter_var($engineer, FILTER_SANITIZE_STRING);
    echo $newengineer;
    ?>
    Output:
    GeeksforGeeks Portal
    Code explanation:
    The variable $engineer in the above example stores the heading '<h1>GeeksforGeeks Portal</h1>'. It is filtered with FILTER_SANITIZE_STRING and the result is stored in $newengineer. The output is "GeeksforGeeks Portal" because the filter strips the <h1> tags and keeps only the text between them.

  • IP address check - FILTER_VALIDATE_IP: this filter checks whether an IP address is valid.
    <?php
    $ipaddr = "126.0.0.5";
    if (filter_var($ipaddr, FILTER_VALIDATE_IP) !== false) {
        echo "Valid IP-address";
    } else {
        echo "Invalid IP-address";
    }
    ?>
    Output:
    Valid IP-address
    Code explanation:
    The IP address stored in $ipaddr is valid. If the value "126.2.5" were stored in $ipaddr instead, the output would be "Invalid IP-address", because that value does not follow the four-octet format of an IPv4 address.
  • Integer validation - FILTER_VALIDATE_INT: this filter checks whether a variable is an integer.
    <?php
    $num = 500;
    if (filter_var($num, FILTER_VALIDATE_INT) !== false) {
        echo "Valid";
    } else {
        echo "Invalid";
    }
    ?>
    Output:
    Valid
    Code explanation:
    The code outputs "Valid" if $num is a valid integer and "Invalid" otherwise. Here 500 is an integer, so the output is "Valid".
  • Email ID verification - FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL: this pair first removes all invalid characters from the email address and then checks whether the remaining format is valid.
    <?php
    $em = "user@example.com";
    // Remove invalid characters
    $em = filter_var($em, FILTER_SANITIZE_EMAIL);
    // Validate the sanitized address
    if (filter_var($em, FILTER_VALIDATE_EMAIL) !== false) {
        echo "$em is valid";
    } else {
        echo "$em is invalid";
    }
    ?>
    Output:
    user@example.com is valid
    Code explanation:
    First, the email stored in $em is sanitized to remove any invalid characters such as ' / > < ) * & ^ '. After sanitizing, the address is validated to check whether it is in a valid email format.
  • URL validation - FILTER_SANITIZE_URL and FILTER_VALIDATE_URL: like the email filter, this pair first removes all invalid characters from the URL and then checks whether the format is valid.
    <?php
    $url = "https://www.engineerforengineer.com";
    // URL sanitizer
    $url = filter_var($url, FILTER_SANITIZE_URL);
    // URL validator
    if (filter_var($url, FILTER_VALIDATE_URL) !== false) {
        echo "$url is valid";
    } else {
        echo "$url is invalid";
    }
    ?>
    Output:
    https://www.engineerforengineer.com is valid
    Code explanation:
    The URL stored in $url is first sanitized to remove invalid characters. The URL is then checked to see whether its format is valid.
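The following is an added example, not code from the original article: it combines the filters discussed above into one routine that validates a whole form submission and separates clean values from per-field errors. It goes a little beyond the individual snippets by using the options and flags filter_var accepts (an integer range, public-IP-only flags), replacing the deprecated FILTER_SANITIZE_STRING with FILTER_SANITIZE_FULL_SPECIAL_CHARS, and restricting URLs to http(s). The field names and the sample $submission array are constructed for the demonstration.

```php
<?php
// Added example (not from the original article). Field names and the sample
// submission below are constructed for the demonstration.
function validateRegistration(array $input): array
{
    $clean  = [];
    $errors = [];

    // Free text: check length on the raw value, then HTML-encode rather than
    // strip (FILTER_SANITIZE_STRING is deprecated since PHP 8.1), so the
    // stored value is safe to echo back into a page later.
    $rawName = trim((string) ($input['name'] ?? ''));
    if ($rawName === '' || mb_strlen($rawName) > 64) {
        $errors['name'] = 'Name is required and must be at most 64 characters';
    } else {
        $clean['name'] = filter_var($rawName, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
    }

    // Integer with a range: the options array rejects 0, negatives and
    // absurd values as well as anything that is not a whole number.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 150]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 1 and 150';
    } else {
        $clean['age'] = $age;
    }

    // Email: sanitize, then validate; a sanitized value is not yet a valid one.
    $email = filter_var((string) ($input['email'] ?? ''), FILTER_SANITIZE_EMAIL);
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Email address is not valid';
    } else {
        $clean['email'] = $email;
    }

    // URL: FILTER_VALIDATE_URL accepts any scheme, so additionally require
    // http or https before the value is ever rendered as a link.
    $site   = filter_var((string) ($input['website'] ?? ''), FILTER_SANITIZE_URL);
    $scheme = parse_url($site, PHP_URL_SCHEME);
    if (filter_var($site, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        $errors['website'] = 'Website must be an http or https URL';
    } else {
        $clean['website'] = $site;
    }

    // IP: the flags reject private (10/8, 192.168/16, ...) and reserved ranges.
    $ip = filter_var((string) ($input['ip'] ?? ''), FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE);
    if ($ip === false) {
        $errors['ip'] = 'IP address is missing, malformed, private or reserved';
    } else {
        $clean['ip'] = $ip;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission mixing acceptable and hostile values.
$submission = [
    'name'    => '<script>alert(1)</script>Alice',
    'age'     => '5 = 5',
    'email'   => 'alice(at)example.com',
    'website' => 'javascript:alert(1)',
    'ip'      => '126.0.0.5',
];

$result = validateRegistration($submission);
print_r($result['clean']);
print_r($result['errors']);
?>
```

Run against the sample submission, only the name (now HTML-encoded) and the public IP survive into the clean array; the age fails the integer filter, the email loses its parentheses during sanitization and then fails validation because no @ remains, and the javascript: URL is refused by the scheme check. Keeping the validated values in a separate array, and using only those afterwards, is what prevents an unchecked field from slipping through to the database or the page.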