PHP Sanitize POST Data, Clean Up Input
Website development with PHP requires several considerations to be taken into account. At some point a PHP developer will be handling data that is input by the website visitor. The data has usually been sent to the website using an HTTP POST, for example from an HTML form. Since a website can be accessed by billions of people around the world, the chances are that someone will enter badly formatted data by mistake, or someone will try to enter data that could cause the PHP application on the web server problems. Therefore, it is generally a good idea to check the input data so that it matches a format that the PHP application can correctly use.
In this article a brief look at data clean up for PHP is given. Data input clean up is known as sanitizing the data; not only is it used to ensure data is in the correct format for processing, it is also used to prevent code injection techniques, for example cross-site scripting (XSS) or SQL injection. To practise the code in this article you'll need access to a web server that runs PHP; most simple website hosting plans support PHP. Alternatively, run a web server on your computer (for example run PHP on Windows).
Note: If the code in this article is tested on a live website, then remove it once the testing has finished. It needs further code to protect it from abuse, for example some form of anti-bot check, such as CAPTCHA. See the Tek Eye article reCAPTCHA Code to Download for Demo and Test for an example of implementing Google's reCAPTCHA.
Start with a Simple HTML Form
To practise PHP data sanitizing, start with a simple example of PHP processing some data. In the Tek Eye article Simple HTML Contact Form for PHP Based Website, the data from a name field and a message field is sent to the web server for processing by PHP.
The PHP form handler code for the above example just sends back a web page with the entered data:
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>HTML Form Demo</title>
</head>
<body>
    <p>Processing feedback...</p>
    <?php
    /* No clean up yet: the POST data is echoed back exactly as received */
    if(isset($_POST['name']))
        echo "<p>Welcome ".$_POST['name']."</p>";
    if(isset($_POST['message']))
        echo "<p>Your message is: ".$_POST['message']."</p>";
    ?>
</body>
</html>
```
It is straightforward to pass the data through a clean up function before processing. The code below shows a function to remove unnecessary whitespace, useful before storing data in a database field:
```php
<?php
/* Clean up any data */
function clean_data($data) {
    /* trim leading and trailing whitespace */
    $data = trim($data);
    return $data;
}
$message = clean_data($_POST['message']);
/* save data to database */
```
Additional data sanitizing code can then be added to the clean_data() function when required. For example, someone might try to send malicious code to a website through an input box (this is a simple demo to illustrate the point):
Adding a call to htmlspecialchars() in the clean_data() function stops that example:
Here is the full code for the above example:
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>HTML Form Demo</title>
</head>
<body>
    <p>Processing feedback...</p>
    <?php
    /* Clean up any data */
    function clean_data($data) {
        /* trim leading and trailing whitespace */
        $data = trim($data);
        /* convert <, >, & and " to HTML entities so input is shown, not rendered as markup */
        $data = htmlspecialchars($data);
        return $data;
    }
    if(isset($_POST['name']))
        echo "<p>Welcome ".clean_data($_POST['name'])."</p>";
    if(isset($_POST['message']))
        echo "<p>Your message is: ".clean_data($_POST['message'])."</p>";
    ?>
</body>
</html>
```
Other PHP functions can be used on input data, for example stripslashes() or addslashes() to un-quote or quote a string. The data sanitizing code added to a PHP application will be specific to the intended use of the input data. Remember to consider how the data will be used to determine the data clean up and data checks that need to be applied. For example, when storing an input filename in a database field, do you need to ensure that directory paths are not present? Someone may be trying to manipulate the application with relative paths in filenames.
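As an added example (not code from the original article), here is a clean up function for the filename case just described: it drops any directory path with basename() and then accepts only a conservative character set. The function name clean_filename() and the sample inputs are constructed for this illustration.

```php
<?php
/* Added example: clean up a user-supplied filename before it is stored or
   used, so that relative or absolute directory paths cannot get through. */
function clean_filename($input) {
    $name = trim($input);
    /* Normalise Windows separators so basename() sees a single form. */
    $name = str_replace('\\', '/', $name);
    /* basename() keeps only the final path component, so "../etc/passwd"
       becomes "passwd" and "C:/Users/bob/notes.txt" becomes "notes.txt". */
    $name = basename($name);
    /* Reject empty or dot names, hidden files, and anything outside a
       conservative whitelist of characters (max 255 characters). */
    if ($name === '' || $name === '.' || $name === '..'
        || !preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $name)) {
        return false;
    }
    return $name;
}

/* Constructed sample inputs for a quick check from the command line. */
$samples = [
    'report.pdf',
    ' ../../etc/passwd ',
    'C:\\Users\\bob\\notes.txt',
    '../',
    'my report?.txt',
    '.htaccess',
];
foreach ($samples as $s) {
    $r = clean_filename($s);
    printf("%-30s => %s\n", var_export($s, true), $r === false ? 'REJECTED' : $r);
}
```

Returning FALSE for a rejected name lets the caller refuse the submission rather than silently storing an altered filename.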
Use PHP Filters for Data Sanitizing and Validating
PHP comes with built in filter functions to help clean up and check different types of data. Use filter_var() with a specified filter (and, optionally, filter flags) to sanitize and validate input. The types of data supported include:
- Unquoted Strings
- Numbers and Booleans
- Domains and URLs
- IP and MAC addresses
- Regular Expressions
- Printable ASCII
See the validation filters when checking data and the sanitize filters when cleaning up data. filter_var() supports various data sanitize and validation options via filter flags. It is possible to implement a custom filter via a callback.
Note: filter_var() is not perfect and may not work for some strange, but valid, inputs and foreign language text. See the comments in the various PHP.net documentation pages.
Simple Validate PHP Filter Example
The simple PHP POST example above is extended to see if an email address was entered into the name field. Here is the code to check for an email address using the PHP filter_var():
```php
/* FILTER_VALIDATE_EMAIL returns the address on success and FALSE on failure,
   so test against FALSE with the identical operator rather than a truthiness check */
if (filter_var($_POST['name'], FILTER_VALIDATE_EMAIL) !== FALSE)
    echo("You entered an email address for your name");
```
Note: In the PHP documentation for filter_var() it states that it 'Returns the filtered data, or FALSE if the filter fails.' Hence the comparison against FALSE uses the identical comparison operator, since filter_var will only return FALSE or the data that was passed in (a string). Here is the full updated PHP data handler:
```php
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>HTML Form Demo</title>
</head>
<body>
    <p>Processing feedback...</p>
    <?php
    /* Clean up any data */
    function clean_data($data) {
        /* trim leading and trailing whitespace */
        $data = trim($data);
        /* convert <, >, & and " to HTML entities so input is shown, not rendered as markup */
        $data = htmlspecialchars($data);
        return $data;
    }
    if(isset($_POST['name'])) {
        /* validation filter returns FALSE on failure, so compare with the identical operator */
        if (filter_var($_POST['name'], FILTER_VALIDATE_EMAIL) !== FALSE)
            echo("You entered an email address for your name");
        echo "<p>Welcome ".clean_data($_POST['name'])."</p>";
    }
    if(isset($_POST['message']))
        echo "<p>Your message is: ".clean_data($_POST['message'])."</p>";
    ?>
</body>
</html>
```
Read the PHP documentation on PHP filters, especially the comments on the documentation, as they cover further details on the PHP filter behaviour.
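The following added example (not code from the original article) extends the filter section above: it applies a validation filter with options, a callback filter for the trim and htmlspecialchars() clean up, and the FALSE comparison from the note above to a constructed form submission. The $post array stands in for $_POST so the script runs from the command line.

```php
<?php
/* Added example: validating a constructed form submission with filter_var()
   filters, filter options and a custom callback filter. */

/* Constructed sample input standing in for $_POST, so this runs offline. */
$post = [
    'name'     => '  <b>Alice</b> ',
    'email'    => 'alice@example.com',
    'quantity' => '0',
    'website'  => 'not a url',
];

/* Custom filter via callback: trim, then escape for safe HTML output. */
$name = filter_var($post['name'], FILTER_CALLBACK, [
    'options' => function ($value) {
        return htmlspecialchars(trim($value), ENT_QUOTES, 'UTF-8');
    },
]);

/* Validation filters return FALSE on failure, otherwise the (converted) value. */
$email = filter_var($post['email'], FILTER_VALIDATE_EMAIL);
$qty   = filter_var($post['quantity'], FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 100],
]);
$site  = filter_var($post['website'], FILTER_VALIDATE_URL);

/* Compare with === FALSE: a valid quantity of 0 is falsy, so a plain
   if (!$qty) test would wrongly reject it. */
$errors = [];
if ($email === false) $errors[] = 'email address is not valid';
if ($qty === false)   $errors[] = 'quantity must be a whole number from 0 to 100';
if ($site === false)  $errors[] = 'website is not a valid URL';

echo "Name: $name\n";
echo "Email: " . ($email === false ? '(rejected)' : $email) . "\n";
echo "Quantity: " . ($qty === false ? '(rejected)' : $qty) . "\n";
echo "Website: " . ($site === false ? '(rejected)' : $site) . "\n";
echo "Errors: " . (empty($errors) ? 'none' : implode('; ', $errors)) . "\n";
```

Note that FILTER_VALIDATE_INT returns an integer, not the original string, so the value can be used directly in arithmetic after the check.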
See Also
- Install PHP on Windows with Web Platform Installer
- Simple HTML Contact Form for PHP Based Website
- PHP filter functions
- Use PHP filter_var() for data clean up and checking
- PHP data sanitize filters
- PHP data validation filters
- PHP filter flags
- reCAPTCHA Code to Download for Demo and Test
- PHP Mail Script for Testing Email Sending
- Get URL in HTML for PHP Backlink
- For a full list of all the articles in Tek Eye see the full site alphabetical Index.
Author: Daniel S. Fowler