Course Content
State Management
0/1
Regular Expressions?
0/1
About Lesson

What is Sanitize input?

Sanitizing input is a crucial step in web development to ensure that data received from users is safe and does not pose security risks to the application. Sanitization involves cleaning and filtering user input to remove or neutralize potentially harmful characters or content. Here are some key techniques and considerations for sanitizing input in PHP:

HTML Entity Encoding:

  • Convert special characters to their corresponding HTML entities using functions like htmlspecialchars() or htmlentities().
  • This prevents XSS (Cross-Site Scripting) attacks by neutralizing HTML tags and preventing them from being executed in the browser.

// Example: HTML entity encoding

PHP
$unsafe_input = "<script>alert('XSS attack');</script>";

$safe_input = htmlspecialchars($unsafe_input);

echo $safe_input; // Output: <script>alert('XSS attack');</script>

Database Escaping:

  • Use prepared statements or parameterized queries with PDO or MySQLi to sanitize data before inserting it into the database.
  • Prepared statements automatically escape special characters in SQL queries, preventing SQL injection attacks.

// Example: Prepared statement with PDO

PHP
$stmt = $pdo->prepare("INSERT INTO users (username, password) VALUES (?, ?)");

$stmt->execute([$username, $password]);

Validation and Whitelisting:

  • Validate input against expected formats, lengths, and data types.
  • Use whitelists to allow only certain characters or patterns in input fields, rejecting anything else.

// Example: Validate email address format

PHP
if (filter_var($email, FILTER_VALIDATE_EMAIL)) {

    // Valid email address

} else {

    // Invalid email address

}

File Uploads:

  • Use move_uploaded_file() to move uploaded files to a secure directory and sanitize the file name to remove any potentially malicious characters.
  • Check file types and sizes to prevent uploading of harmful files.

// Example: Sanitize uploaded file name

PHP
$filename = $_FILES['file']['name'];

$sanitized_filename = preg_replace("/[^a-zA-Z0-9\_\-\.]/", '', $filename);

Input Filtering:

  • Use PHP’s filter_var() function with appropriate filter types to validate and sanitize input data.
  • Filter input against predefined validation rules for email addresses, URLs, integers, and more.

// Example: Sanitize and validate email address

PHP
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);

if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL)) {

    // Valid email address

} else {

    // Invalid email address

}

Avoid Trusting User Input:

  • Never trust user input and always assume it’s malicious until proven otherwise.
  • Validate and sanitize input at the earliest opportunity and before using it in any critical operations or outputs.

By implementing these sanitization techniques in your PHP applications, you can mitigate security risks associated with user input and ensure the integrity and safety of your application’s data and functionality.