Sanitize and Validate Data with PHP Filters

Data validation is an integral part of working with forms. Not only can invalid submitted data lead to security problems, but it can also break your webpage. Today, we'll take a look at how to remove illegal characters and validate data by using the "filter_var" function.

For example, suppose a user enters the text "I don't have one" as their home page. If this data were entered into a database and later retrieved as a link, the link would be broken.

Most people tend to think of data validation as an immensely tedious process where one either:

  • Compares the data they want to validate against every possible combination they can think of.
  • Tries to find a golden Regular Expression that will match every possible combination.
  • Uses a combination of the two.

These approaches have obvious problems:

  • They are time consuming.
  • There is a very high chance of error.

Fortunately, beginning with version 5.2, PHP has included a great function called filter_var that takes away the pain of data validation.

filter_var In Action

filter_var can both sanitize and validate data. What's the difference between the two?

  • Sanitizing will remove any illegal character from the data.
  • Validating will determine if the data is in proper form.

Note: why sanitize and not just validate? It's possible the user accidentally typed in a wrong character or maybe it was from a bad copy and paste. By sanitizing the data, you take the responsibility of hunting for the mistake off of the user.
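To make the distinction concrete, here is a minimal sketch that runs the same value through both kinds of filter. The input string is a made-up example of a bad copy and paste, not something taken from a real form:

```php
<?php
// Hypothetical input: stray spaces and parentheses from a bad copy and paste.
$raw = " john(doe)@example.com ";

// Sanitizing strips the characters that are not allowed in an email address.
$clean = filter_var($raw, FILTER_SANITIZE_EMAIL); // "johndoe@example.com"

// Validating returns the value if it is well formed, or false if it is not.
$raw_is_valid   = filter_var($raw, FILTER_VALIDATE_EMAIL) !== false;   // false
$clean_is_valid = filter_var($clean, FILTER_VALIDATE_EMAIL) !== false; // true
```

Sanitizing changes the data; validating only answers yes or no.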

How to use filter_var

Using filter_var is incredibly easy. It's simply a PHP function that takes two pieces of data:

  • The variable you want to check
  • The type of check to use

For example, the code below will remove all HTML tags from a string:

$string = "<h1>Hello, World!</h1>";
$new_string = filter_var($string, FILTER_SANITIZE_STRING);
// $new_string is now "Hello, World!"
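One caveat for current PHP versions: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. The sketch below shows two common substitutes, assuming PHP 8.1 or later. Neither is an exact replacement (FILTER_SANITIZE_STRING also encodes quotes by default), so treat it as an illustration rather than a drop-in fix:

```php
<?php
// Assumption: PHP 8.1 or later, where FILTER_SANITIZE_STRING is deprecated.
$string = "<h1>Hello, World!</h1>";

// strip_tags() removes the HTML tags, much like the filter does.
$new_string = strip_tags($string); // "Hello, World!"

// htmlspecialchars() keeps the text intact and escapes it for output instead.
$escaped = htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
// "&lt;h1&gt;Hello, World!&lt;/h1&gt;"
```

Which one fits depends on whether you want to discard markup or display it safely.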

Here's another example, this time slightly more involved. The code below will check that the value of the variable is a valid IP address:

$ip = "127.0.0.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is "127.0.0.1" (the validated value, which is truthy)

$ip = "127.0.1.1.1.1";
$valid_ip = filter_var($ip, FILTER_VALIDATE_IP);
// $valid_ip is FALSE

That's how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.
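Two details are easy to miss. The validate filters return the filtered value on success (not TRUE), and filter_var accepts an optional third argument for flags and options. A short sketch with made-up input values:

```php
<?php
// On success, filter_var() returns the filtered value, not TRUE.
$int = filter_var("42", FILTER_VALIDATE_INT); // int 42

// "0" is a valid integer, but the returned 0 is falsy,
// so compare against false with !== rather than relying on truthiness.
$zero = filter_var("0", FILTER_VALIDATE_INT);
$zero_is_valid = ($zero !== false); // true

// Options narrow a rule: here only integers from 1 to 10 are accepted.
$in_range = filter_var("42", FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => 10],
]); // false

// Flags narrow a rule too: accept IPv4 addresses only.
$ipv4 = filter_var("::1", FILTER_VALIDATE_IP, FILTER_FLAG_IPV4); // false
```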

Sanitizing Example

Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.

<?php
    if (isset($_POST['email'])) {
        // Escape the sanitized value before echoing it into the page.
        echo htmlspecialchars(filter_var($_POST['email'], FILTER_SANITIZE_EMAIL), ENT_QUOTES);
        echo "<br/><br/>";
    }

    if (isset($_POST['homepage'])) {
        // FILTER_SANITIZE_URL keeps < > and ", so escaping is still required.
        echo htmlspecialchars(filter_var($_POST['homepage'], FILTER_SANITIZE_URL), ENT_QUOTES);
        echo "<br/><br/>";
    }
?>

<form name="form1" method="post" action="form-sanitize.php">
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES); ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? '', ENT_QUOTES); ?>" size="50" /> <br/>
    <br/>
    <input type="submit" />
</form>

By using the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL constants defined by PHP, the guesswork of knowing which characters are illegal is gone.
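Keep in mind that "illegal in a URL" is not the same as "unsafe in HTML". FILTER_SANITIZE_URL leaves characters such as <, > and " in place, so a sanitized value still needs escaping before it is echoed into a page. A minimal sketch with a made-up input:

```php
<?php
// Hypothetical input containing HTML rather than a URL.
$input = '"><b>hi</b>';

// Every character here is allowed in a URL, so nothing is removed.
$sanitized = filter_var($input, FILTER_SANITIZE_URL);

// Escape for HTML output as a separate step.
$safe = htmlspecialchars($sanitized, ENT_QUOTES, 'UTF-8');
// "&quot;&gt;&lt;b&gt;hi&lt;/b&gt;"
```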

Validating Example

Just because the data is sanitized does not mean it is properly formatted. Input can pass through the sanitizer unchanged and still obviously not be an email address or URL.

In order to ensure the data is properly formatted, it needs to be validated.

<?php
    if (isset($_POST['email'])) {
        $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
        // Escape the value before echoing it back into the page.
        $safe_email = htmlspecialchars($email, ENT_QUOTES);
        if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
            echo "$safe_email is a valid email address.<br/><br/>";
        } else {
            echo "$safe_email is <strong>NOT</strong> a valid email address.<br/><br/>";
        }
    }

    if (isset($_POST['homepage'])) {
        $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
        $safe_homepage = htmlspecialchars($homepage, ENT_QUOTES);
        if (filter_var($homepage, FILTER_VALIDATE_URL)) {
            echo "$safe_homepage is a valid URL.<br/><br/>";
        } else {
            echo "$safe_homepage is <strong>NOT</strong> a valid URL.<br/><br/>";
        }
    }
?>

<form name="form1" method="post" action="form-validate.php">
Email Address: <br/>
<input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES); ?>" size="50"/> <br/><br/>
Home Page: <br/>
<input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? '', ENT_QUOTES); ?>" size="50" /> <br/>
<br/>
<input type="submit" />
</form>

Now that the data has been validated, you can be sure that the submitted values are a well-formed email address and a well-formed URL.
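One caveat: FILTER_VALIDATE_URL checks the form of a URL, not its scheme, so a value like ftp://example.com also passes. If the form should only accept web addresses, an extra check can help. The helper name is_http_url below is hypothetical, and this is a sketch rather than a complete URL policy:

```php
<?php
// Hypothetical helper: accept only well-formed http:// or https:// URLs.
function is_http_url($value)
{
    // First make sure the value is a well-formed URL at all.
    if (filter_var($value, FILTER_VALIDATE_URL) === false) {
        return false;
    }

    // Then restrict the scheme to the two we want to allow.
    $scheme = strtolower((string) parse_url($value, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true);
}

var_dump(is_http_url("http://example.com"));         // bool(true)
var_dump(is_http_url("ftp://example.com/file.txt")); // bool(false)
var_dump(is_http_url("example.com"));                // bool(false)
```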

Putting It All Together: An Email Submit Form

Now that data sanitization and validation have been covered, we'll put those skills to use with a quick email submission form. This will by no means be of production quality -- for example, no form should require a home page -- but it'll work perfectly for this tutorial. The form will take four pieces of information:

  • Name
  • Email Address
  • Home Page
  • Message

We'll sanitize and validate all four pieces of data and only send the email if they are all valid. If anything is invalid, or if any fields are blank, the form will be presented to the user again along with a list of items to fix. We'll also return the sanitized data to the user in case they are unaware that certain characters are illegal.

Step 1 - Creating the Form

For the first step, simply create a form element with five fields: the four listed above and a submit button:

<form name="form1" method="post" action="form-email.php">
    Name: <br/>
    <input type="text" name="name" value="<?php echo htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES); ?>" size="50" /><br/><br/>
    Email Address: <br/>
    <input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES); ?>" size="50"/> <br/><br/>
    Home Page: <br/>
    <input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? '', ENT_QUOTES); ?>" size="50" /> <br/><br/>
    Message: <br/>
    <textarea name="message" rows="5" cols="50"><?php echo htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES); ?></textarea>
    <br/>
    <input type="submit" name="Submit" />
</form>

Step 2 - Determine if the Form was Submitted

You can check to see if a form was submitted by seeing if the submit button was "set". Place the following code above your form:

$errors = ''; // collects the error messages added in the steps that follow

if (isset($_POST['Submit'])) {

}
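An alternative that does not depend on the name of the submit button is to check the request method. The sketch below assumes a hypothetical helper, is_post_request, that receives the server array as a parameter (normally $_SERVER) so it can be tried in isolation:

```php
<?php
// Hypothetical helper: treat any POST request as a form submission.
// $server is passed in (normally $_SERVER) so the function is easy to test.
function is_post_request(array $server)
{
    return isset($server['REQUEST_METHOD'])
        && $server['REQUEST_METHOD'] === 'POST';
}

var_dump(is_post_request(['REQUEST_METHOD' => 'POST'])); // bool(true)
var_dump(is_post_request(['REQUEST_METHOD' => 'GET']));  // bool(false)
```

In the form handler, the call would be is_post_request($_SERVER).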

Step 3 - Validating the Name and Message Field

Since the name and message fields are sanitized in the same way, we'll handle them together. First, check to see if either field is blank by doing the following:

if ($_POST['name'] == "")

if ($_POST['message'] == "")

Next, sanitize them with the FILTER_SANITIZE_STRING constant:

$_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);

$_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);

Finally, check to make sure that the two fields still are not blank. This is to ensure that after removing all illegal characters, you are not left with a blank field:

if ($_POST['name'] == "")

if ($_POST['message'] == "")

We won't do any validation on these two fields, simply because there is no absolute way to validate a name or an arbitrary message.

The final code looks like this:

if ($_POST['name'] != "") {
    $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
    if ($_POST['name'] == "") {
        $errors .= 'Please enter a valid name.<br/><br/>';
    }
} else {
    $errors .= 'Please enter your name.<br/>';
}

if ($_POST['message'] != "") {
    $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
    if ($_POST['message'] == "") {
        $errors .= 'Please enter a message to send.<br/>';
    }
} else {
    $errors .= 'Please enter a message to send.<br/>';
}
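Because the two blocks differ only in the field and the wording of the message, the logic can also be folded into one function. The following is a sketch under a few assumptions: the helper name clean_required_text is hypothetical, errors are collected in an array instead of a string, and strip_tags() stands in for FILTER_SANITIZE_STRING:

```php
<?php
// Hypothetical helper: trim, strip tags, and record an error if nothing is left.
// Assumption: strip_tags() stands in for FILTER_SANITIZE_STRING.
function clean_required_text($value, $label, array &$errors)
{
    $clean = trim(strip_tags((string) $value));
    if ($clean === '') {
        $errors[] = "Please enter $label.";
    }
    return $clean;
}

$errors  = [];
$name    = clean_required_text('<b>Jane</b>', 'your name', $errors);
$message = clean_required_text('<i></i>', 'a message to send', $errors);

// $name is "Jane", $message is "", and $errors holds one entry
// for the message field, which was empty after sanitizing.
```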

Step 4 -- Validate the Email Field

The email field will be sanitized and validated just as it was earlier in the tutorial.

First, check to make sure it is not blank:

if ($_POST['email'] != "")

Next, sanitize it:

$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

Finally, validate it as a true email address:

if (!filter_var($email, FILTER_VALIDATE_EMAIL))

The final code looks like this:

if ($_POST['email'] != "") {
    $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your email address.<br/>';
}
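Sanitizing before validating can silently turn a mistyped address into a different, valid one, so it can be useful to tell the user when the value was changed. A minimal sketch, with a hypothetical helper name check_email and a made-up input:

```php
<?php
// Hypothetical helper: report the sanitized address, whether it is valid,
// and whether sanitizing changed what the user typed.
function check_email($input)
{
    $clean = filter_var($input, FILTER_SANITIZE_EMAIL);

    return [
        'email'   => $clean,
        'valid'   => filter_var($clean, FILTER_VALIDATE_EMAIL) !== false,
        'changed' => $clean !== $input,
    ];
}

$result = check_email('jane doe@example.com');
// 'email' is "janedoe@example.com", 'valid' is true, 'changed' is true
```

When 'changed' is true, showing the sanitized address back to the user lets them confirm it is still the one they meant.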

Step 5 -- Validate the Home Page Field

Again, the home page field will be sanitized and validated the same way as earlier in the tutorial.

First, make sure it is not blank:

if ($_POST['homepage'] != "")

Next, sanitize it and remove any illegal characters:

$homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);

Finally, validate it to make sure it's a true URL:

if (!filter_var($homepage, FILTER_VALIDATE_URL))

The final code looks like this:

if ($_POST['homepage'] != "") {
    $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
    if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
        $errors .= "$homepage is <strong>NOT</strong> a valid URL.<br/><br/>";
    }
} else {
    $errors .= 'Please enter your home page.<br/>';
}
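As noted earlier, a real form should not require a home page. One way to make the field optional is to accept a blank value and validate only when something was entered. The helper name check_optional_url is hypothetical, and its three-way return value is just one possible design:

```php
<?php
// Hypothetical helper: returns '' for a blank field, the sanitized URL if it
// is valid, or false if the user typed something that is not a URL.
function check_optional_url($input)
{
    $input = trim((string) $input);
    if ($input === '') {
        return ''; // blank is acceptable for an optional field
    }

    $clean = filter_var($input, FILTER_SANITIZE_URL);
    return filter_var($clean, FILTER_VALIDATE_URL);
}

var_dump(check_optional_url(''));                   // string(0) ""
var_dump(check_optional_url("I don't have one"));   // bool(false)
var_dump(check_optional_url('http://example.com')); // string(18) "http://example.com"
```

Compare the result with === false to decide whether to add an error.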

Step 6 -- Check for Errors and Send the Message

Now that we've gone through all the fields, it's time to either report the errors or send the message. Start by checking that no errors were recorded:

if (!$errors) {

Then build the email message:

$mail_to = 'me@somewhere.com';
$subject = 'New Mail from Form Submission';
$message  = 'From: ' . $_POST['name'] . "\n";
$message .= 'Email: ' . $email . "\n";        // sanitized in Step 4
$message .= 'Homepage: ' . $homepage . "\n";  // sanitized in Step 5
$message .= "Message:\n" . $_POST['message'] . "\n\n";

And finally, send the message:

mail($mail_to, $subject, $message);

However, if there were any errors, report them and have the user try again:

echo '<div style="color: red">' . $errors . '<br/></div>';
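Since the error messages quote what the user typed, it is safer to escape them when they are printed. The sketch below assumes the errors are kept as plain-text strings in an array (a change from the string concatenation used in this tutorial) and uses a hypothetical helper name, render_errors:

```php
<?php
// Hypothetical helper: render a list of plain-text error messages as HTML.
function render_errors(array $errors)
{
    $html = '<div style="color: red">';
    foreach ($errors as $error) {
        // Escape each message, since it may quote what the user typed.
        $html .= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '<br/>';
    }
    return $html . '</div>';
}

echo render_errors(['<b>x</b> is NOT a valid URL.']);
// <div style="color: red">&lt;b&gt;x&lt;/b&gt; is NOT a valid URL.<br/></div>
```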

The completed project looks like this:

<?php

    $errors = ''; // start with no errors so the .= appends below are safe

    if (isset($_POST['Submit'])) {

        if ($_POST['name'] != "") {
            $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);
            if ($_POST['name'] == "") {
                $errors .= 'Please enter a valid name.<br/><br/>';
            }
        } else {
            $errors .= 'Please enter your name.<br/>';
        }

        if ($_POST['email'] != "") {
            $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
            if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
                $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your email address.<br/>';
        }

        if ($_POST['homepage'] != "") {
            $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);
            if (!filter_var($homepage, FILTER_VALIDATE_URL)) {
                $errors .= "$homepage is <strong>NOT</strong> a valid URL.<br/><br/>";
            }
        } else {
            $errors .= 'Please enter your home page.<br/>';
        }

        if ($_POST['message'] != "") {
            $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);
            if ($_POST['message'] == "") {
                $errors .= 'Please enter a message to send.<br/>';
            }
        } else {
            $errors .= 'Please enter a message to send.<br/>';
        }

        if (!$errors) {
            $mail_to = 'me@somewhere.com';
            $subject = 'New Mail from Form Submission';
            $message  = 'From: ' . $_POST['name'] . "\n";
            $message .= 'Email: ' . $email . "\n";
            $message .= 'Homepage: ' . $homepage . "\n";
            $message .= "Message:\n" . $_POST['message'] . "\n\n";
            mail($mail_to, $subject, $message);

            echo "Thank you for your email!<br/><br/>";
        } else {
            echo '<div style="color: red">' . $errors . '<br/></div>';
        }
    }
?>

<form name="form1" method="post" action="form-email.php">
Name: <br/>
<input type="text" name="name" value="<?php echo htmlspecialchars($_POST['name'] ?? '', ENT_QUOTES); ?>" size="50" /><br/><br/>
Email Address: <br/>
<input type="text" name="email" value="<?php echo htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES); ?>" size="50"/> <br/><br/>
Home Page: <br/>
<input type="text" name="homepage" value="<?php echo htmlspecialchars($_POST['homepage'] ?? '', ENT_QUOTES); ?>" size="50" /> <br/><br/>
Message: <br/>
<textarea name="message" rows="5" cols="50"><?php echo htmlspecialchars($_POST['message'] ?? '', ENT_QUOTES); ?></textarea>
<br/>
<input type="submit" name="Submit" />
</form>
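For forms with several fields, the same extension also provides filter_var_array, which applies one rule per key in a single call. The sketch below uses made-up data in place of $_POST and only validates (it does not sanitize), so it illustrates the function rather than replacing the code above:

```php
<?php
// Hypothetical submitted data; in the form handler this would be $_POST.
$data = [
    'name'     => 'Jane',
    'email'    => 'jane@example.com',
    'homepage' => 'not a url',
];

// One rule per field. FILTER_UNSAFE_RAW leaves the value untouched.
$rules = [
    'name'     => FILTER_UNSAFE_RAW,
    'email'    => FILTER_VALIDATE_EMAIL,
    'homepage' => FILTER_VALIDATE_URL,
    'message'  => FILTER_UNSAFE_RAW,
];

$result = filter_var_array($data, $rules);

// $result['email']    is "jane@example.com" (valid)
// $result['homepage'] is false              (failed validation)
// $result['message']  is null               (field was not submitted)
```

The difference between false (invalid) and null (missing) makes it possible to give the user a more specific error message.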

Summary

I hope reading this tutorial gave you a good introduction to PHP's new data filtering features. There are still many more functions and rules that were not covered, so if you're interested in learning more, please see the Data Filtering section in the PHP manual.
