1. Code
  2. PHP

Sanitize and Validate Data with PHP Filters


Data validation is an integral part of working with forms. Not only can invalid submitted data lead to security problems, but it can also break your webpage. Today, we'll take a look at how to remove illegal characters and validate data by using the "filter_var" function.

An example can be seen below. A user has entered the text "I don't have one" as their home page. If this data were to be entered into a database and then later retrieved as a link, the link would be broken.

Most people tend to think of data validation as an immensely tedious process where one either:

  • Compares the data they want to validate against every possible combination they can think of.
  • Tries to find a golden Regular Expression that will match every possible combination.
  • A combination of the two.

There are obvious problems with the above listed:

  • It's absolutely time consuming.
  • There is a very high chance of error.

Fortunately, beginning with version 5.2, PHP has included a great function called filter_var that takes away the pain of data validation.

filter_var In Action

filter_var will do, both, sanitize and validate data. What's the difference between the two?

  • Sanitizing will remove any illegal character from the data.
  • Validating will determine if the data is in proper form.

Note: why sanitize and not just validate? It's possible the user accidentally typed in a wrong character or maybe it was from a bad copy and paste. By sanitizing the data, you take the responsibility of hunting for the mistake off of the user.

How to use filter_var

Using filter_var is incredibly easy. It's simply a PHP function that takes two pieces of data:

  • The variable you want to check
  • The type of check to use

For example, the below code will remove all HTML tags from a string:

Here's another example -- this time more difficult. The below code will ensure the value of the variable is a valid IP address:

That's how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.

Sanitizing Example

Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.

By using the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL constants definited by PHP, the guess work of knowing what characters are illegal is gone.

Validating Example

Just because the data is sanitized does not ensure that it's properly formatted. In the example below, the data did not need to be sanitized, but it's obvious that the user input is not an email or url.

In order to ensure the data is properly formatted, it needs to be validated.

Now that the data has been validated, you can be sure that the information submitted is exactly what you're looking for.

Putting It All Together: An Email Submit Form

Now that data sanitation and validation have been covered, we'll put those skills to use with a quick email submission form. This will by no means be of production quality -- for example, no form should require a home page -- but it'll work perfect for this tutorial. The form will take 4 pieces of information:

  • Name
  • Email Address
  • Home Page
  • Message

We'll sanitize and validate against all 4 pieces of data and only send the email if they are all valid. If anything is invalid, or if any fields are blank, the form will be presented to user along with a list of items to fix. We'll also return the sanitized data to the user in case they are unaware that certain characters are illegal.

Step 1 - Creating the Form

For the first step, simply create a form element with 5 fields: the for listed above and a submit button:

Step 2 - Determine if the Form was Submitted

You can check to see if a form was submitted by seeing if the submit button was "set". Place the following code above your form:

Step 3 - Validating the Name and Message Field

Since both the name and message fields will be sanitized and validated the same, we'll do them together. First, check to see if either field is blank by doing the following:

Next, sanitize them with the FILTER_SANITIZE_STRING constant

Finally, check to make sure that the two fields still are not blank. This is to ensure that after removing all illegal characters, you are not left with a blank field:

We won't do any validation on these two fields simply because there is no absolute way to validate against a Name or arbitrary message.

The final code looks like this:

Step 4 -- Validate the Email Field

The email field will be sanitized and validated just as it was earlier in the tutorial.

First, check to make sure it is not blank:

Next, sanitize it:

Finally, validate it as a true email address:

The final code looks like this:

Step 5 -- Validate the Home Page Field

Again, the home page field will be sanitized and validated the same way as earlier in the tutorial.

First, make sure it is not blank:

Next, sanitize it and remove any illegal characters:

Finally, validate it to make sure it's a true URL:

The final code looks like this:

Step 6 -- Check for Errors and Send the Message

Now that we've gone through all fields, it's time to either report the errors or send the message. Start off by assuming there were no errors:

Then build the email message:

And finally, send the message:

However, if there were any errors, report them and have the user try again:

The completed project looks like this:


I hope reading this tutorial gave you a good introduction to PHP's new data filtering features. There are still many more functions and rules that were not covered, so if you're interested in learning more, please see the Data Filtering section in the PHP manual.

  • Subscribe to the NETTUTS RSS Feed for more daily web development tuts and articles.

Looking for something to help kick start your next project?
Envato Market has a range of items for sale to help get you started.