• home
  • forum
  • my
  • kt
  • download
    • home / Web Design & Development / PHP / Miscellaneous

    Sanitize and Validate Data with PHP Filters

    Author: 2009-04-17 17:13:44 From:

    Data validation is an integral part of working with forms. Not only can invalid submitted data lead to security problems, but it can also break your webpage. Today, we'll take a look at how to remove illegal characters and validate data by using the "filter_var" function.

    An example can be seen below. A user has entered the text "I don't have one" as their home page. If this data were to be entered into a database and then later retrieved as a link, the link would be broken.

    Most people tend to think of data validation as an immensely tedious process where one either:

    • Compares the data they want to validate against every possible combination they can think of.
    • Tries to find a golden Regular Expression that will match every possible combination.
    • A combination of the two.

    There are obvious problems with the above listed:

    • It's absolutely time consuming.
    • There is a very high chance of error.

    Fortunately, beginning with version 5.2, PHP has included a great function called filter_var that takes away the pain of data validation.

    filter_var In Action

    filter_var will do, both, sanitize and validate data. What's the difference between the two?

    • Sanitizing will remove any illegal character from the data.
    • Validating will determine if the data is in proper form.

    Note: why sanitize and not just validate? It's possible the user accidentally typed in a wrong character or maybe it was from a bad copy and paste. By sanitizing the data, you take the responsibility of hunting for the mistake off of the user.

    How to use filter_var

    Using filter_var is incredibly easy. It's simply a PHP function that takes two pieces of data:

    • The variable you want to check
    • The type of check to use

    For example, the below code will remove all HTML tags from a string:

    view plaincopy to clipboardprint?
    1. $string = "<h1>Hello, World!</h1>";   
    2. $new_string = filter_var($string, FILTER_SANITIZE_STRING);   
    3. // $new_string is now "Hello, World!"  

    Here's another example -- this time more difficult. The below code will ensure the value of the variable is a valid IP address:

    view plaincopy to clipboardprint?
    1. $ip = "127.0.0.1";   
    2. $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);   
    3. // $valid_ip is TRUE   
    4.   
    5. $ip = "127.0.1.1.1.1";   
    6. $valid_ip = filter_var($ip, FILTER_VALIDATE_IP);   
    7. // $valid_ip is FALSE  

    That's how simple it is to use filter_var. For a complete list of all the rules you can check against, see the end of this tutorial.

    Sanitizing Example

    Below is a quick example of sanitizing input from two fields: an email field and a home page field. This example will remove any characters that should not occur in either type of data.

    view plaincopy to clipboardprint?
    1. <?php   
    2.     if (isset($_POST['email'])) {   
    3.         echo filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   
    4.         echo "<br/><br/>";   
    5.     }   
    6.   
    7.     if (isset($_POST['homepage'])) {   
    8.         echo filter_var($_POST['homepage'], FILTER_SANITIZE_URL);   
    9.         echo "<br/><br/>";   
    10.     }   
    11. ?>   
    12.   
    13. <form name="form1" method="post" action="form-sanitize.php">   
    14.     Email Address: <br/>   
    15.     <input type="text" name="email" value="<?php echo $_POST['email']; ?>" size="50"/> <br/><br/>   
    16.     Home Page: <br/>   
    17.     <input type="text" name="homepage" value="<?php echo $_POST['homepage']; ?>" size="50" /> <br/>   
    18.     <br/>   
    19.     <input type="submit" />   
    20. </form>  

    By using the FILTER_SANITIZE_EMAIL and FILTER_SANITIZE_URL constants definited by PHP, the guess work of knowing what characters are illegal is gone.

    Validating Example

    Just because the data is sanitized does not ensure that it's properly formatted. In the example below, the data did not need to be sanitized, but it's obvious that the user input is not an email or url.

    In order to ensure the data is properly formatted, it needs to be validated.

    view plaincopy to clipboardprint?
    1. <?php   
    2.     if (isset($_POST['email'])) {   
    3.         $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   
    4.         if (filter_var($email, FILTER_VALIDATE_EMAIL)) {   
    5.             echo "$email is a valid email address.<br/><br/>";    
    6.         } else {   
    7.             echo "$email is <strong>NOT</strong> a valid email address.<br/><br/>";   
    8.         }   
    9.     }   
    10.   
    11.     if (isset($_POST['homepage'])) {   
    12.         $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);   
    13.         if (filter_var($homepage, FILTER_VALIDATE_URL)) {   
    14.             echo "$homepage is a valid URL.<br/><br/>";   
    15.         } else {   
    16.             echo "$homepage is <strong>NOT</strong> a valid URL.<br/><br/>";   
    17.         }   
    18.     }   
    19. ?>   
    20.   
    21. <form name="form1" method="post" action="form-validate.php">   
    22. Email Address: <br/>   
    23. <input type="text" name="email" value="<?php echo $_POST['email']; ?>" size="50"/> <br/><br/>   
    24. Home Page: <br/>   
    25. <input type="text" name="homepage" value="<?php echo $_POST['homepage']; ?>" size="50" /> <br/>   
    26. <br/>   
    27. <input type="submit" />   
    28. </form>  

    Now that the data has been validated, you can be sure that the information submitted is exactly what you're looking for.

    Putting It All Together: An Email Submit Form

    Now that data sanitation and validation have been covered, we'll put those skills to use with a quick email submission form. This will by no means be of production quality -- for example, no form should require a home page -- but it'll work perfect for this tutorial. The form will take 4 pieces of information:

    • Name
    • Email Address
    • Home Page
    • Message

    We'll sanitize and validate against all 4 pieces of data and only send the email if they are all valid. If anything is invalid, or if any fields are blank, the form will be presented to user along with a list of items to fix. We'll also return the sanitized data to the user in case they are unaware that certain characters are illegal.

    Step 1 - Creating the Form

    For the first step, simply create a form element with 5 fields: the for listed above and a submit button:

    view plaincopy to clipboardprint?
    1. <form name="form1" method="post" action="form-email.php">   
    2.     Name: <br/>   
    3.     <input type="text" name="name" value="<?php echo $_POST['name']; ?>" size="50" /><br/><br/>   
    4.     Email Address: <br/>   
    5.     <input type="text" name="email" value="<?php echo $_POST['email']; ?>" size="50"/> <br/><br/>   
    6.     Home Page: <br/>   
    7.     <input type="text" name="homepage" value="<?php echo $_POST['homepage']; ?>" size="50" /> <br/><br/>   
    8.     Message: <br/>   
    9.     <textarea name="message" rows="5" cols="50"><?php echo $_POST['message']; ?></textarea>   
    10.     <br/>   
    11.     <input type="submit" name="Submit" />   
    12. </form>  

    Step 2 - Determine if the Form was Submitted

    You can check to see if a form was submitted by seeing if the submit button was "set". Place the following code above your form:

    view plaincopy to clipboardprint?
    1. if (isset($_POST['Submit'])) {   
    2.   
    3. }  

    Step 3 - Validating the Name and Message Field

    Since both the name and message fields will be sanitized and validated the same, we'll do them together. First, check to see if either field is blank by doing the following:

    view plaincopy to clipboardprint?
    1. if ($_POST['name'] == "")   
    2.   
    3. if ($_POST['message'] == "")  

    Next, sanitize them with the FILTER_SANITIZE_STRING constant

    view plaincopy to clipboardprint?
    1. $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);   
    2.   
    3. $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);  

    Finally, check to make sure that the two fields still are not blank. This is to ensure that after removing all illegal characters, you are not left with a blank field:

    view plaincopy to clipboardprint?
    1. if ($_POST['name'] == "")   
    2.   
    3. if ($_POST['message'] == "")  

    We won't do any validation on these two fields simply because there is no absolute way to validate against a Name or arbitrary message.

    The final code looks like this:

    view plaincopy to clipboardprint?
    1. if ($_POST['name'] != "") {   
    2.     $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);   
    3.     if ($_POST['name'] == "") {   
    4.         $errors .= 'Please enter a valid name.<br/><br/>';   
    5.     }   
    6. else {   
    7.     $errors .= 'Please enter your name.<br/>';   
    8. }   
    9.   
    10. if ($_POST['message'] != "") {   
    11.     $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);   
    12.     if ($_POST['message'] == "") {   
    13.         $errors .= 'Please enter a message to send.<br/>';   
    14.     }   
    15. else {   
    16.     $errors .= 'Please enter a message to send.<br/>';   
    17. }  

    Step 4 -- Validate the Email Field

    The email field will be sanitized and validated just as it was earlier in the tutorial.

    First, check to make sure it is not blank:

    view plaincopy to clipboardprint?
    1. if ($_POST['email'] != "")  

    Next, sanitize it:

    view plaincopy to clipboardprint?
    1. $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);  

    Finally, validate it as a true email address:

    view plaincopy to clipboardprint?
    1. if (!filter_var($email, FILTER_VALIDATE_EMAIL))  

    The final code looks like this:

    view plaincopy to clipboardprint?
    1. if ($_POST['email'] != "") {   
    2.     $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   
    3.     if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {   
    4.         $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";   
    5.     }   
    6. else {   
    7.     $errors .= 'Please enter your email address.<br/>';   
    8. }  

    Step 5 -- Validate the Home Page Field

    Again, the home page field will be sanitized and validated the same way as earlier in the tutorial.

    First, make sure it is not blank:

    view plaincopy to clipboardprint?
    1. if ($_POST['homepage'] != "")  

    Next, sanitize it and remove any illegal characters:

    view plaincopy to clipboardprint?
    1. $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL)  

    Finally, validate it to make sure it's a true URL:

    view plaincopy to clipboardprint?
    1. if (!filter_var($homepage, FILTER_VALIDATE_URL))  

    The final code looks like this:

    view plaincopy to clipboardprint?
    1. if ($_POST['homepage'] != "") {   
    2.     $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);   
    3.     if (!filter_var($homepage, FILTER_VALIDATE_URL)) {   
    4.         $errors .= "$homepage is <strong>NOT</strong> a valid URL.<br/><br/>";   
    5.     }   
    6. else {   
    7.     $errors .= 'Please enter your home page.<br/>';   
    8. }  

    Step 6 -- Check for Errors and Send the Message

    Now that we've gone through all fields, it's time to either report the errors or send the message. Start off by assuming there were no errors:

    view plaincopy to clipboardprint?
    1. if (!$errors) {  

    Then build the email message:

    view plaincopy to clipboardprint?
    1. $mail_to = 'me@somewhere.com';   
    2. $subject = 'New Mail from Form Submission';   
    3. $message  = 'From: ' . $_POST['name'] . "\n";   
    4. $message .= 'Email: ' . $_POST['email'] . "\n";   
    5. $message .= 'Homepage: ' . $_POST['homepage'] . "\n";   
    6. $message .= "Message:\n" . $_POST['message'] . "\n\n";  

    And finally, send the message:

    view plaincopy to clipboardprint?
    1. mail($to$subject$message);  

    However, if there were any errors, report them and have the user try again:

    view plaincopy to clipboardprint?
    1. echo '<div style="color: red">' . $errors . '<br/></div>';  

    The completed project looks like this:

    view plaincopy to clipboardprint?
    1. <?php   
    2.   
    3.     if (isset($_POST['Submit'])) {   
    4.   
    5.         if ($_POST['name'] != "") {   
    6.             $_POST['name'] = filter_var($_POST['name'], FILTER_SANITIZE_STRING);   
    7.             if ($_POST['name'] == "") {   
    8.                 $errors .= 'Please enter a valid name.<br/><br/>';   
    9.             }   
    10.         } else {   
    11.             $errors .= 'Please enter your name.<br/>';   
    12.         }   
    13.   
    14.         if ($_POST['email'] != "") {   
    15.             $email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);   
    16.             if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {   
    17.                 $errors .= "$email is <strong>NOT</strong> a valid email address.<br/><br/>";   
    18.             }   
    19.         } else {   
    20.             $errors .= 'Please enter your email address.<br/>';   
    21.         }   
    22.   
    23.         if ($_POST['homepage'] != "") {   
    24.             $homepage = filter_var($_POST['homepage'], FILTER_SANITIZE_URL);   
    25.             if (!filter_var($homepage, FILTER_VALIDATE_URL)) {   
    26.                 $errors .= "$homepage is <strong>NOT</strong> a valid URL.<br/><br/>";   
    27.             }   
    28.         } else {   
    29.             $errors .= 'Please enter your home page.<br/>';   
    30.         }   
    31.   
    32.         if ($_POST['message'] != "") {   
    33.             $_POST['message'] = filter_var($_POST['message'], FILTER_SANITIZE_STRING);   
    34.             if ($_POST['message'] == "") {   
    35.                 $errors .= 'Please enter a message to send.<br/>';   
    36.             }   
    37.         } else {   
    38.             $errors .= 'Please enter a message to send.<br/>';   
    39.         }   
    40.   
    41.         if (!$errors) {   
    42.             $mail_to = 'me@somewhere.com';   
    43.             $subject = 'New Mail from Form Submission';   
    44.             $message  = 'From: ' . $_POST['name'] . "\n";   
    45.             $message .= 'Email: ' . $_POST['email'] . "\n";   
    46.             $message .= 'Homepage: ' . $_POST['homepage'] . "\n";   
    47.             $message .= "Message:\n" . $_POST['message'] . "\n\n";   
    48.             mail($to$subject$message);   
    49.   
    50.             echo "Thank you for your email!<br/><br/>";   
    51.         } else {   
    52.             echo '<div style="color: red">' . $errors . '<br/></div>';   
    53.         }   
    54.     }   
    55. ?>   
    56.   
    57. <form name="form1" method="post" action="form-email.php">   
    58. Name: <br/>   
    59. <input type="text" name="name" value="<?php echo $_POST['name']; ?>" size="50" /><br/><br/>   
    60. Email Address: <br/>   
    61. <input type="text" name="email" value="<?php echo $_POST['email']; ?>" size="50"/> <br/><br/>   
    62. Home Page: <br/>   
    63. <input type="text" name="homepage" value="<?php echo $_POST['homepage']; ?>" size="50" /> <br/><br/>   
    64. Message: <br/>   
    65. <textarea name="message" rows="5" cols="50"><?php echo $_POST['message']; ?></textarea>   
    66. <br/>   
    67. <input type="submit" name="Submit" />   
    68. </form>  

    Summary

    I hope reading this tutorial gave you a good introduction to PHP's new data filtering features. There are still many more functions and rules that were not covered, so if you're interested in learning more, please see the Data Filtering section in the PHP manual.

    discuss this topic to forum

    [Print][Close][Bookmark:digg+,reddit+,del.icio.us+,dzone+]

    relation tutorial

    No information

    Category

      Ad Management (6)
      Calendars (3)
      Chat Systems (8)
      Content Management (46)
      Cookies and Sessions (12)
      Counters (16)
      Database Related (36)
      Date and Time (15)
      Development (26)
      Discussion Boards (8)
      E Commerce (9)
      Email Systems (15)
      Error Handling (8)
      File Manipulation (38)
      Flash and PHP (6)
      Form Processing (25)
      Guestbooks (13)
      Image Manipulation (26)
      Installing PHP (7)
      Introduction to PHP (31)
      Link Indexing (9)
      Mailing List Management (9)
      Miscellaneous (62)
      Networking (9)
      News Publishing (9)
      OOP (28)
      PEAR (6)
      PHP vs Other Languages (2)
      Polls and Voting (7)
      Postcards (1)
      Randomizing (15)
      Redirection (12)
      Searching (10)
      Security (32)
      Site Navigation (16)
      User Authentication (16)
      WAP and WML (7)
      Web Fetching (10)
      Web Traffic Analysis (15)
      XML and PHP (18)

    New

    Hot

    JCWcn.com
    Copyright © 2007 All rights reserved