
PHP Filters & Validation

Validating and sanitizing external data is one of the most important aspects of web security. You should **never trust user input**. PHP filters are used to check if the data is in the correct format (Validation) and to remove illegal characters (Sanitization).


Validation vs. Sanitization

  • Validation: Determines if the data is in the proper form (e.g., Is this a real email address? Is this an integer?). It returns true or false.
  • Sanitization: Removes any illegal or potentially harmful characters from the data (e.g., removing HTML tags from a comment). It returns the "clean" string.

The filter_var() Function

The filter_var() function is the primary way to use filters in PHP. It takes the variable you want to check and the type of filter to apply.

1. Validating an Email

<?php
    $email = "john.doe@example.com";

    // filter_var() returns the filtered value on success, or false on failure
    if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
        echo("$email is a valid email address");
    } else {
        echo("$email is not a valid email address");
    }
?>

2. Sanitizing and Validating a URL

<?php
    $url = "https://www.redohub.com";

    // Remove illegal characters from URL
    $url = filter_var($url, FILTER_SANITIZE_URL);

    // Validate URL
    if (filter_var($url, FILTER_VALIDATE_URL)) {
        echo("$url is a valid URL");
    } else {
        echo("$url is not a valid URL");
    }
?>

Commonly Used Filters

Filter Name                   | Type         | Description
------------------------------|--------------|---------------------------------------------
FILTER_VALIDATE_INT           | Validation   | Validates an integer.
FILTER_VALIDATE_IP            | Validation   | Validates an IP address.
FILTER_SANITIZE_EMAIL         | Sanitization | Removes all illegal characters from an email.
FILTER_SANITIZE_SPECIAL_CHARS | Sanitization | Escapes special characters (like <, >, &).
Pro Tip: FILTER_SANITIZE_STRING is deprecated as of PHP 8.1. Use htmlspecialchars() instead to prevent Cross-Site Scripting (XSS) attacks.

Why is Filtering Important?

  • Security: Reduces exposure to XSS, SQL Injection, and other injection attacks. Filtering is one layer; escaping output and using prepared statements are still required.
  • Data Integrity: Ensures your database contains clean, properly formatted information.
  • User Experience: Catches errors early and gives users helpful feedback when they submit a form.
Tip: You can also use filter_input() to get and filter a variable directly from $_GET, $_POST, or $_COOKIE.
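Putting these pieces together as an added example (not code from the original page): validating several fields of a constructed form submission with filter options and flags, checking each result with === false, and escaping free text with htmlspecialchars() before output. The $request array is an assumption that stands in for $_POST.

```php
<?php
// Added example, not from the original page: validating a constructed signup
// request with filter_var() options and flags, then escaping text for output.
// $request stands in for $_POST; with a real form you would call
// filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, $options) instead.
$request = [                          // constructed sample input
    'email' => 'john.doe@example.com',
    'age'   => '0',                   // legitimate value that is "falsy"
    'ip'    => '203.0.113.10',        // documentation (TEST-NET-3) address
    'bio'   => '<script>alert(1)</script> Hello',
];
$errors = [];

// Validation filters return the filtered value on success and false on
// failure, so compare with === false: a plain if ($age) would reject 0.
$email = filter_var($request['email'], FILTER_VALIDATE_EMAIL);
if ($email === false) {
    $errors[] = 'Invalid email address';
}

// Options constrain a filter; here the integer must lie within a range.
$age = filter_var($request['age'], FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 0, 'max_range' => 130],
]);
if ($age === false) {
    $errors[] = 'Age must be an integer between 0 and 130';
}

// Flags narrow a filter: IPv4 only, and private ranges are rejected.
$ip = filter_var($request['ip'], FILTER_VALIDATE_IP,
                 FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE);
if ($ip === false) {
    $errors[] = 'IP must be a public IPv4 address';
}

// Sanitization does not make free text safe for HTML. Keep the raw text and
// escape it at output time (FILTER_SANITIZE_STRING is deprecated since 8.1).
$safeBio = htmlspecialchars(trim($request['bio']), ENT_QUOTES | ENT_HTML5, 'UTF-8');

if ($errors) {
    foreach ($errors as $e) {
        echo "Error: $e\n";
    }
} else {
    echo "Welcome $email (age $age) from $ip\n";
    echo "<p>$safeBio</p>\n";
}
?>
```

With the sample input all four checks pass, and the script tag in the bio is rendered as literal text rather than executed.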

Summary

  • Validation checks if data is correct.
  • Sanitization cleans data.
  • filter_var() is the main function for filtering.
  • Never trust external data (User Input).