Sanitizing user input is an essential part of securing PHP applications. PHP's sanitize filters remove unwanted or potentially harmful characters from user data, which helps reduce security risks such as Cross-Site Scripting (XSS) and malformed input handling.
PHP provides filter_var() to sanitize data using predefined filter constants (FILTER_SANITIZE_*); the matching FILTER_VALIDATE_* constants check whether a value is well-formed.
Syntax:
filter_var(mixed $value, int $filter = FILTER_DEFAULT, array|int $options = 0): mixed
<?php
// Sanitizing different types of user input using PHP filters
$email = "john.doe@example..com";
$url = "http://www.example.com/<script>alert('hack');</script>";
$dirty_string = "<h1>Hello World!</h1><script>alert('hack');</script>";
$number = "12345abc6789";
$float = "12.34abc56.78";

// Each sanitize filter keeps only the characters in its own allowed set and drops the rest
$sanitized_email = filter_var($email, FILTER_SANITIZE_EMAIL);
$sanitized_url = filter_var($url, FILTER_SANITIZE_URL);
// FILTER_SANITIZE_STRING strips tags and encodes quotes; it is deprecated as of PHP 8.1,
// and htmlspecialchars() at output time is the usual replacement
$sanitized_string = filter_var($dirty_string, FILTER_SANITIZE_STRING);
$sanitized_number = filter_var($number, FILTER_SANITIZE_NUMBER_INT);
// Flags go in the third argument (or as ['flags' => ...] inside an options array)
$sanitized_float = filter_var($float, FILTER_SANITIZE_NUMBER_FLOAT, FILTER_FLAG_ALLOW_FRACTION);

echo $sanitized_email, PHP_EOL;
echo $sanitized_url, PHP_EOL;
echo $sanitized_string, PHP_EOL;
echo $sanitized_number, PHP_EOL;
echo $sanitized_float, PHP_EOL;
Each sanitize filter removes the characters that are not allowed for its kind of value.
Think of sanitization as a sieve: unsafe characters fall through, while safe characters remain usable for your application.
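The sieve picture has a limit worth seeing in code: a sanitize filter only drops characters outside its allowed set, it does not check that what remains is well-formed, and it does not make the value safe to print into HTML. The example below is added here and is not code from the original page. It runs each sanitize filter, then the matching validate filter on the result, and encodes the value with htmlspecialchars() before echoing it into markup. The function names sanitizeThenValidate() and forHtml(), the parameter names, and the $samples array are this example's own choices; it assumes PHP 8.0 or later for union types and str_contains().

```php
<?php
// Added example (not part of the original page): sanitize, then validate, then
// encode on output. A sanitize filter only removes characters outside its own
// allowed set; it does not decide whether the value is well-formed, and it does
// not make the value safe to print into HTML.

declare(strict_types=1);

/**
 * Run a sanitize filter, then the matching validate filter on the result.
 * $raw, $sanitizeFilter, $validateFilter and $sanitizeOptions are names chosen
 * for this example, not part of PHP's API.
 */
function sanitizeThenValidate(
    string $raw,
    int $sanitizeFilter,
    int $validateFilter,
    array|int $sanitizeOptions = 0
): array {
    $sanitized = filter_var($raw, $sanitizeFilter, $sanitizeOptions);
    // Validate filters return false on failure, so 'value' is only usable when 'valid' is true
    $validated = filter_var($sanitized, $validateFilter);

    return [
        'sanitized' => $sanitized,
        'valid'     => $validated !== false,
        'value'     => $validated,
    ];
}

/** Encode a string for insertion into HTML text or a quoted attribute. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed inputs, the same ones used in the page's example
$samples = [
    'email' => ['john.doe@example..com', FILTER_SANITIZE_EMAIL, FILTER_VALIDATE_EMAIL, 0],
    'url'   => ["http://www.example.com/<script>alert('hack');</script>", FILTER_SANITIZE_URL, FILTER_VALIDATE_URL, 0],
    'int'   => ['12345abc6789', FILTER_SANITIZE_NUMBER_INT, FILTER_VALIDATE_INT, 0],
    'float' => ['12.34abc56.78', FILTER_SANITIZE_NUMBER_FLOAT, FILTER_VALIDATE_FLOAT, ['flags' => FILTER_FLAG_ALLOW_FRACTION]],
];

foreach ($samples as $name => [$raw, $sanitize, $validate, $options]) {
    $result = sanitizeThenValidate($raw, $sanitize, $validate, $options);
    printf(
        "%-5s raw=%s\n      sanitized=%s\n      valid=%s\n",
        $name,
        $raw,
        $result['sanitized'],
        $result['valid'] ? 'yes' : 'no'
    );
}

// FILTER_SANITIZE_URL keeps < > ' ( ) ; and / because they are legal URL
// characters, so the script text survives sanitizing. Only output encoding
// stops it from being interpreted as markup when echoed into a page.
$urlResult = sanitizeThenValidate($samples['url'][0], FILTER_SANITIZE_URL, FILTER_VALIDATE_URL);
if (str_contains($urlResult['sanitized'], '<script>')) {
    echo "sanitized URL still contains the script text; encode it before output", PHP_EOL;
}
echo '<a href="', forHtml($urlResult['sanitized']), '">link</a>', PHP_EOL;
```

Two of the sanitized values still fail validation: the double-dot e-mail address and the float with two decimal points are made of allowed characters, so the sanitize filters leave them alone, and only FILTER_VALIDATE_EMAIL and FILTER_VALIDATE_FLOAT reject them. The URL case shows the other half of the point: FILTER_SANITIZE_URL removes nothing from the script payload, so the place to neutralise it is the output encoder, which is also the replacement for the deprecated FILTER_SANITIZE_STRING filter.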