Use filter_var() to validate emails, URLs, and IPs; 2. Sanitize inputs with filter_var() and trim(); 3. Apply regex for custom rules like passwords; 4. Check form submission with isset() and empty(); 5. Validate file size, type, and store securely.
1. Validate Form Data Using Filter Functions
The filter_var() function in PHP provides a built-in way to validate data such as emails, URLs, and IP addresses. It uses predefined filters to check if the input matches expected formats.
- Use filter_var($email, FILTER_VALIDATE_EMAIL) to verify if an email address is correctly formatted
- Apply filter_var($url, FILTER_VALIDATE_URL) for validating web addresses
- Utilize filter_var($ip, FILTER_VALIDATE_IP) to confirm valid IP address entries
Always sanitize after validation when processing user inputs for databases or outputs
2. Sanitize Input with Filter Sanitization
Sanitizing removes or encodes unwanted characters from input without rejecting it entirely. This step ensures potentially harmful content like script tags doesn't pass through.
- Use filter_var($input, FILTER_SANITIZE_STRING) to strip HTML and PHP tags from text
- Apply filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS) to convert special characters into HTML entities
- Combine sanitization with trimming using trim() to remove extra whitespace
Sanitization does not replace validation — always validate after sanitizing when strict format compliance is required
立即学习“PHP免费学习笔记(深入)”;
3. Implement Custom Validation Logic with Regular Expressions
For complex rules like password strength or custom ID formats, regular expressions offer precise control over pattern matching within strings.
动态WEB网站中的PHP和MySQL详细反映实际程序的需求,仔细地探讨外部数据的验证(例如信用卡卡号的格式)、用户登录以及如何使用模板建立网页的标准外观。动态WEB网站中的PHP和MySQL的内容不仅仅是这些。书中还提到如何串联JavaScript与PHP让用户操作时更快、更方便。还有正确处理用户输入错误的方法,让网站看起来更专业。另外还引入大量来自PEAR外挂函数库的强大功能,对常用的、强大的包
- Use preg_match('/^[a-zA-Z0-9]{8,}$/', $password) to enforce minimum 8-character alphanumeric passwords
- Create patterns for phone numbers: preg_match('/^\+?[0-9]{10,15}$/', $phone)
- Validate usernames with allowed characters only: preg_match('/^[a-z_][a-z0-9_]*$/', $username)
Test regex patterns thoroughly — small errors can allow invalid or malicious input
4. Use isset() and empty() to Check Submission Status
Before processing any form field, ensure the data was actually submitted and contains meaningful values. These functions help prevent undefined index warnings.
- Check if a POST variable exists using isset($_POST['field_name'])
- Determine if a value has content via !empty($_POST['field_name'])
- Combine both checks: if (isset($_POST['submit']) && !empty($_POST['email'])) { ... }
Never assume form data exists — always verify presence before accessing
5. Secure File Uploads Through Type and Size Validation
When handling file uploads, validate both the file type and size on the server side, as client-side checks can be bypassed easily.
- Check $_FILES['file']['size'] against a maximum limit like 2MB
- Verify MIME type using finfo_file(finfo_open(FILEINFO_MIME_TYPE), $_FILES['file']['tmp_name'])
- Restrict allowed extensions by comparing against a whitelist array
- Store uploaded files outside the web root or rename them to prevent execution
Never trust the 'type' attribute from $_FILES — always inspect the actual file content
