Use filter_var() to validate emails, URLs, and IPs; 2. Sanitize inputs with filter_var() and trim(); 3. Apply regex for custom rules like passwords; 4. Check form submission with isset() and empty(); 5. Validate file size, type, and store securely.
1. Validate Form Data Using Filter Functions
The filter_var() function in PHP provides a built-in way to validate data such as emails, URLs, and IP addresses. It uses predefined filters to check if the input matches expected formats.
- Use filter_var($email, FILTER_VALIDATE_EMAIL) to verify if an email address is correctly formatted
- Apply filter_var($url, FILTER_VALIDATE_URL) for validating web addresses
- Utilize filter_var($ip, FILTER_VALIDATE_IP) to confirm valid IP address entries
Always sanitize after validation when processing user inputs for databases or outputs
2. Sanitize Input with Filter Sanitization
Sanitizing removes or encodes unwanted characters from input without rejecting it entirely. This step ensures potentially harmful content like script tags doesn't pass through.
- Use filter_var($input, FILTER_SANITIZE_STRING) to strip HTML and PHP tags from text
- Apply filter_var($input, FILTER_SANITIZE_SPECIAL_CHARS) to convert special characters into HTML entities
- Combine sanitization with trimming using trim() to remove extra whitespace
Sanitization does not replace validation — always validate after sanitizing when strict format compliance is required
立即学习“PHP免费学习笔记(深入)”;
3. Implement Custom Validation Logic with Regular Expressions
For complex rules like password strength or custom ID formats, regular expressions offer precise control over pattern matching within strings.
- Use preg_match('/^[a-zA-Z0-9]{8,}$/', $password) to enforce minimum 8-character alphanumeric passwords
- Create patterns for phone numbers: preg_match('/^\+?[0-9]{10,15}$/', $phone)
- Validate usernames with allowed characters only: preg_match('/^[a-z_][a-z0-9_]*$/', $username)
Test regex patterns thoroughly — small errors can allow invalid or malicious input
4. Use isset() and empty() to Check Submission Status
Before processing any form field, ensure the data was actually submitted and contains meaningful values. These functions help prevent undefined index warnings.
- Check if a POST variable exists using isset($_POST['field_name'])
- Determine if a value has content via !empty($_POST['field_name'])
- Combine both checks: if (isset($_POST['submit']) && !empty($_POST['email'])) { ... }
Never assume form data exists — always verify presence before accessing
5. Secure File Uploads Through Type and Size Validation
When handling file uploads, validate both the file type and size on the server side, as client-side checks can be bypassed easily.
- Check $_FILES['file']['size'] against a maximum limit like 2MB
- Verify MIME type using finfo_file(finfo_open(FILEINFO_MIME_TYPE), $_FILES['file']['tmp_name'])
- Restrict allowed extensions by comparing against a whitelist array
- Store uploaded files outside the web root or rename them to prevent execution
Never trust the 'type' attribute from $_FILES — always inspect the actual file content
