PHP Form Sanitization – Step-by-Step Guide
What is PHP Form Sanitization?
PHP Form Sanitization is the process of removing or encoding characters in user input that a downstream consumer, such as an HTML page or a database, would otherwise interpret as markup or code. It is one layer of input handling alongside validation (rejecting input that does not match what the application expects) and context-specific output encoding. In the form-handling code on this page it:
- Prevents XSS, by HTML-encoding input before it is echoed back into the page
- Helps stop SQL Injection only when combined with prepared statements; HTML encoding on its own does nothing for a database query
- Enhances data integrity, by trimming whitespace and discarding malformed e-mail addresses
Basic HTML Form
<form method="POST" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"], ENT_QUOTES, 'UTF-8'); ?>">
    <label for="username">Username:</label>
    <input type="text" id="username" name="username" maxlength="50">
    <label for="email">Email:</label>
    <input type="email" id="email" name="email" maxlength="254">
    <label for="message">Message:</label>
    <textarea id="message" name="message" maxlength="1000"></textarea>
    <input type="submit" value="Submit">
</form>
Handling Form Data in PHP
Step 1: Initialize Variables
$username = $email = $message = "";
Step 2: Sanitize Input
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    // The ?? fallback avoids an "undefined index" warning when a field is missing from the request
    $username = sanitizeInput($_POST["username"] ?? "");
    $email = sanitizeEmail($_POST["email"] ?? "");
    $message = sanitizeInput($_POST["message"] ?? "");
}
Sanitize Functions
function sanitizeInput($data) {
    if (!is_string($data)) return "";  // a field sent as username[]=x arrives as an array
    $data = trim($data);               // Remove leading and trailing whitespace
    // stripslashes() is omitted: it only reversed magic_quotes_gpc (gone since PHP 5.4)
    // and mangles legitimate backslashes. ENT_QUOTES also encodes single quotes, which
    // the pre-8.1 default (ENT_COMPAT) leaves alone; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning "" for the whole string
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function sanitizeEmail($email) {
    if (!is_string($email)) return "";
    // FILTER_SANITIZE_EMAIL only strips characters that can never occur in an address;
    // FILTER_VALIDATE_EMAIL then rejects anything that is still not well formed
    $email = filter_var(trim($email), FILTER_SANITIZE_EMAIL);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : "";
}
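The flags passed to htmlspecialchars(), and the difference between sanitizing and validating an e-mail address, are easier to see with hostile input. The script below is an added example, not code from the original tutorial: it runs a legacy encoder with the pre-PHP-8.1 default flags next to a hardened one, renders both into a single-quoted attribute, and feeds FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL the same addresses. The payload strings and addresses are constructed for the demonstration; run it with `php sanitize_demo.php`.

```php
<?php
declare(strict_types=1);

// Added example: compare the tutorial's flag-less htmlspecialchars() with a hardened
// encoder, and FILTER_SANITIZE_EMAIL with FILTER_VALIDATE_EMAIL. Inputs are constructed.

// What htmlspecialchars($data) meant before PHP 8.1: ENT_COMPAT, so only double quotes
// are encoded and a single quote passes through untouched.
function encodeLegacy(string $data): string {
    return htmlspecialchars(trim($data), ENT_COMPAT);
}

// Hardened encoder: both quote styles, invalid UTF-8 replaced instead of the whole
// string being dropped, and the charset named explicitly.
function encodeSafe(string $data): string {
    return htmlspecialchars(trim($data), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A template that places the value in a single-quoted attribute.
function render(string $encoded): string {
    return "<input type='text' value='" . $encoded . "'>";
}

// Constructed payload: closes the attribute and adds an event handler.
$payload = "' autofocus onfocus='alert(1)";

echo "Legacy (ENT_COMPAT):\n  " . render(encodeLegacy($payload)) . "\n";
// the ' survives, so the browser sees a new onfocus attribute: XSS
echo "Hardened (ENT_QUOTES):\n  " . render(encodeSafe($payload)) . "\n";
// the ' becomes &apos; and the value stays inside the attribute

// Invalid UTF-8: without ENT_SUBSTITUTE htmlspecialchars() returns "" and the
// input silently disappears; with it, the bad byte becomes U+FFFD.
$broken = "caf\xC3";  // truncated multibyte sequence
var_dump(htmlspecialchars($broken, ENT_QUOTES, 'UTF-8') === "");  // bool(true)
echo encodeSafe($broken) . "\n";

// Sanitizing an e-mail address is not validating it.
$emails = [
    "alice@example.com",
    "alice@@example..com",      // sanitize leaves this intact; validate rejects it
    "bob<script>@example.com",  // sanitize strips < > and the result looks legitimate
];
foreach ($emails as $candidate) {
    $sanitized = filter_var($candidate, FILTER_SANITIZE_EMAIL);
    $valid = filter_var($sanitized, FILTER_VALIDATE_EMAIL) !== false;
    printf("%-26s sanitized=%-22s valid=%s\n", $candidate, $sanitized, $valid ? 'yes' : 'no');
}
```

The third address shows why a sanitizer is a poor substitute for a validator: after stripping, "bobscript@example.com" passes validation even though it is not what the user typed. Rejecting malformed input and telling the user is usually the better behaviour.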
Display the Sanitized Data
echo "<h3>Sanitized Input:</h3>";
echo "Username: $username <br>";   // already HTML-encoded by sanitizeInput()
// sanitizeEmail() does not HTML-encode, so encode here, at the point of output
echo "Email: " . htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . " <br>";
echo "Message: $message";
Best Practices for Secure Form Sanitization
- Use htmlspecialchars() with ENT_QUOTES and an explicit charset when echoing user input into HTML, to prevent XSS; encode at the point of output, for the context the value lands in
- Validate input with filter_var() and FILTER_VALIDATE_EMAIL; FILTER_SANITIZE_EMAIL only strips characters and passes malformed addresses through
- Avoid building SQL from strings; use prepared statements (PDO or MySQLi) with bound parameters, which htmlspecialchars() does not replace
- Enforce input length limits on the server (a maxlength attribute is only a hint to the browser) to limit storage abuse and denial of service; PHP strings do not overflow, so this is about resource limits, not memory corruption
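The list above is more useful with the pieces put together. The script below is an added example, not code from the original tutorial: it validates a username instead of stripping characters from it, runs a concatenated query and a prepared statement against the same constructed injection string using an in-memory SQLite database, and encodes the stored values at the point of output. The users table, its two rows and the `' OR '1'='1` payload are constructed for the demonstration; it assumes PHP 8 with the pdo_sqlite extension and runs offline with `php best_practices_demo.php`.

```php
<?php
declare(strict_types=1);

// Added example (not from the original tutorial): the best-practice list applied to a
// username lookup. In-memory SQLite via PDO so it runs offline; needs pdo_sqlite.

const MAX_USERNAME = 50;

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)");
    $seed = $pdo->prepare("INSERT INTO users (username, email) VALUES (:u, :e)");
    $seed->execute([':u' => 'alice', ':e' => 'alice@example.com']);  // constructed rows
    $seed->execute([':u' => 'bob',   ':e' => 'bob@example.com']);
    return $pdo;
}

// Validation: accept only what the application expects rather than stripping "bad"
// characters. The length check runs server-side; maxlength in HTML is only a hint.
function validateUsername(mixed $raw): ?string {
    if (!is_string($raw)) return null;              // username[]=x arrives as an array
    $raw = trim($raw);
    if ($raw === '' || mb_strlen($raw, 'UTF-8') > MAX_USERNAME) return null;
    return preg_match('/\A[A-Za-z0-9_.-]+\z/', $raw) === 1 ? $raw : null;
}

// The "raw database query" the best-practice list warns against.
function lookupUnsafe(PDO $pdo, string $username): array {
    $sql = "SELECT username, email FROM users WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels as a bound parameter and cannot alter the query.
function lookupSafe(PDO $pdo, string $username): array {
    $stmt = $pdo->prepare("SELECT username, email FROM users WHERE username = :u");
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for an HTML text or attribute context, applied when rendering.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$pdo = connect();
$payload = "' OR '1'='1";  // constructed injection string

echo "Unsafe: " . count(lookupUnsafe($pdo, $payload)) . " row(s) for injected input\n";  // 2
echo "Safe:   " . count(lookupSafe($pdo, $payload))   . " row(s) for injected input\n";  // 0

// Validation alone would already have refused the payload and the array trick.
var_dump(validateUsername($payload));    // NULL
var_dump(validateUsername(['x']));       // NULL
var_dump(validateUsername('  alice '));  // string(5) "alice"

// Render stored values: encode here, not when they were stored.
foreach (lookupSafe($pdo, 'alice') as $row) {
    echo "<p>Username: " . e($row['username']) . " Email: " . e($row['email']) . "</p>\n";
}
```

The concatenated query returns both seeded rows because the payload turns the WHERE clause into `username = '' OR '1'='1'`; the prepared statement looks for a user literally named `' OR '1'='1` and finds none. Keeping values raw in the database and encoding with e() at output also means the same record can later be emitted as JSON or plain text without first undoing HTML entities.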
Complete PHP Form Sanitization Code
<?php
$username = $email = $message = "";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
    $username = sanitizeInput($_POST["username"] ?? "");
    $email = sanitizeEmail($_POST["email"] ?? "");
    $message = sanitizeInput($_POST["message"] ?? "");
}
function sanitizeInput($data) {
    if (!is_string($data)) return "";  // reject a field submitted as an array
    $data = trim($data);
    return htmlspecialchars($data, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function sanitizeEmail($email) {
    if (!is_string($email)) return "";
    $email = filter_var(trim($email), FILTER_SANITIZE_EMAIL);
    return filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? $email : "";
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>PHP Form Sanitization</title>
</head>
<body>
    <form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
        <label for="username">Username:</label>
        <input type="text" id="username" name="username" maxlength="50">
        <label for="email">Email:</label>
        <input type="email" id="email" name="email" maxlength="254">
        <label for="message">Message:</label>
        <textarea id="message" name="message" maxlength="1000"></textarea>
        <input type="submit" value="Submit">
    </form>
    <h3>Sanitized Input:</h3>
    <p>Username: <?php echo $username; ?></p>
    <p>Email: <?php echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8'); ?></p>
    <p>Message: <?php echo $message; ?></p>
</body>
</html>
