PHP
Robust Server-Side Input Validation in PHP
Implement comprehensive server-side input validation in PHP to ensure data integrity, prevent common injection attacks, and enhance application security.
<?php
function validate_input($data, $type, $options = []) {
    // Reject non-string input up front: PHP decodes "name[]=x" into an array,
    // and trim()/filter_var() must never be handed one.
    if (!is_string($data)) {
        return false;
    }
    $data = trim($data);
    // Deliberately no stripslashes() or htmlspecialchars() here: validation has
    // to see the raw value (an encoded "'" or "&" would break the email and URL
    // checks and inflate string lengths). HTML-encode at output time instead.
    switch ($type) {
        case 'string':
            $min_length = $options['min_length'] ?? 1;
            $max_length = $options['max_length'] ?? 255;
            // Refuse malformed UTF-8 and count characters rather than bytes, so
            // the limits mean what they say for non-ASCII input.
            if (!mb_check_encoding($data, 'UTF-8')) {
                return false;
            }
            $length = mb_strlen($data, 'UTF-8');
            if ($length < $min_length || $length > $max_length) {
                return false; // Length violation
            }
            return $data;
        case 'email':
            // filter_var() returns the validated value or false.
            return filter_var($data, FILTER_VALIDATE_EMAIL);
        case 'integer':
            // Returns the int (possibly 0, which is falsy) or false; callers must
            // compare with === false rather than testing truthiness.
            return filter_var($data, FILTER_VALIDATE_INT, $options);
        case 'url':
            return filter_var($data, FILTER_VALIDATE_URL);
        case 'boolean':
            // A valid "false"/"no"/"off" must not be mistaken for a failure, so this
            // type alone returns null (not false) when the value is not a boolean.
            return filter_var($data, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
        default:
            return false; // Unknown validation type
    }
}

// Example Usage:
$username = $_POST['username'] ?? '';
$email = $_POST['email'] ?? '';
$age = $_POST['age'] ?? '';

$validated_username = validate_input($username, 'string', ['min_length' => 3, 'max_length' => 50]);
$validated_email = validate_input($email, 'email');
// FILTER_VALIDATE_INT takes its range under the 'options' key.
$validated_age = validate_input($age, 'integer', ['options' => ['min_range' => 18, 'max_range' => 99]]);

if ($validated_username === false) {
    echo "Invalid username.\n";
}
if ($validated_email === false) {
    echo "Invalid email.\n";
}
if ($validated_age === false) {
    echo "Invalid age.\n";
}

// If all validations pass, proceed with data.
if ($validated_username !== false && $validated_email !== false && $validated_age !== false) {
    echo "All inputs are valid!\n";
    // Proceed to use $validated_username, $validated_email, $validated_age
    // (e.g., save to the database through a prepared statement).
}
How it works: This PHP snippet demonstrates robust server-side input validation. It rejects non-string values, normalises the input with `trim`, then performs type-specific validation. It uses `filter_var` for emails, integers, URLs, and booleans, which provides strong type and format checking; results are compared with `=== false` so that a legitimate `0` is not mistaken for a failure, and the boolean type returns `null` on failure so that a legitimate `false` is not either. For strings, it rejects malformed UTF-8 and checks the character count against defined minimum and maximum lengths. HTML encoding with `htmlspecialchars` is deliberately left to output time: encoding before validation would change the value being checked and store encoded data. Server-side validation is critical because client-side checks can be bypassed; it ensures that only correctly formatted data reaches your application's logic and database, reducing data corruption and narrowing what an attacker can supply, while parameterised queries and output encoding remain the primary defences against injection and XSS.
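To show how the three concerns stay separate in practice, here is an added example that is not part of the original snippet: a schema-driven `validate_request()` that validates a whole request array against an allow-list of fields, followed by a `save_user()` that binds the validated values in a prepared statement and a `render_greeting()` that HTML-encodes only at output. The function names, the `$schema` layout, the `$pdo` connection and the `users` table are all assumptions made for this example; the `$sample` array is a constructed stand-in for `$_POST`.

```php
<?php
declare(strict_types=1);

// Added example (not from the original page). Hypothetical names: validate_request(),
// save_user(), render_greeting(), the $schema format and the users table.
function validate_request(array $input, array $schema): array {
    $clean = [];
    $errors = [];

    // Validate against an allow-list: any field the schema does not know is an error.
    foreach (array_diff_key($input, $schema) as $field => $_) {
        $errors[$field] = 'unexpected field';
    }

    foreach ($schema as $field => $rule) {
        $value = $input[$field] ?? null;
        if ($value === null) {
            if (empty($rule['required'])) {
                continue;
            }
            $errors[$field] = 'missing';
            continue;
        }
        // PHP decodes "field[]=x" into an array; treat anything non-string as invalid
        // instead of letting trim()/filter_var() throw or coerce it.
        if (!is_string($value)) {
            $errors[$field] = 'must be a scalar';
            continue;
        }
        $value = trim($value);

        switch ($rule['type']) {
            case 'string':
                // Character count, not byte count, and malformed UTF-8 is refused.
                $len = mb_strlen($value, 'UTF-8');
                if (!mb_check_encoding($value, 'UTF-8')
                    || $len < ($rule['min'] ?? 1) || $len > ($rule['max'] ?? 255)) {
                    $errors[$field] = 'bad length or encoding';
                } elseif (isset($rule['pattern']) && !preg_match($rule['pattern'], $value)) {
                    $errors[$field] = 'bad format';
                } else {
                    $clean[$field] = $value;
                }
                break;
            case 'int':
                $r = filter_var($value, FILTER_VALIDATE_INT, ['options' => $rule['range'] ?? []]);
                // Strict comparison: a valid "0" is falsy.
                if ($r === false) { $errors[$field] = 'not an integer in range'; } else { $clean[$field] = $r; }
                break;
            case 'email':
                $r = filter_var($value, FILTER_VALIDATE_EMAIL);
                if ($r === false) { $errors[$field] = 'not an email'; } else { $clean[$field] = $r; }
                break;
            case 'bool':
                $r = filter_var($value, FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE);
                // null means unrecognised; a valid false is a value, not a failure.
                if ($r === null) { $errors[$field] = 'not a boolean'; } else { $clean[$field] = $r; }
                break;
            default:
                $errors[$field] = 'unknown rule';
        }
    }
    return ['ok' => $errors === [], 'data' => $clean, 'errors' => $errors];
}

$schema = [
    'username'   => ['type' => 'string', 'required' => true, 'min' => 3, 'max' => 50,
                     'pattern' => '/^[A-Za-z0-9_]+$/'],
    'email'      => ['type' => 'email',  'required' => true],
    'age'        => ['type' => 'int',    'required' => true,
                     'range' => ['min_range' => 18, 'max_range' => 99]],
    'newsletter' => ['type' => 'bool'],
];

// Constructed sample input standing in for $_POST (not a real request).
$sample = ['username' => "o'brien", 'email' => 'o.brien@example.com',
           'age' => '0', 'newsletter' => 'no', 'role' => 'admin'];
$result = validate_request($sample, $schema);
// $result['ok'] is false; $result['errors'] holds 'role' (unexpected field),
// 'username' (bad format) and 'age' (not an integer in range). 'newsletter'
// validates to boolean false and 'email' is accepted into $result['data'].

// Validated data still reaches the database through bound parameters, never string
// concatenation: validation narrows the input, parameterisation keeps it data.
function save_user(PDO $pdo, array $d): void {
    $stmt = $pdo->prepare(
        'INSERT INTO users (username, email, age, newsletter) VALUES (:u, :e, :a, :n)'
    );
    $stmt->execute([
        ':u' => $d['username'], ':e' => $d['email'],
        ':a' => $d['age'],      ':n' => (int) ($d['newsletter'] ?? false),
    ]);
}

// HTML encoding happens at output time, on the stored value, not inside validation.
function render_greeting(array $d): string {
    return '<p>Hello, ' . htmlspecialchars($d['username'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}
```

Call `save_user($pdo, $result['data'])` and `render_greeting($result['data'])` only when `$result['ok']` is true. The point of the split is that each layer does one job: the validator decides what shape the data must have, the prepared statement keeps it from being interpreted as SQL, and `htmlspecialchars` keeps it from being interpreted as HTML at the one place where that matters.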