Cleaning PHP input variables before MYSQL insertion

Ensuring that you properly sanitize your PHP input variables is an essential first step in making your website secure. Unfortunately, thousands of websites and scripts on the internet do not properly filter variables, leaving a very large security vulnerability in those websites. This article is designed to help you understand both why you need to filter your variables and how to filter them.


Gaining Understanding

This article provides information on securing your input variables to keep your site and database secure. It is not a complete run-down of internet security. The first step in understanding how to secure your input variables is to understand why they need to be secured. As a developer, you should realize that user input should never be trusted, no matter what the situation is. This, combined with an understanding of how PHP and MySQL work, will give you the tools necessary to secure all of your PHP scripts and forms.

Let's get started by creating a simple HTML form.

<form action="" method="post">
<input type="text" name="fName" maxlength="20" /><br />
<input type="text" name="email" maxlength="50" /><br />
<input type="text" name="age" maxlength="3" /><br />
<input type="submit" value="addUser" /><br />
</form>


Right off the bat you should notice that we are limiting the number of characters the user can enter in the input boxes. This helps ensure that the user does not enter a long string, which would most likely be for the sole purpose of attempting an SQL injection attack (look for a follow-up post on this soon). However, maxlength is only enforced by the browser, so we still need to check the length of the values on the server side with PHP to ensure that an attacker is not submitting the form from another machine without those limits.

PHP Sanitization Functions

Some essential built-in PHP functions that you need to know when getting started with PHP input sanitation are:

Your Custom Functions

When sanitizing variables, I find it best to create a specific function for each type of variable that I am sanitizing. For example, a function named sanitizeName will be created for the users' names, and so on. Let's make some functions to sanitize each of our inputs. First we'll start with the user's age, then their name, and finally their email address.

if (isset($_POST['fName'])) {            // the form field above is named fName
  $name = sanitizeName($_POST['fName']);
  if ($name === false) {                 // strict comparison: a name of "0" is not a failure
    echo 'Please input a valid name!';
  }
  else {
    // insert MySQL Query Here
  }
}

function sanitizeName($name) {
  if (strlen($name) > 50) {
    return false;                        // too long to be a valid name
  }
  else if (empty($name)) {
    return false;                        // nothing was submitted
  }
  else {
    $name = strip_tags($name);                   // remove any HTML tags
    $name = mysql_real_escape_string($name);     // escape for the open MySQL connection
    return $name;
  }
}


So first things first, the script checks to see if the form was submitted via POST. If so, it runs the variable through the sanitizeName function. The function first checks whether the name is longer than 50 characters. If it is, it returns false, signifying that the name is not valid. Next, it checks that the variable actually has data inside of it. If not, it also returns false. Finally, it actually sanitizes the input to ensure that it is safe to place into the database. The following functions work in the same way.

function sanitizeAge($age) {
  // strip any tags, force the value to an integer, then escape it for MySQL
  $age = mysql_real_escape_string(intval(strip_tags($age)));
  return $age;
}

if (isset($_POST['age'])) {
  $age = sanitizeAge($_POST['age']);
}


This function is very similar to the previous one; however, you might notice the intval() function, which converts the value into an integer, since an age should always be an integer. intval() is pretty good at ensuring that there are no unwanted values in the variable; the strip_tags and mysql_real_escape_string calls are just for good measure.

For validating email addresses there are numerous regular expressions available on the internet; however, there is also a built-in PHP function that does a pretty good job at this.

function sanitizeEmail($email) {
  // returns the address if it is syntactically valid, or false if it is not
  $email = filter_var($email, FILTER_VALIDATE_EMAIL);
  return $email;
}

if (isset($_POST['email'])) {
  $email = sanitizeEmail($_POST['email']);
}


The FILTER_VALIDATE_EMAIL filter is criticized by some, but for 99% of sites it will work perfectly. If you want a perfect solution, you should look into learning how regular expressions work. I'm going to write a feature on them soon.
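As an added example that is not code from the original post, here are the three checks above rewritten for current PHP (7.1 or later). Each validator returns the cleaned value or null, so a legitimate value such as "0" can never be confused with a failure, and the insert uses a PDO prepared statement with bound parameters, which replaces mysql_real_escape_string (removed in PHP 7) and keeps user input out of the SQL text entirely. The DSN, credentials, the users table and its column names are assumptions, and postField() is a helper of mine, not a PHP built-in.

```php
<?php
// Added example, not from the original post. Validates the form's three fields
// server-side and inserts them with a PDO prepared statement. Connection details,
// the table name and the column names below are assumed placeholders.
declare(strict_types=1);

/** Reads a POST field as a string; array-valued fields (fName[]=x) count as missing. */
function postField(string $key): string
{
    $value = $_POST[$key] ?? '';
    return is_string($value) ? $value : '';
}

/** Returns the trimmed name, or null if it is empty or exceeds the form's maxlength. */
function validateName(string $name): ?string
{
    $name = trim(strip_tags($name));
    // mb_strlen counts characters like the browser's maxlength does (needs the mbstring extension)
    if ($name === '' || mb_strlen($name) > 20) {
        return null;
    }
    return $name;
}

/** Returns the age as an int within a plausible range, or null. */
function validateAge(string $age): ?int
{
    // FILTER_VALIDATE_INT rejects "12abc" outright, whereas intval() would silently return 12.
    $value = filter_var($age, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $value === false ? null : $value;
}

/** Returns the email address if it is syntactically valid and fits the column, or null. */
function validateEmail(string $email): ?string
{
    $value = filter_var(trim($email), FILTER_VALIDATE_EMAIL);
    if ($value === false || strlen($value) > 50) {
        return null;
    }
    return $value;
}

/**
 * Inserts a validated user. The values travel to MySQL as bound parameters,
 * so they are never interpolated into the SQL text and need no escaping.
 */
function insertUser(PDO $db, string $name, int $age, string $email): void
{
    $stmt = $db->prepare('INSERT INTO users (fName, email, age) VALUES (:name, :email, :age)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $name  = validateName(postField('fName'));
    $age   = validateAge(postField('age'));
    $email = validateEmail(postField('email'));

    if ($name === null || $age === null || $email === null) {
        echo 'Please fill in a valid name, age and email address.';
    } else {
        // Assumed connection details; replace with your own.
        $db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
        ]);
        insertUser($db, $name, $age, $email);
        echo 'User added.';
    }
}
```

Note that validation and SQL safety are separate jobs here: the validators decide whether the value is acceptable for your application, while the prepared statement is what makes the insert safe regardless of what the string contains. If the name is later displayed on a page, escape it on output with htmlspecialchars() rather than relying on strip_tags() at input time.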

I hope this article has helped you learn some techniques and functions that you can use to filter your input variables. I hope you don't just copy these functions and throw them into your scripts, but instead learn how each PHP function can best be used and integrated into your project.
