Input Validation in PHP

By: Andi, Stig and Derick  

One essential technique to protect your web site from users is input validation, which is an impressive term that doesn’t mean much at all. The term simply means that you need to check all input that comes from the user, whether the data comes from cookies, GET, or POST data.

First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). The register_globals setting stops the registration of request data (Cookie, Session, GET, and POST variables) as global variables in your script; the high error_level setting will enable notices for uninitialized variables.

For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:


$product_id = (int) $_GET['prod_id'];


Everything other than an integer value is converted to 0. But, what if $_GET['prod_id'] doesn’t exist? You will receive a notice because we turned the error_level setting up. A better way to validate the input would be


if (!isset($_GET['prod_id'])) {

die ("Error, product ID was not set");


$product_id = (int) $_GET['prod_id'];


However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:


function sanitize_vars(&$vars, $signatures, $redir_url = null)


$tmp = array();

/* Walk through the signatures and add them to the temporary

* array $tmp */

foreach ($signatures as $name => $sig) {

if (!isset($vars[$name]]) &&

isset($sig['required']) && $sig['required'])


/* redirect if the variable doesn't exist in the array */

if ($redir_url) {

header("Location: $redir_url");

} else {

echo 'Parameter $name not present and no redirect URL';




/* apply type to variable */

$tmp[$name] = $vars[$name];

if (isset($sig['type'])) {

settype($tmp[$name], $sig['type']);


/* apply functions to the variables, you can use the standard PHP

* functions, but also use your own for added flexibility. */

if (isset($sig['function'])) {

$tmp[$name] = {$sig['function']}($tmp[$name]);



$vars = $tmp;


$sigs = array(

'prod_id' => array('required' => true, 'type' => 'int'),

'desc' => array('required' => true, 'type' => 'string',

'function' => 'addslashes')


sanitize_vars(&$_GET, $sigs,

"http:// {$_SERVER['SERVER_NAME']}/error.php?cause=vars");


Archived Comments

1. Paragraph writing is also a fun, if you know afterward you can write or else it is difficult tto wri
View Tutorial          By: barcelona escorts at 2017-05-17 23:15:38

2. JasonNix
View Tutorial          By: JasonNix at 2017-03-11 04:48:57

3. liaidlizefish56
View Tutorial          By: liaidlizefish70 at 2017-03-08 08:57:19

4. Type error : if (!isset($vars[$name]]) &&
has to be: if (!isset($vars[$name]) &

View Tutorial          By: Penko at 2010-07-03 11:11:56

Most Viewed Articles (in PHP )

.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

Different versions of PHP - History and evolution of PHP

Warning: session_start(): open .... failed - PHP error


PHP 5.1.4 INSTALLATION on Solaris 9 (Sparc)

Building PHP 5.x with Apache2 on SuSE Professional 9.1/9.2

Installing PHP 5.x with Apache 2.x on HP UX 11i and configuring PHP 5.x with Oracle 9i

Cannot load /usr/local/apache/libexec/ into server:

Setting up PHP in Windows 2003 Server IIS7, and WinXP 64

error: "Service Unavailable" after installing PHP to a Windows XP x64 Pro

Running different websites on different versions of PHP in Windows 2003 & IIS6 platform

Function to return number of digits of an integer in PHP

Function to sort array by elements and count of element in PHP

Function to force strict boolean values in PHP

Function to convert strings to strict booleans in PHP

Latest Articles (in PHP)

Comment on this tutorial