How to Properly Sanitize User Input in PHP

Sanitizing user input is critical to protecting web applications from threats such as SQL injection and cross-site scripting (XSS). However, it is important to understand that there is no “catchall” function for all types of input sanitization in PHP, as different contexts require different approaches.

This blog post explores various methods for sanitizing input and securing your PHP application, covering SQL injection, XSS prevention, and safely handling user input in different contexts.

1. SQL Injection: Use Prepared Statements

The best way to avoid SQL injection is not by manually sanitizing input, but by using prepared statements. Prepared statements separate SQL code from the user data, ensuring that user inputs are treated as data, not executable code.

Example with PDO:

// Secure database interaction using prepared statements
$pdo = new PDO('mysql:host=localhost;dbname=testdb', 'user', 'password');
$stmt = $pdo->prepare("SELECT * FROM users WHERE email = ?");
$stmt->execute([$_POST['email']]);  // Securely bind user input
$user = $stmt->fetch();

In this example, the prepared statement ensures that the user input (email) cannot alter the SQL query, thus preventing SQL injection.

2. XSS Prevention: Escaping Output

Cross-site scripting (XSS) occurs when user input is rendered as part of HTML without proper escaping. To prevent this, always escape user-generated content before outputting it to the browser.

Using htmlspecialchars():

// Sanitize output to prevent XSS attacks
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');

This function converts special characters like <, >, " and ' into their HTML-safe equivalents, ensuring that malicious scripts cannot be executed.

3. Validating and Sanitizing User Input

It’s important to validate input before processing it. PHP provides built-in functions that help you validate and sanitize different types of data.

Validating Email Addresses:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email === false) {
    echo "Invalid email address.";
} else {
    // Proceed with a valid email
}

Sanitizing a String:

$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);

This removes any potentially harmful characters from the input string, making it safe to use in output contexts.

4. Handling HTML Input: Using Libraries

If your application needs to allow users to input HTML (e.g., for a WYSIWYG editor), you must use a robust HTML sanitization library rather than relying on custom regex or basic functions like strip_tags().

Using HTML Purifier:

require_once 'HTMLPurifier.auto.php';
$config = HTMLPurifier_Config::createDefault();
$purifier = new HTMLPurifier($config);
$safeHtml = $purifier->purify($userHtmlInput);

This library ensures that user-provided HTML is clean, removing potentially harmful tags or attributes that could lead to XSS attacks.

5. Command Injection Prevention: Escaping Shell Commands

If your PHP code needs to execute shell commands based on user input, you must sanitize the input to avoid command injection.

Using escapeshellarg():

$input = escapeshellarg($userInput);
exec("ls $input");

This escapes any potentially dangerous characters, preventing the user from executing malicious commands.

6. JSON Output: Using json_encode()

When passing user input to JavaScript, always use json_encode() to safely encode the data.

Example:

$data = ['username' => $userInput];
echo json_encode($data);

This ensures that special characters are escaped properly, preventing injection of arbitrary JavaScript code.

7. Avoiding Magic Quotes

PHP used to have a feature called magic quotes that automatically escaped input data. This feature is deprecated and should be avoided. Always sanitize and escape data manually using the appropriate methods.

---

8. Filtering Input: Best Practices

• Input validation: Ensure user input meets specific criteria (e.g., only allow email addresses, integers, etc.).
• Sanitize early, escape late: Sanitize data when accepting input, but always escape it before output, depending on the context.
• Use built-in functions: Functions like filter_var() and libraries like HTML Purifier are reliable ways to sanitize user input.

Sanitizing user input in PHP involves different strategies based on the context in which the input will be used. Always:

• Use prepared statements for SQL queries.
• Escape HTML output with htmlspecialchars() to prevent XSS.
• Use robust input validation techniques with PHP’s filter_var() or filter_input().
• For complex HTML sanitization, use dedicated libraries like HTML Purifier.

By following these best practices, you can effectively secure your PHP applications from common vulnerabilities like SQL injection and XSS.