Skip to main content

Prevent Malicious User Inputs In PHP Form

A professional website always must have a way to receive user inputs either in the form of a comment column or in the form of a user input form. It is a must for successful websites to receive feedback from their users but some malicious persons use this option to inject malicious scripts to the website. If the data entered by the user is directly inserted into the database, the situation is very critical. Luckily, PHP has some built-in functions to validate the data inserted by a user using the user input form. Before explaining those functions, it is better to understand the effects of tricky external credentials.

Effects of Malicious User Inputs on a Website

Though a PHP address form is intended to receive user details like name, address etc, it will take every string submitted unless we don't implement strict validation. If someone enters a script instead of name, it is possible that the form will accept it unless there is a validation. It will be extremely dangerous if we use the same input for any data base query.

Built in PHP Functions To Validate User Inputs Though Form

Here is the list of three important functions which validates data entered through a PHP form.

  1. Trim() :

    Trim() function is used to remove any extra space, new line etc from the form inputs. Every text filed values must be passed through trim() function before taking the input for operations.

  2. htmlspecialchars()

    Htmlspecialchars() function will convert any HTML element in the user string to HTML escaped characters and prevent it from executing the code.

  3. stripslashes()

    This function removes backslashes (\) from the user input data.

By the combined use of these three functions, we can reduce the risk of taking user input through PHP form. Now let us check how to implement these three functions in our code.

Implementation of PHP Form Validation In a Code

Let us consider the username received through a PHP form is $_POST["username"];. We need to pass the value to a variable like $user=$_POST["username"]; Right now we do not know whether the input is harmless. So we need to create a custom function by using the three functions explained before.

function validate($x)
   $x= trim($x);
    $x= stripslashes($x);
    $x= htmlspecialchars($x);
    return $x;


Now the user inputs must be sanitized using the custom function we have created. For example, we are going to validate the $user using the function validate().


Related Articles
  1. Multiple Article Submission Penalty

  2. Web Traffic Vs AdSense Earnings

  3. Optimize Blogger Template

  4. How to Calculate CPC


About Author

My photo
Alex George
Alex George has Engineering graduation in Computer Science and an MBA in Finance. He had been working as a senior Network Engineer for ten years. His specialization is in Cisco products. Traveling is one of his hobbies and visited various places as part of his onsite work. He visited different places as part of his onsite work like New York, Dubai, London, etc. Right now Alex is a director of one of the leading career development firms in India, which trains students for UPSC, SSC, and PSC examinations. He guides a lot of students to get selection for various prestigious institutions like CBI, Income Tax Department, etc. Alex George is a stock market investor and a very active intraday trader. Engineering Background: He has a B.Tech in Computer Science and Engineering and passed different network and security courses like CCNA, CCNP (Security), CEH, and various Microsoft certifications. Finance Background: Alex has an MBA in Finance. He is an active intraday trader and a Share Market Investor. Webmaster Skills: Alex is a blogger since 2004. He has a working knowledge of HTML, CSS, PHP, and JavaScrip.