Input Validation in PHP

By: Andi, Stig and Derick  

One essential technique to protect your web site from users is input validation, which is an impressive term that doesn’t mean much at all. The term simply means that you need to check all input that comes from the user, whether the data comes from cookies, GET, or POST data.

First, turn off register_globals in php.ini and set the error_level to the highest possible value (E_ALL | E_STRICT). The register_globals setting stops the registration of request data (Cookie, Session, GET, and POST variables) as global variables in your script; the high error_level setting will enable notices for uninitialized variables.

For different kinds of input, you can use different methods. For instance, if you expect a parameter passed with the HTTP GET method to be an integer, force it to be an integer in your script:


$product_id = (int) $_GET['prod_id'];


Everything other than an integer value is converted to 0. But, what if $_GET['prod_id'] doesn’t exist? You will receive a notice because we turned the error_level setting up. A better way to validate the input would be


if (!isset($_GET['prod_id'])) {

die ("Error, product ID was not set");


$product_id = (int) $_GET['prod_id'];


However, if you have a large number of input variables, it can be tedious to write this code for each and every variable separately. Instead, you might want to create and use a function for this, as shown in the following example:


function sanitize_vars(&$vars, $signatures, $redir_url = null)


$tmp = array();

/* Walk through the signatures and add them to the temporary

* array $tmp */

foreach ($signatures as $name => $sig) {

if (!isset($vars[$name]]) &&

isset($sig['required']) && $sig['required'])


/* redirect if the variable doesn't exist in the array */

if ($redir_url) {

header("Location: $redir_url");

} else {

echo 'Parameter $name not present and no redirect URL';




/* apply type to variable */

$tmp[$name] = $vars[$name];

if (isset($sig['type'])) {

settype($tmp[$name], $sig['type']);


/* apply functions to the variables, you can use the standard PHP

* functions, but also use your own for added flexibility. */

if (isset($sig['function'])) {

$tmp[$name] = {$sig['function']}($tmp[$name]);



$vars = $tmp;


$sigs = array(

'prod_id' => array('required' => true, 'type' => 'int'),

'desc' => array('required' => true, 'type' => 'string',

'function' => 'addslashes')


sanitize_vars(&$_GET, $sigs,

"http:// {$_SERVER['SERVER_NAME']}/error.php?cause=vars");


Most Viewed Articles (in PHP )

Installing PHP with nginx-server under windows


PHP 5.1.4 INSTALLATION on Solaris 9 (Sparc)

Building PHP 5.x with Apache2 on SuSE Professional 9.1/9.2

Installing PHP 5.x with Apache 2.x on HP UX 11i and configuring PHP 5.x with Oracle 9i

Cannot load /usr/local/apache/libexec/ into server:

Setting up PHP in Windows 2003 Server IIS7, and WinXP 64

error: "Service Unavailable" after installing PHP to a Windows XP x64 Pro

Running different websites on different versions of PHP in Windows 2003 & IIS6 platform

Function to convert strings to strict booleans in PHP

Convert IP address to integer and back to IP address in PHP

Function to return number of digits of an integer in PHP

Function to force strict boolean values in PHP

Function to sort array by elements and count of element in PHP

PHP pages does not display in IIS 6 with Windows 2003

Latest Articles (in PHP)

Comment on this tutorial