To validate user input in PHP, use built-in validation functions like filter_var() and filter_input(), apply regular expressions for custom formats such as usernames or phone numbers, check data types for numeric values like age or price, set length limits and trim whitespace to prevent layout and database issues. These steps ensure security, data integrity, and a better user experience by preventing vulnerabilities and unexpected behavior.

Validating user input in PHP is crucial for security, data integrity, and a better user experience. Whether you're handling form submissions, API requests, or any kind of user-generated data, making sure that the input meets expected criteria helps prevent bugs and vulnerabilities like SQL injection or XSS attacks.

Use Built-in PHP Validation Functions

PHP comes with some handy built-in functions specifically designed for input validation. The most commonly used are filter_var() and filter_input().

For example:

$email = $_POST['email'];

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // valid email
} else {
    // invalid email
}

These functions support various filters like validating emails, URLs, IPs, etc., and can even sanitize inputs before use.

Some common validations using filter_var():

• Validate email: FILTER_VALIDATE_EMAIL
• Validate URL: FILTER_VALIDATE_URL
• Validate IP address: FILTER_VALIDATE_IP
• Sanitize string: FILTER_SANITIZE_STRING (though note this is deprecated as of PHP 8.1)

Using these built-in tools gives you a solid starting point without reinventing the wheel.

Check for Data Type and Format Manually When Needed

Sometimes built-in filters aren’t enough, especially when dealing with custom formats like phone numbers, postal codes, or specific text patterns.

In those cases, regular expressions (preg_match) come in handy. For instance, if you want to make sure a username only contains letters and numbers:

$username = $_POST['username'];

if (preg_match('/^[a-zA-Z0-9]{3,20}$/', $username)) {
    // valid username
} else {
    // invalid username
}

Also, always check for correct data types when receiving values like age, price, or quantity:

$age = $_POST['age'];

if (is_numeric($age) && $age > 0 && $age < 150) {
    // valid age
}

This step helps avoid unexpected behavior in your logic or database.

Set Length Limits and Trim Input

It's easy to overlook how long an input might be. While HTML forms can restrict length on the front end, it’s still important to enforce limits server-side too.

Trim whitespace from beginning and end of strings using trim() — especially for usernames, emails, or passwords.

Example:

$name = trim($_POST['name']);

if (strlen($name) < 2 || strlen($name) > 50) {
    // show error
}

This helps prevent issues like:

• Very long entries causing layout problems
• Empty spaces accidentally submitted
• Database field size mismatches

Also consider limiting max lengths for things like passwords — there's no need to store extremely long passwords since they'll likely just be hashed anyway.

That’s basically how you handle basic input validation in PHP. It doesn't have to be complicated, but skipping these steps can lead to real problems down the line.

The above is the detailed content of How do I validate user input in PHP to ensure it meets certain criteria?. For more information, please follow other related articles on the PHP Chinese website!