Distressed PHP LogoA recent project had us brushing up our form validation skills. One of the most useful snippets of code in a developer’s arsenal is a solid form validation script; regardless of what is done with data after it is posted through a form, the easiest way for hackers to do damage to your site is through an unvalidated, insecure form. Validating and cleansing data is especially critical if it will be posted to another page or inserted into a database: by neglecting to clean data before storing it in a database, it’s possible for hackers to quite easily tell your script to drop entire tables in your database!

We have always been in the habit of including validation in our simple e-mail scripts and other basic form processing scripts before the data sent by a form is handled as insurance against posting of malicious code. This tutorial will guide you through a very basic piece of code that we use to clean up form submissions. In the future, we’ll be sharing additional tutorials on more detailed form validation, such as checking to see that a user has submitted a valid e-mail address in a field that asks for their e-mail.

The Sanitizing Function

The first thing you should always do before processing any content submitted through free text (i.e. <input type="text"> or <textarea>) fields is check for and neutralize any malicious code sent by someone trying to harm your site or server. This type of hack is by far the most common – and easily prevented. The following code sanitizes content submitted to the function:

function check_input($data) {
	$data = trim($data);
	$data = stripslashes($data);
	$data = htmlspecialchars($data);
	return $data;

In plain English, the check_input() function cleans up $data sent to it through a few steps: first the standard PHP trim() function removes spaces from the beginning and end of the content, along with any line breaks, carriage returns, tabs, etc. (“\n,” “\0,” and the like); next the stripslashes() function takes the trimmed content and removes any backslashes (\) that may be present; then the htmlspecialchars() function transforms any special characters into their HTML code equivalents (“&” will become “&amp;,” “<” will become “&lt;,” and so on); and finally the newly-sanitized content is returned as the value for $data.

Using the Function

To run the cleansing function on data submitted through a form, you would use the following code:

$form_input = check_input($_POST['form_input']);

where “form_input” is the value of the name="" attribute for the input field you would like to sanitize. If you’d like to run the content of multiple fields in a form through the function, your code might look something like this:

$name = check_input($_POST['name']);
$email = check_input($_POST['email']);
$subject = check_input($_POST['subject']);
$message = check_input($_POST['message']);

Once you’ve run the sanitizing function on all the fields you want to check, you can call the clean variables anywhere in the script that performs the action on your form data. If you’re sanitizing the data sent through a basic contact form, like the example above might be doing, you would simply call $name instead of $_POST['name'] anywhere you would like to output the user’s name in the e-mail the script sends to you.

Example Output

Say someone were to submit the following code as the content of a comment on your blog in an attempt to execute a bit of JavaScript on your site:

<script type="text/javascript" src="http://evil.com/nefarious_script.js">
<script type="text/javascript">
nasty.function("do something malicious");

If you run the content of that form field through our sanitizing function, the following would be the result:

&lt;script type=&quot;text/javascript&quot; src=&quot;http://evil.com/nefarious_script.js&quot;
&lt;script type=&quot;text/javascript&quot;&gt;
nasty.function(&quot;do something malicious&quot;);

When displayed as a comment on your blog, it’ll no longer actually execute and will just show up as the neutralized code above. Not only do you benefit from a hacking attempt thwarted, but you can see that someone made the attempt, take measures to block them from future attempts, and report the attack as appropriate.


Now you have the necessary skills to implement a PHP function that cleanses dangerous content from form submissions on any site you develop. The next time we return to the subject of processing form data with PHP, we’ll show you how to validate an e-mail address submitted by a user. If you frequently collect contact information from visitors, the script will save a great deal of time and frustration dealing with bounced and invalid e-mails on your mailing lists, so stay tuned!

Leave a Comment


No comments yet. Why don’t you start the discussion?