Always sanitize input using filter_var() with appropriate filters like FILTER_SANITIZE_EMAIL or FILTER_SANITIZE_URL, and validate afterward with FILTER_VALIDATE_EMAIL; 2. Escape output with htmlspecialchars() for HTML contexts and json_encode() with JSON_HEX_TAG for JavaScript to prevent XSS; 3. Use prepared statements with PDO or MySQLi for database queries to safely handle user input without manual escaping; 4. Normalize strings by trimming whitespace, converting to UTF-8 with mb_convert_encoding(), lowering case for consistency, and reducing excess spaces; 5. Avoid deprecated functions like mysql_real_escape_string(), strip_tags(), and addslashes(); 6. Apply a layered security approach including client-side validation (for UX only), server-side sanitization and validation, output escaping, prepared statements, and Content Security Policy to effectively mitigate risks. Secure PHP input handling requires consistent, multi-layered practices to prevent vulnerabilities and ensure data integrity.

When handling user input in PHP, string sanitization and transformation are critical for preventing security vulnerabilities like SQL injection, XSS (Cross-Site Scripting), and data corruption. Properly sanitizing and transforming strings ensures that input is safe, consistent, and suitable for its intended use—whether stored in a database, displayed on a web page, or passed to another system.

Here’s how to effectively sanitize and transform strings in PHP for secure input handling.

1. Filter Input with filter_var()

Always treat user input as untrusted. Use PHP’s built-in filter_var() function to sanitize and validate data early.

$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);
$url = filter_var($_POST['url'], FILTER_SANITIZE_URL);
$string = filter_var($_POST['input'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW | FILTER_FLAG_STRIP_HIGH);

Key filters:

• FILTER_SANITIZE_STRING — Removes tags and encodes special chars (deprecated in PHP 8.1 , use htmlspecialchars() and manual stripping instead).
• FILTER_SANITIZE_EMAIL — Removes illegal characters.
• FILTER_SANITIZE_URL — Allows only URL-safe characters.
• FILTER_VALIDATE_EMAIL, FILTER_VALIDATE_IP, etc. — For validation, not just sanitization.

? Note: Sanitization ≠ Validation. Always validate after sanitizing:

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
// Safe to use
}

2. Escape Output to Prevent XSS

Sanitizing input is not enough. Always escape data when outputting, especially in HTML, JavaScript, or attributes.

echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');

• Use ENT_QUOTES to convert both single and double quotes.
• Specify encoding (UTF-8) to prevent encoding-related exploits.
• For JavaScript contexts, use json_encode():

  <script>
    var userData = <?= json_encode($data, JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT) ?>;
  </script>

3. Handle Database Input Safely

Never concatenate user input into SQL queries. Use prepared statements instead.

With PDO:

$stmt = $pdo->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->execute([$name, $email]);

With MySQLi:

$stmt = $mysqli->prepare("INSERT INTO users (name, email) VALUES (?, ?)");
$stmt->bind_param("ss", $name, $email);
$stmt->execute();

? This eliminates the need to manually escape strings for SQL, making your app safer and cleaner.

4. Normalize and Transform Strings

Consistent formatting helps reduce errors and spoofing attempts.

• Trim whitespace:

  $clean = trim($input);

• Convert encoding to UTF-8:

  if (!mb_check_encoding($input, 'UTF-8')) {
    $input = mb_convert_encoding($input, 'UTF-8', 'auto');
  }

• Lowercase emails for consistency:

  $email = strtolower(trim($email));

• Remove excess whitespace:

  $clean = preg_replace('/\s /', ' ', $clean);

5. Avoid Deprecated or Insecure Functions

• ? Don’t use mysql_real_escape_string() — it’s deprecated and doesn’t protect against all attacks.
• ? Avoid strip_tags() alone — it doesn’t validate or escape properly.
• ? Don’t rely on addslashes() — it’s not context-aware and can be bypassed.

Instead:

• Use htmlspecialchars() for output.
• Use modern sanitization libraries or manual filtering when needed.

6. Use a Layered Approach (Defense in Depth)

Security shouldn’t rely on a single step. Apply:

• Client-side validation — for UX (but never trust it).
• Server-side sanitization & validation — mandatory.
• Output escaping — always context-aware.
• Prepared statements — for databases.
• CSP (Content Security Policy) — to mitigate XSS impact.

Example: Complete Input Handling Flow

function sanitizeInput($input) {
    // Trim and handle encoding
    $input = trim($input);
    $input = mb_convert_encoding($input, 'UTF-8', 'auto');

    // Strip dangerous control characters
    $input = preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $input);

    // Remove extra whitespace
    $input = preg_replace('/\s /', ' ', $input);

    return $input;
}

// Usage
$name = sanitizeInput($_POST['name']);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

if ($email && filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // Proceed with prepared statement
}

Secure input handling isn’t about one function—it’s about consistent practices at every layer. Sanitize early, validate strictly, escape on output, and use safe database interfaces. That’s how you build resilient PHP applications.

Basically, don’t trust the user. Ever.

The above is the detailed content of PHP String Sanitization and Transformation for Secure Input Handling. For more information, please follow other related articles on the PHP Chinese website!