Input Validation
Validate input at system boundaries using filter_var(), regex, or allow-lists. Reject early; do not sanitise and hope.
// filter_var: returns false on failure, so compare strictly (a valid age of 0 is falsy but not === false)
$email = filter_var($_POST["email"] ?? "", FILTER_VALIDATE_EMAIL);
if ($email === false) die("Invalid email");
$age = filter_var($_POST["age"] ?? "", FILTER_VALIDATE_INT, ["options" => ["min_range" => 0, "max_range" => 150]]);
if ($age === false) die("Invalid age");
// Allow-list: only known-good column names reach the query; anything else falls back to a safe default
$sort = in_array($_GET["sort"] ?? "", ["name", "date", "price"], true) ? $_GET["sort"] : "date";
// Laravel validation: throws a ValidationException (422 response) as soon as a rule fails
$data = $request->validate(["email" => "required|email", "age" => "integer|min:0|max:150"]);
Allow-lists (known-good values) are safer than deny-lists (known-bad). When in doubt, reject.
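As an added example (not code from the original cheat sheet), a request-validation helper that applies these rules to a listing endpoint's query string: allow-lists for the sort column and direction, range-checked integers for pagination, and an immediate exception instead of a silently "cleaned" value. The function name, parameters and limits are hypothetical.

```php
<?php
declare(strict_types=1);
/**
 * Validate a listing endpoint's query parameters (hypothetical helper, not from the original page).
 * Returns only validated, typed values and throws on the first bad input instead of sanitising it,
 * so nothing but allow-listed names and range-checked integers reaches the data layer.
 */
function validateListingParams(array $query): array
{
    // Allow-lists: the only column names and directions that may ever reach ORDER BY.
    $allowedSort  = ["name", "date", "price"];
    $allowedOrder = ["asc", "desc"];

    $sort = $query["sort"] ?? "date";                 // default when absent
    if (!in_array($sort, $allowedSort, true)) {       // strict comparison: no type juggling
        throw new InvalidArgumentException("sort must be one of: " . implode(", ", $allowedSort));
    }

    $order = $query["order"] ?? "asc";
    $order = is_string($order) ? strtolower($order) : null;   // arrays (?order[]=x) are never valid
    if (!in_array($order, $allowedOrder, true)) {
        throw new InvalidArgumentException("order must be asc or desc");
    }

    // Range-checked integers. filter_var returns false on failure (including array input),
    // so compare with ===; a legitimate 0 would be falsy but is not === false.
    $page = filter_var($query["page"] ?? "1", FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 1, "max_range" => 100000]]);
    if ($page === false) {
        throw new InvalidArgumentException("page must be an integer between 1 and 100000");
    }

    $perPage = filter_var($query["per_page"] ?? "25", FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 1, "max_range" => 100]]);
    if ($perPage === false) {
        throw new InvalidArgumentException("per_page must be an integer between 1 and 100");
    }

    // Only the validated, typed values are returned; the raw $query array is never passed on.
    return ["sort" => $sort, "order" => $order, "page" => $page, "per_page" => $perPage];
}

// Constructed sample inputs: the first request is accepted, the second rejected before any query runs.
print_r(validateListingParams(["sort" => "price", "order" => "DESC", "page" => "2", "per_page" => "50"]));
try {
    validateListingParams(["sort" => "id", "page" => "0"]);   // "id" is a real column but not allow-listed
} catch (InvalidArgumentException $e) {
    echo "Rejected: ", $e->getMessage(), PHP_EOL;
}
```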