Input Validation with PHP

Of course, validating user input is really important for dynamic websites. Invalid user input can make errors in processing. Therefore, validating inputs is a must. The awesome language, PHP has numerous in-built functions to validate user inputs.

In this tutorial, you will learn about 4 major tasks.

Validating the Request Method

Before creating a HTML form you have to decide a HTTP method to use in your HTTP request. Among bunch of HTTP request methods, developers normally use GET and POST methods for forms. So... GET or POST?

GET Method

POST method

If you are sending sensitive data such as passwords, emails with HTTP request you must use POST. If you are retrieving data from the server, you can use GET method.

Let's create the HTML form. Here I have chosen POST method and the action script, act.php

<form method="POST" action="act.php">

	<!-- some form elements here -->


Browser will send the form data to act.php after submitting the form. I have created act.php as following. First, it will validate the request method.

		// the request method is fine

} else {

	exit('Invalid Request');


You can change 'POST' with your selected HTTP method. So, if act.php is requested with any other method, it will show an error. That's how the request method validation is done.

Checking User Inputs

Next, we have to check the user inputs to avoid processing errors. Let's see how an error can occur. Assume that you have php code to assign POST variable to a local variable as following.

$email = $_POST['email'];

If email variable is not set, PHP will throw an error like following.

Undefined Index: Email

Therefore we have to check whether the inputs variables are set.


The empty function in PHP is really important in this case. It checks whether the argument is empty or not. It will return true in following cases.

if (!empty($_POST['email'])) {
	$email = $_POST['email'];	

In the above example, $email variable is declared if $_POST['email'] is not empty. So, the error mentioned earlier won't trigger. But, if the email is compulsory, we have to throw an error if it's empty. The last subtopic of this tutorial will explain you to do that in an object oriented way.

For BOOLEAN Inputs

The isset function is better to use for boolean values because empty function returns true on false. Isset function checks whether the variable is set (or declared) and not null.

if (isset($_POST['boolean'])) {
	$boolean = $_POST['boolean'];	

Validating Inputs

Prevent XSS Attacks

First, we have to prevent XSS attacks (Cross-Site Scripting). Assume that we have following code in our HTML page to let users to input their username.

<form method="POST" action="">

	<input type="text" name="username">
	<input type="submit" name="submit">


Now assume an attacker inputs following HTML code as the username.
Then he submits the form. We save his username in the database without any validation. Then, we make a page to show usernames of the users. So, PHP will echo out above HTML code as his username. So, every user who visits this page will be redirected to Simply, this is called as XSS attacks.

It's pretty simple to protect a website from XSS attacks using PHP. The htmlspecialchars() function escapes HTML codes. So,

will be changed to

Let's see an example:


if (!empty($_POST['username']) && !empty($_POST['email'])) {

	$username = htmlspecialchars($_POST['username']);
	$email = htmlspecialchars($_POST['email']);


There is one more thing to do with user inputs. We need to remove extra spaces and padding. So that extra spaces won't take space in your database if you are saving those inputs in a database. trim() function removes extra spaces.


if (!empty($_POST['username']) && !empty($_POST['email'])) {

	$username = trim(htmlspecialchars($_POST['username']));
	$email = trim(htmlspecialchars($_POST['email']));


Note: We will create a function to do both at once in the last part of this tutorial.

Validating Emails, URLs, Integers, , etc.

PHP has filter_var() function to validate variables. We can set it's second parameter to different values and use it to validate emails, URLs, integers, booleans, etc. This function returns false on failure or invalid input.

1. Validating Emails

We can simply validate an email using filter_var() function and FILTER_VALIDATE_EMAIL flag. It returns false if the email is invalid.


if (!empty($_POST['email'])) {

	$email = trim(htmlspecialchars($_POST['email']));
	$email = filter_var($email, FILTER_VALIDATE_EMAIL);

	if ($email === false) {
		exit('Invalid Email');


2. Validating URLs

Here we use FILTER_VALIDATE_URL flag with filter_var() function. It returns false if the URL is not in the correct format and returns the URL on success.


if (!empty($_POST['url'])) {

	$url = trim(htmlspecialchars($_POST['url']));
	$url = filter_var($url, FILTER_VALIDATE_URL);

	if ($url === false) {
		exit('Invalid URL');


3. Validating Integers

Here we use FILTER_VALIDATE_INT flag with filter_var() function. This method can be used to validate any integer value such as a primary integer key (userId, groupId, etc.) in database, timestamp, etc. The advantage of using this function is, it converts string numbers ("25") to actual integers (25). So that we can treat integer inputs as integer without any hesitation after sending the input through this function.


if (!empty($_POST['number'])) {
	$number = $_POST['number'];
	$number = filter_var($number, FILTER_VALIDATE_INT);

	if ($number === false) {
		exit('Invalid Integer');


When sending an input through the function,

Note: All false values means that they are not integers.

4. Validating Booleans

Here we use FILTER_VALIDATE_BOOLEAN flag with filter_var() function. This flag enables some amazing attributes to the function. It returns true on strings like 'on', 'yes', 'true' (Case-Insensitive), on boolean true. All other inputs will return false.

Many browsers send string "on" if a checkbox is ticked by user. This string is hard to work with. Let's see an example how to convert it to a boolean.


if (!empty($_POST['check'])) {

	$check = $_POST['check'];
	$check = filter_var($check, FILTER_VALIDATE_BOOLEAN);

After sending the input through filter_var() function with FILTER_VALIDATE_BOOLEAN flag, "on" (string) will be converted to true. Thereafter, we can treat the input as a boolean.

We have discussed many functions to validate inputs. But, writing them all over and over again is not a good practice. So, in the next step we will be creating a class to validate inputs in a more convenient way.

Creating Your Own Class To Validate Inputs

I assume that you have basic knowledge on Object Oriented Programming. If not, you can follow our tutorial.

Our class must prevent XSS attacks and validate inputs. I have named the class as Input.


class Input {


I have used static functions for each case as they make it easy to call. It has following functions.

So, the full code will be like following.


class  Input {
	static $errors = true;

	static function check($arr, $on = false) {
		if ($on === false) {
			$on = $_REQUEST;
		foreach ($arr as $value) {	
			if (empty($on[$value])) {
				self::throwError('Data is missing', 900);

	static function int($val) {
		$val = filter_var($val, FILTER_VALIDATE_INT);
		if ($val === false) {
			self::throwError('Invalid Integer', 901);
		return $val;

	static function str($val) {
		if (!is_string($val)) {
			self::throwError('Invalid String', 902);
		$val = trim(htmlspecialchars($val));
		return $val;

	static function bool($val) {
		$val = filter_var($val, FILTER_VALIDATE_BOOLEAN);
		return $val;

	static function email($val) {
		$val = filter_var($val, FILTER_VALIDATE_EMAIL);
		if ($val === false) {
			self::throwError('Invalid Email', 903);
		return $val;

	static function url($val) {
		$val = filter_var($val, FILTER_VALIDATE_URL);
		if ($val === false) {
			self::throwError('Invalid URL', 904);
		return $val;

	static function throwError($error = 'Error In Processing', $errorCode = 0) {
		if (self::$errors === true) {
			throw new Exception($error, $errorCode);

Let's see some examples of usage of our class.

Initiating the Class

You can copy the above code to a new file and include that file in your script. If you are interested in autoloading classes, you can check our tutorial.

Error Handling

As in the above code, I have created the method throwError to throw errors. It throws error if the static variable error is true. If you don't need errors to be thrown, you can set error to false.

Input::$error = false;

Checking Inputs

I have created check function to check inputs. There are two arguments in the function. First one is an array of elements that is needed to be checked. Second one is the Super Global Array that holds the Inputs. ($_POST for POST method, $_GET for GET method. Default is $_REQUEST)

Input::check(['email', 'password'], $_POST);

This code will check whether email and password are in $_POST and they are not empty. If they are empty it will throw an error.


You can use other functions in the class to validate followings.

	// validate an integer
$number = Input::int($_POST['number']);

	// validate a string
$name = Input::str($_POST['name']);

	// convert to boolean
$bool = Input::bool($_POST['boolean']);

	// validate an email
$email = Input::email($_POST['email']);

	// validate a URL
$url = Input::url($_POST['url']);


This tutorial showed you how to check and validate user inputs and prevent XSS attacks. The filter_var() function was described with it's filters with examples. This tutorial gained your knowledge on validating emails, URLs, integers, booleans and more. Finally we created a class to make validating more convenient. You can improve that class with your knowledge and make it more functional according to your needs.

If you have any kind of question to ask, comment below. Thank you for reading.

Tagged: PHP
You can connect with me on Twitter or Linkedin.
Latest on My Blog
PHP Beginner's Tutorial
Beginner's PHP Tutorial
Image for Laravel High CPU Usage Because of File-based Session Storage
Laravel High CPU Usage Because of File-based Session Storage
Image for Resizing Droplets: A Personal Experience
Resizing Droplets: A Personal Experience
Image for Moving our CDN (10+ GB images) to a new server
Moving our CDN (10+ GB images) to a new server
Image for Disqus, the dark commenting system
Disqus, the dark commenting system
Image for Creating a Real-Time Chat App with PHP and Node.js
Creating a Real-Time Chat App with PHP and Node.js
Related Articles