PHP PDO Sanitize user input

Robert Granlund
Last Modified: 2014-05-22
What is the best way to sanitize user input?
	// Check for a State:
	$errors = [];
	if (empty($_POST['state'])) {
		$errors[] = 'You forgot to enter a state.';
	} else {
		// requires an open mysql_* connection; the mysql extension is deprecated
		$st = mysql_real_escape_string($_POST['state']);
	}


Oh, never mind - now I get it.

The mantra is "accept only known good values."  This should obviously not be restated as "exclude all known bad values" because there are more bad values than you can think of, and if you approach security from the wrong end of the gun, well, it will not end in a way you enjoy.

All external data must be considered tainted and treated as an attack vector.

The escape_string() functions are used to make the data safe for use in a query string.  But that really does nothing to sanitize the input.  You would still want to check the basics.  For example, if your script is going to rely on a state abbreviation, one obvious check would be to see that the input was a string, two characters in length, and that it matched one of the standard state abbreviations.  If you expect a person's name, you might have a regular expression that kept only the letters of the alphabet, along with the comma, dot and hyphen.  Things like that are important.

On the outbound side, if your script echoes any browser output that was received from an external source, use htmlentities() or htmlspecialchars() to prevent your site from becoming an attack vector.

@rgranlund, I'm concerned that you're missing the point here.  PDO does not sanitize input.  Your own PHP script must sanitize the input.  There is a big difference between making a query string that can work correctly and having the right data in the database after the query has been run.

PHP has functions that we use to sanitize input.  This is what you should be looking at:

And I really urge you to take a moment and read the article linked above.  It will answer your questions about how to use the various MySQL extensions.  The reason I wrote it is because I grew weary of answering this sort of question over and over -- it's such a common question, and so commonly misunderstood, that it needed to be explained in some detail.  The article does that, with tested and working code samples showing, in parallel construction, exactly how to work with MySQL, MySQLi, PDO, and MySQLi with prepared statements.
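The two answers above make one combined point: validate inbound data against known good values, use a prepared statement (not escaping) to get it into the query, and escape on output. The following is an added example that is not from the question or either answer; the `people` table, its `name` and `state` columns, the `$pdo` connection and the partial state-code list are all constructed for the example.

```php
<?php
// Added example: whitelist validation + PDO prepared statement + output escaping.
// Assumes a hypothetical table `people` (name, state) and a PDO connection $pdo.
declare(strict_types=1);

// Accept only known good values. Constructed, partial list of US state codes.
const STATE_CODES = ['AL', 'AK', 'AZ', 'AR', 'CA', 'CO', 'CT', 'DE', 'FL', 'GA',
                     'HI', 'IA', 'IL', 'MA', 'NY', 'OH', 'PA', 'TX', 'VA', 'WA'];

function validateState($value): ?string
{
    // Must be a string, exactly two characters, and one of the known codes.
    if (!is_string($value) || strlen($value) !== 2) {
        return null;
    }
    $code = strtoupper($value);
    return in_array($code, STATE_CODES, true) ? $code : null;
}

function validateName($value): ?string
{
    // Keep only letters, spaces, comma, dot and hyphen; cap the length.
    if (!is_string($value) || !preg_match('/^[A-Za-z ,.\-]{1,100}$/', $value)) {
        return null;
    }
    return $value;
}

function collectErrors(array $post): array
{
    $errors = [];
    if (empty($post['state'])) {
        $errors[] = 'You forgot to enter a state.';
    } elseif (validateState($post['state']) === null) {
        $errors[] = 'That is not a valid state abbreviation.';
    }
    if (empty($post['name'])) {
        $errors[] = 'You forgot to enter a name.';
    } elseif (validateName($post['name']) === null) {
        $errors[] = 'Names may contain only letters, spaces, commas, dots and hyphens.';
    }
    return $errors;
}

function savePerson(PDO $pdo, string $name, string $state): void
{
    // The prepared statement replaces mysql_real_escape_string(); it keeps data
    // out of the SQL text but does not check that the data makes sense.
    $stmt = $pdo->prepare('INSERT INTO people (name, state) VALUES (:name, :state)');
    $stmt->execute([':name' => $name, ':state' => $state]);
}

function renderSafely(string $value): string
{
    // Outbound side: escape anything of external origin before echoing it.
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input standing in for $_POST.
$post = ['state' => 'ny', 'name' => "O'Brien, Pat"];

$errors = collectErrors($post);
if ($errors) {
    foreach ($errors as $e) {
        echo renderSafely($e), "\n";
    }
} else {
    // $pdo = new PDO('mysql:host=db.example;dbname=app', $user, $pass); // hypothetical
    // savePerson($pdo, validateName($post['name']), validateState($post['state']));
    echo 'Saved ', renderSafely($post['name']), ' (', validateState($post['state']), ")\n";
}
```

With the constructed input the state passes (`ny` is normalised to `NY`) but the name is rejected, because the apostrophe is not in the whitelist the answer described. That is the whitelist working as intended, and also the caveat: a rule that keeps only ASCII letters, comma, dot and hyphen will reject legitimate names with apostrophes or non-ASCII letters, so the set of "known good" characters has to be chosen for the data you actually expect, not copied from an example.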
