Best Way to Sanitize input in PHP

What is the best way to sanitize user input in a form field with PHP?
<form id="unjoin" method="post">
                    <input id="email" name="email" type="text" value="<?php echo $unsub; ?>" /><br />
                    <input type="submit" name="submit" id="submit" value="Click Here To Unsubscribe">



Open in new window

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Chris StanyonWebDevCommented:
'Best Way' is a little subjective and it depends on your needs. You can start by checking out PHP's filter_var():

$cleanEmail = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

Lots of options to sanitize various types of data. If built in methods don't work, then you can use various functions such as str_replace, or any number of regex methods.

And if you're using a database with user data, always use prepared queries, instead of passing the data directly into your queries

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Olaf DoschkeSoftware DeveloperCommented:
In this special case, it's not a matter of sanitizing, it's the least problem you have to remove any malicious content posted and risking to execute it.

In the simplest case, you do a parameterized query searching for a user record having the email column set to the same value as submitted and double checking this is the email of the user logged in to unsubscribe, so nobody can unsubscribe other users.

But that's not the usual sanitation topic, that's much more about recognizing valid email address.

The typical unsubscribing should only ask for a mail, to verify the user logged in knows the mail he used to subscribe, and it only makes sense, if you can't see it from within the user profile page of your site, otherwise an unsubscribe can be a simple single button without asking any detail, as you know the user logged in wants to unsubscribe his own account.

If you're providing this form for users not logged in to their account, eg for a newsletter people subscribed giving their mail but not really creating an account they login to and maintain, then that's another story, but you'll need to check, whether this email is known to some subscribers table anyway.

You may do some simple checks before making that parameterized query for a user/subscriber, but using a parameterized query even a multiline input of a user containing any HTML or JS simply isn't found in the data. If you want to ensure no security hole of parameterized queries can be used, filter out any disallowed characters for mail addresses, any control code character isn't allowed, no linefeeds or carriage return, no tabs, even not spaces, you may even concentrate on the allowed characters.

I don't see a need, as there has to be a bug in query parameterization so any byte or code within the input would fool the parameter mechanism, even linefeeds, ESC sequences or anything alike are simply taken as-is and searched within the mail field.

What could be a risk is any disallowed char making it into a users data at subscription time now executed with whatever mail code you use to send to that address, so you should sanitize the entry of the mail address at subscription time already. And the risk you're facing with any input breaking the mail sending and injecting any other code executed is already with every mail you sent since the subscription.

Bye, Olaf.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.