
Best Way to Sanitize input in PHP

What is the best way to sanitize user input in a form field with PHP?
<form id="unjoin" method="post">
    <input id="email" name="email" type="text" value="<?php echo $unsub; ?>" /><br />
    <input type="submit" name="submit" id="submit" value="Click Here To Unsubscribe">
</form>

1 Solution
Chris Stanyon commented:
'Best way' is a little subjective, and it depends on your needs. You can start by checking out PHP's filter_var():

$cleanEmail = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL);

There are lots of options to sanitize various types of data. If the built-in methods don't work, then you can use functions such as str_replace, or any number of regex methods.

And if you're using a database with user data, always use prepared queries instead of passing the data directly into your queries.
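An added example, not code from the question or from either answer, of the filter_var() approach carried through to validation and output escaping. It keeps the field name and the $unsub variable from the question's form; the cleanEmail() helper and the table name in the comment are assumptions.

```php
<?php
// Added example, not code from the question or the answers.
// cleanEmail() is an assumed helper name; "email" and $unsub come from the question's form.

/**
 * Sanitize, then validate. FILTER_SANITIZE_EMAIL only strips characters that
 * cannot occur in an address; FILTER_VALIDATE_EMAIL then checks that what is
 * left is syntactically an address. Sanitizing alone is not enough: "a@b@c"
 * survives sanitizing but fails validation. Returns null for unusable input.
 */
function cleanEmail($raw): ?string
{
    if (!is_string($raw)) {          // missing field, or an email[] array
        return null;
    }
    $sanitized = filter_var(trim($raw), FILTER_SANITIZE_EMAIL);
    if ($sanitized === false) {
        return null;
    }
    $valid = filter_var($sanitized, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

$unsub = '';
$error = null;
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $unsub = cleanEmail($_POST['email'] ?? null);
    if ($unsub === null) {
        $unsub = '';
        $error = 'Please enter a valid email address.';
    } else {
        // $unsub is now safe to bind as a query parameter, for example:
        // $stmt = $pdo->prepare('SELECT id FROM subscribers WHERE email = ?');
        // $stmt->execute([$unsub]);   // table and column names are assumptions
    }
}
?>
<form id="unjoin" method="post">
    <!-- Escape on output so a stored or reflected value can never break out of the attribute -->
    <input id="email" name="email" type="text"
           value="<?php echo htmlspecialchars($unsub, ENT_QUOTES, 'UTF-8'); ?>" /><br />
    <?php if ($error !== null): ?>
        <p class="error"><?php echo htmlspecialchars($error, ENT_QUOTES, 'UTF-8'); ?></p>
    <?php endif; ?>
    <input type="submit" name="submit" id="submit" value="Click Here To Unsubscribe">
</form>
```

The sanitize/validate pair matters because FILTER_SANITIZE_EMAIL is a filter, not a check: it returns a string for almost any input, so the result still has to be validated before it is trusted. The htmlspecialchars() call on output is the counterpart to input validation; the form in the question echoes $unsub unescaped, which is what lets a stored value turn into reflected markup.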
Olaf Doschke (Software Developer) commented:
In this special case, it's not a matter of sanitizing; removing any malicious content posted and risking its execution is the least of your problems.

In the simplest case, you do a parameterized query searching for a user record with the email column set to the same value as submitted, and double-check that this is the email of the user logged in to unsubscribe, so nobody can unsubscribe other users.

But that's not the usual sanitization topic; that's much more about recognizing a valid email address.

The typical unsubscribe should only ask for a mail address, to verify that the logged-in user knows the mail he used to subscribe, and it only makes sense if you can't see it from within the user profile page of your site; otherwise an unsubscribe can be a simple single button without asking for any detail, as you know the logged-in user wants to unsubscribe his own account.

If you're providing this form for users not logged in to an account, e.g. for a newsletter people subscribed to by giving their mail address but without really creating an account they log in to and maintain, then that's another story, but you'll need to check whether this email is known in some subscribers table anyway.

You may do some simple checks before making that parameterized query for a user/subscriber, but with a parameterized query, even a multi-line input from a user containing any HTML or JS simply isn't found in the data. If you want to ensure no security hole in parameterized queries can be used, filter out any characters disallowed for mail addresses: no control characters are allowed, no line feeds or carriage returns, no tabs, not even spaces; you may even concentrate on the allowed characters instead.

I don't see a need, as there would have to be a bug in the query parameterization for any byte or code within the input to fool the parameter mechanism; even line feeds, ESC sequences or anything alike are simply taken as-is and searched for within the mail field.

What could be a risk is any disallowed character making it into a user's data at subscription time and now being executed with whatever mail code you use to send to that address, so you should sanitize the entry of the mail address at subscription time already. And the risk you're facing of any input breaking the mail sending and injecting other code that gets executed has already been present with every mail you've sent since the subscription.

Bye, Olaf.
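An added example, not Olaf's code, of the flow he describes: a cheap pre-check for characters that can never appear in an address, a parameterized lookup, and a comparison against the logged-in user's own address before anything is deleted. It uses PDO with an in-memory SQLite table and a couple of constructed subscriber rows; the table and column names and the helper names are assumptions.

```php
<?php
// Added example, not code from the answer. Runs stand-alone with the pdo_sqlite extension.
// Table "subscribers", its columns and the helper names are assumptions.

/** Reject anything that can never be part of a mail address: control codes,
 *  line breaks, tabs and spaces. Cheap pre-check before touching the database. */
function hasDisallowedChars(string $email): bool
{
    // [:cntrl:] covers 0x00-0x1F and 0x7F; \s covers space, tab, CR and LF
    return preg_match('/[[:cntrl:]\s]/', $email) === 1;
}

/** Find the subscriber id for an address, or null. The address is bound as a
 *  parameter, so quotes, HTML, JS or line feeds inside it are searched for
 *  literally and never become part of the SQL text. */
function findSubscriber(PDO $db, string $email): ?int
{
    $stmt = $db->prepare('SELECT id FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

/** Unsubscribe only when the submitted address is the logged-in user's own
 *  address, so one user cannot unsubscribe another. The submitted value is a
 *  confirmation only; the row is looked up by the session's address. */
function unsubscribe(PDO $db, string $submitted, string $loggedInEmail): bool
{
    if (hasDisallowedChars($submitted)) {
        return false;                       // rejected before any query runs
    }
    // Whole-address case-insensitive compare keeps the example simple;
    // strictly, only the domain part of an address is case-insensitive.
    if (strcasecmp($submitted, $loggedInEmail) !== 0) {
        return false;                       // not this user's address
    }
    $id = findSubscriber($db, $loggedInEmail);
    if ($id === null) {
        return false;                       // no such subscription
    }
    $del = $db->prepare('DELETE FROM subscribers WHERE id = :id');
    $del->execute([':id' => $id]);
    return $del->rowCount() === 1;
}

// --- Constructed demo data, not real subscribers ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL UNIQUE)');
$db->exec("INSERT INTO subscribers (email) VALUES ('alice@example.com'), ('bob@example.com')");

$me = 'alice@example.com';                  // address of the logged-in user (constructed)
var_dump(unsubscribe($db, 'bob@example.com', $me));             // someone else's address
var_dump(unsubscribe($db, "x' OR 1=1 --\n<script>", $me));      // control chars: rejected before the query
var_dump(findSubscriber($db, "alice@example.com' OR '1'='1"));  // bound literally, matches no row
var_dump(unsubscribe($db, 'Alice@Example.com', $me));           // own address: row removed
var_dump(findSubscriber($db, 'alice@example.com'));             // subscription is gone
```

The third call is the point Olaf makes about parameterization: the quote and the OR clause are compared as plain text against the email column, so no row matches and nothing is executed. The pre-check in hasDisallowedChars() is the belt-and-braces layer he describes, and the same check belongs on the subscription form, since an address stored with a line break is what later reaches the mail-sending code.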