How to Secure Inputs in PHP

Published on October 11, 2020 47 sec read

We're available to do freelance project. Take a look at our services!

In this article, we’re going to learn how to sanitize inputs in PHP. It increases the security of the code. Let’s have a look.

Table of Contents

  1. Create Methods
  2. Usage

Create Methods

We’re going to create two functions. One function is clean. It’ll be used for stripping out malicious bits.

function clean($input) {
    $search = array(
      '@<script[^>]*?>.*?</script>@si',   // Javascript tag
      '@<[\/\!]*?[^<>]*?>@si',            // HTML tags
      '@<style[^>]*?>.*?</style>@siU',    // Style tags
      '@<![\s\S]*?--[ \t\n\r]*>@'         // Multi-line
    $output = preg_replace($search, '', $input);
    return $output;

We need to create another function named sanitize. Sanitizing usually refers to input, so you are stripping away parts of the input that could be problematic for your program (or avoid SQL injection ).

function sanitize($input) {
    if (is_array($input)) {
        foreach($input as $var=>$val) {
            $output[$var] = sanitize($val);
    else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        $input  = cleanInput($input);
        $output = mysql_real_escape_string($input);
    return $output;


Let’s see an example:

$string = "Hello <script>alert('hacked');</script> world!";
$sanitized = sanitize($string);

echo $sanitized; // Hello world!

We can sanitize POST, GET, REQUEST inputs:

$post_data = sanitize($_POST);
$get_data  = sanitize($_GET);
$request_data  = sanitize($_REQUEST);
The tutorial is over. Thanks for reading. 🙂


Hey, I'm Md Obydullah. I build open-source projects and write on Laravel, Linux server, modern JavaScript and more on web development.


Leave a Reply

Your email address will not be published. Required fields are marked *