Master PHP Form Validation: Essential Techniques to Secure User Input

1. Data Validation

Data validation checks whether user‑submitted values meet predefined rules. Common methods include:

1.1 Validate Required Fields

Use empty() or isset() to ensure a field is not empty.

if (empty($_POST['username']) || empty($_POST['password'])) {
    echo "Username and password cannot be empty!";
    exit;
}

1.2 Validate Email Format

Apply filter_var() with the FILTER_VALIDATE_EMAIL filter.

$email = $_POST['email'];
if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Invalid email format!";
    exit;
}

1.3 Validate Phone Number Format

Use a regular expression with preg_match() to match Chinese mobile numbers.

$phone = $_POST['phone'];
if (!preg_match("/^1[3456789]\d{9}$/", $phone)) {
    echo "Invalid phone number format!";
    exit;
}

2. Data Filtering

Data filtering removes unwanted or dangerous characters from user input. Common techniques include:

2.1 Strip HTML Tags

Use strip_tags() to eliminate HTML tags and scripts.

$content = $_POST['content'];
$filteredContent = strip_tags($content);

2.2 Escape Special Characters

Apply htmlspecialchars() to convert special characters to HTML entities.

$content = $_POST['content'];
$filteredContent = htmlspecialchars($content);

2.3 Prevent SQL Injection

Escape user input before using it in SQL statements with mysqli_real_escape_string().

$username = $_POST['username'];
$password = $_POST['password'];
$username = mysqli_real_escape_string($con, $username);
$password = mysqli_real_escape_string($con, $password);

These examples illustrate typical validation and filtering strategies; developers should adapt and extend them to meet specific business and security requirements, thereby improving user experience and protecting the website.