PHP sql-injection user-input xss

[Solved –10 Answers] Which is the best way to sanitize user input in PHP



Is there a catchall function somewhere that works well for sanitizing user input for SQL injection and XSS attacks, while still allowing certain types of html tags?


  • First example:
    • To avoid these problems, whenever we embed a string within foreign code, we must escape it according to the rules of that language. For example, if we embed a string in some SQL targeting MySQL, we must escape the string with MySQL’s function for this purpose (mysqli_real_escape_string).
  • Second example is HTML:
    • If we embed strings within HTML markup, we must escape it with html special chars. This means that every single echo or print statement should use htmlspecialchars.
  • A third example is shell commands:
    • If we’re going to embed strings (such as arguments) in external commands and call them with exec, then we must use escapeshellcmd and escapeshellarg.
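The three contexts listed in this answer, worked through on one malicious input. This is an added example and not code from the original answers; it assumes the pdo_sqlite extension is enabled so the SQL part can run offline (PDO::quote() stands in for mysqli_real_escape_string(), which needs a live MySQL link because the escaping rules depend on the connection charset), and a POSIX shell for the escapeshellarg() output.

```php
<?php
// Added example, not code from the original answers. One untrusted string is
// escaped three different ways, one per sink, and the SQL case is checked
// against an in-memory SQLite database (assumption: pdo_sqlite is enabled).
declare(strict_types=1);

// Constructed attacker input: closes the SQL string literal and appends an
// always-true condition.
$input = "x' OR '1'='1";

// HTML context: htmlspecialchars() with explicit flags. ENT_QUOTES also
// encodes single quotes (needed inside single-quoted attributes) and the
// charset is stated rather than left to the default.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Shell context (POSIX shell assumed): escapeshellarg() single-quotes the
// value so it reaches the program as exactly one argument, quotes and all.
function forShell(string $s): string
{
    return 'printf %s ' . escapeshellarg($s);
}

// SQL context: driver-native escaping. PDO::quote() returns the value escaped
// and wrapped in quotes using the rules of the connected driver; with mysqli
// the equivalent call is $mysqli->real_escape_string().
function forSql(PDO $db, string $s): string
{
    return 'SELECT name FROM users WHERE name = ' . $db->quote($s);
}

// Counts rows returned by a query; used to show whether the injection worked.
function rowCount(PDO $db, string $sql): int
{
    return count($db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

echo "HTML : ", forHtml($input), PHP_EOL;
echo "Shell: ", forShell($input), PHP_EOL;
echo "SQL  : ", forSql($db, $input), PHP_EOL;

// Raw interpolation: the OR '1'='1 fragment is parsed as SQL and matches
// every row. Driver escaping turns the quote into a literal, so no row matches.
printf("raw interpolation returned %d rows\n",
    rowCount($db, "SELECT name FROM users WHERE name = '$input'"));
printf("driver escaping returned %d rows\n",
    rowCount($db, forSql($db, $input)));
```

Run it with `php escape_contexts.php`. The point to take away is that the escaped strings are not interchangeable: the HTML output would be wrong inside a SQL statement, and the shell-quoted form would be wrong in an attribute, so the escaping call has to be chosen by the sink, not applied once at input time.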


Here we are describing two separate issues:

1. Sanitizing / filtering of user input data.
2. Escaping output.

1) User input should always be assumed to be bad.

Using prepared statements, and/or filtering with mysql_real_escape_string, is definitely a must. PHP also has filter_input built in, which is a good place to start.

2) This is a large topic, and it depends on the context of the data being output. For HTML there are solutions such as HTML Purifier out there. As a rule of thumb, always escape any output.


  • The best way to sanitize user input in PHP is the sanitize filters; otherwise use htmlentities() or htmlspecialchars().
  • For more reference: htmlspecialchars – Manual, htmlentities – Manual.


  • SQL injection is an input filtering problem, and XSS is an output escaping one – so we can’t execute these two operations at the same point in the code lifecycle.
  1. Basic rules:
    • For SQL query, bind parameters (as with PDO) or use a driver-native escaping function for query variables (such as mysql_real_escape_string())
    • Use strip_tags() to filter out unwanted HTML
    • Escape all other output with htmlspecialchars() and be mindful of the 2nd and 3rd parameters here.
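What "be mindful of the 2nd and 3rd parameters" and "use strip_tags() to filter out unwanted HTML" mean in practice. This is an added example, not code from the original answer; the payloads are constructed. It relies on two documented behaviours: before PHP 8.1 the default flags of htmlspecialchars() were ENT_COMPAT | ENT_HTML401 (single quotes untouched), and from 8.1 they are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401; and without ENT_SUBSTITUTE or ENT_IGNORE, htmlspecialchars() returns an empty string for input that is invalid in the given charset.

```php
<?php
// Added example, not code from the original answer. Shows why the flag and
// charset arguments of htmlspecialchars() matter and where strip_tags() stops.
declare(strict_types=1);

// Constructed payloads.
$attrPayload = "' onmouseover='alert(1)";          // aimed at a single-quoted attribute
$tagPayload  = '<img src=x onerror=alert(1)>hi';   // tag that strip_tags() is asked to allow
$badUtf8     = "caf\xE9";                          // Latin-1 byte, invalid as UTF-8

// Pre-8.1 default behaviour, spelled out explicitly so it is the same on
// every PHP version: double quotes are encoded, single quotes are not.
function escapeCompat(string $s): string
{
    return htmlspecialchars($s, ENT_COMPAT | ENT_HTML401, 'UTF-8');
}

// Recommended form: both quote kinds encoded, invalid bytes replaced with
// U+FFFD instead of the whole string being dropped, charset stated.
function escapeQuotes(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Builds the same single-quoted attribute with each escaper. Only the
// ENT_QUOTES variant keeps the payload inside the attribute value; with
// ENT_COMPAT the attacker's quote closes the attribute and the event handler
// becomes real markup.
function attributeWith(callable $escaper, string $value): string
{
    return "<a title='" . $escaper($value) . "'>link</a>";
}

echo attributeWith('escapeCompat', $attrPayload), PHP_EOL;
echo attributeWith('escapeQuotes', $attrPayload), PHP_EOL;

// Charset handling: without ENT_SUBSTITUTE the invalid sequence makes
// htmlspecialchars() return '' (content silently lost); with it the bad byte
// becomes the replacement character and the rest of the text survives.
var_dump(htmlspecialchars($badUtf8, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
var_dump(escapeQuotes($badUtf8));

// strip_tags() with an allow-list removes the tags not listed but leaves the
// attributes of allowed tags alone, so the onerror handler survives. It is a
// filter for removing markup, not an escaper, and on its own it does not make
// allowed tags safe.
echo strip_tags($tagPayload, '<img>'), PHP_EOL;
echo strip_tags($tagPayload), PHP_EOL;
```

If some tags must be allowed through, an attribute-aware filter such as HTML Purifier (mentioned in the other answers) is the tool; strip_tags() with an allow-list is only adequate when the allowed tags are ones that carry no dangerous attributes.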


  • To address the XSS issue, take a look at HTML Purifier, which is fairly configurable and has a decent track record.
  • As for SQL injection attacks, make sure to check the user input, and then run it through mysql_real_escape_string(). The function won’t defeat all injection attacks, though, so it is important to check the data before dumping it into our query string.
  • A better solution is to use prepared statements. The PDO and mysqli extensions support these.


  • To use the id in a WHERE clause, ensure that id definitely is an integer, like so:
php code
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    settype($id, 'integer');   // coerce to int so only digits can reach the query
    // mysql_query() belongs to the mysql extension, which was removed in PHP 7;
    // on current PHP the same call is made through mysqli or PDO.
    $result = mysql_query("SELECT * FROM mytable WHERE id = '$id'");
    # now use the result
}
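The cast-to-integer approach from this answer placed beside the prepared-statement approach from the previous one, run over the same inputs. This is an added example and not code from the original answers; it assumes the pdo_sqlite extension is enabled and uses an in-memory SQLite table in place of the MySQL `mytable` (PDO replaces the removed mysql_* extension). The inputs are constructed to stand in for `$_GET['id']`.

```php
<?php
// Added example, not code from the original answers. Contrasts settype()
// coercion with a validated, bound parameter against an in-memory SQLite
// database (assumption: pdo_sqlite is enabled).
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE mytable (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO mytable (id, title) VALUES (1, 'first'), (2, 'second')");

// Constructed inputs as they might arrive in $_GET['id'].
$inputs = ['2', '2 OR 1=1', '2abc', 'abc'];

// Approach in the answer above: coerce to int, then interpolate. Injection is
// impossible because only an integer can remain, but "2abc" silently becomes
// 2 and "abc" becomes 0 instead of the request being rejected.
function byCast(PDO $db, string $id): array
{
    settype($id, 'integer');
    return $db->query("SELECT title FROM mytable WHERE id = '$id'")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// Validate, then bind: the value never becomes part of the SQL text, and
// malformed input is refused rather than coerced into something else.
function byPreparedStatement(PDO $db, string $id): array
{
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        throw new InvalidArgumentException("id must be a positive integer, got: $id");
    }
    $stmt = $db->prepare('SELECT title FROM mytable WHERE id = :id');
    $stmt->bindValue(':id', $valid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

foreach ($inputs as $raw) {
    printf("%-10s cast -> %s", $raw, json_encode(byCast($db, $raw)));
    try {
        printf("  prepared -> %s\n", json_encode(byPreparedStatement($db, $raw)));
    } catch (InvalidArgumentException $e) {
        printf("  prepared -> rejected (%s)\n", $e->getMessage());
    }
}
```

Both approaches stop the `2 OR 1=1` injection. The difference shows on the malformed inputs: the cast answers the query for a row the caller never asked for, while the validate-then-bind version reports an error, which is the behaviour you want when the id is later used for an authorisation decision.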


  • If we’re using PostgreSQL, the input from PHP can be escaped with pg_escape_string()
php code
$username = pg_escape_string($_POST['username']);
  • pg_escape_string() escapes a string for querying the database. It returns an escaped string in the PostgreSQL format without quotes.


  • The easiest way to avoid mistakes in sanitizing input and escaping data is to use a PHP framework.
  • Templating engines like Twig or Latte have output escaping on by default – we won’t have to work out manually whether we properly escaped our output depending on context (HTML or JavaScript part of the web page).
  • The framework automatically sanitizes input and we won’t use $_POST, $_GET or $_SESSION variables directly, but through mechanisms like routing, session handling etc.
  • And for database (model) layer there are ORM frameworks like Doctrine or wrappers around PDO like Nette Database.


  • PHP 5.2 introduced the filter_var function.
  • It supports a great deal of SANITIZE, VALIDATE filters.


  • We can’t filter data without any context. Sometimes we need to take a SQL query as input and sometimes we need to take HTML as input.
  • we need to filter input on a whitelist — ensure that the data matches some specification of our expectation. And then we need to escape it before we use it, depending on the context in which we used.
  • The process of escaping data for SQL – to prevent SQL injection – is very different from the process of escaping data for (X)HTML, to prevent XSS.
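The "filter input on a whitelist, then escape for the context" rule from this answer, together with the filter_var() VALIDATE filters from the previous answer and the input/output split described earlier, as one script. This is an added example and not code from the original answers. The `$post` array is constructed to stand in for `$_POST` (filter_input() would read the superglobal directly); the field names, the regular expression and the accepted URL schemes are illustrative choices.

```php
<?php
// Added example, not code from the original answers. Validates each field
// against an allow-list with the filter extension, rejects anything that does
// not match, and escapes at output time for the HTML context.
declare(strict_types=1);

// Constructed request body standing in for $_POST.
$post = [
    'username' => 'Alice; DROP TABLE users',   // fails the allow-list pattern
    'email'    => 'alice@example.com',
    'age'      => '37',
    'website'  => 'javascript:alert(1)',       // scheme outside the allow-list
    'bio'      => "I like <b>PHP</b> & C's",   // free text, stored verbatim
];

// Allow-list definition: each field states what it accepts, not what it
// forbids. Constants are the filter extension's VALIDATE filters.
$definition = [
    'username' => ['filter'  => FILTER_VALIDATE_REGEXP,
                   'options' => ['regexp' => '/^[a-z][a-z0-9_]{2,15}$/']],
    'email'    => FILTER_VALIDATE_EMAIL,
    'age'      => ['filter'  => FILTER_VALIDATE_INT,
                   'options' => ['min_range' => 13, 'max_range' => 120]],
    'website'  => FILTER_VALIDATE_URL,
    // Free text is not "cleaned" here: it is kept as sent and escaped when
    // it is output, so the stored value stays usable in other contexts.
    'bio'      => FILTER_UNSAFE_RAW,
];

// Returns [validated fields, names of rejected or missing fields].
function validate(array $input, array $definition): array
{
    $result = filter_var_array($input, $definition, true);
    $errors = [];
    foreach ($result as $field => $value) {
        if ($value === false || $value === null) {   // false: failed, null: missing
            $errors[] = $field;
            unset($result[$field]);
        }
    }
    return [$result, $errors];
}

// FILTER_VALIDATE_URL checks syntax only; the scheme allow-list is a rule of
// this example, applied after the filter.
function allowedUrl(string $url): bool
{
    return in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true);
}

// Output escaping for the HTML body context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

[$clean, $errors] = validate($post, $definition);
if (isset($clean['website']) && !allowedUrl($clean['website'])) {
    $errors[] = 'website';
    unset($clean['website']);
}

echo 'rejected fields: ', implode(', ', $errors), PHP_EOL;
echo 'accepted fields: ', implode(', ', array_keys($clean)), PHP_EOL;

// The bio is escaped here, at the HTML sink. If the same value were written
// to the database it would be bound with a prepared statement instead; the
// stored string itself is not altered for either context.
echo '<p>', h($clean['bio']), '</p>', PHP_EOL;
```

The split the answer describes is visible in the code: validation decides whether a value is acceptable at all and happens once, at the boundary; escaping happens every time a value is written into HTML, SQL or a shell, and is chosen per sink.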

About the author

Wikitechy Editor
