Escaping and sanitizing user input in PHP

Posted on July 23, 2010

I recently answered a question on Quora, a questions and answers website that I frequent. The poster asked “what are best practices for escaping or sanitizing user input in PHP?” People seemed to appreciate the answer I wrote so I’ll post it here and elaborate on it a bit more.

Why is it important to sanitize user input?

If you’re not careful with user input your website might be open to code injection, directory traversal or similar attacks. Information supplied by users can never be assumed safe.

Examples of user input are submitted forms (e.g. comments), URL parameters (?q=example) and server-side scripts pulling in third-party data, such as an RSS feed importer.

Read more…

Scroll to top

Fork me on GitHub