Validating User Input

The safest approach to securing user input is to never trust what is submitted and to always treat the data as a possible attack. This is known as a whitelist approach. User input generally originates from a form whose data needs to be processed by the application.

A good place to start validating user input is with the creation of the form itself. With the use of an input tag, there are a few attributes which can help secure data before a script processes the information.

  • maxlength:
    • The maxlength attribute specifies the maximum length of an input field. This is useful to prevent users from inputting very long strings of data (for example, 2 MB), which could create an overflow error from the hosting server. However, using this is not a foolproof method. An attacker could replicate the form on another host and exclude the maxlength attribute. It is important to also validate the input for the correct length within the PHP scripts before the data is used. Example:

      <input type="text" name="userName" maxlength="25"/>

  • type="password":
    • The type="password" attribute is used for password input boxes. As a user enters data into the input element, each character is displayed as an asterisk (*). This provides a limited security feature for the user if they are inputting a password when other users are present. Example:

      <input type="password" name="userPassword"/>

After the form has been made more secure, it is time to validate the user input within the PHP scripts. This is to add a second layer of security in the event that an attacker has bypassed the first layer. Validating user input can be completed with various methods, including, but not limited to:

  • Checking the length of the passed data strings
  • Filtering data
  • Type Casting
  • Using regular expressions

Checking the length of the passed data strings

Even if the form from which the data originated used the maxlength attribute, it is possible for an attacker to circumvent this security measure. To be safe, one should check the length of the data string before it is used within the PHP script. This can be done by using the strlen() PHP function, as seen below:


// Accept the value only if it is within the 25-character limit
if (strlen($_POST['userName']) <= 25) {
    $userName = $_POST['userName'];
} else {
    echo "You have entered a user name containing too many characters. Please use 25 characters or less.";
}

Filtering Data

One possible way to create a more secure environment is to filter the incoming data. One can do this by only accepting the correct values and providing a default scenario for any data other than the accepted values. This method is only efficient if the number of accepted values is small. Otherwise, it may become a tedious task to code in all of the accepted values.

For example, let's say a form displays a drop-down box which asks a student to select their academic year, either Freshman, Sophomore, Junior or Senior. This can be completed using either an if-else statement or a switch statement. The switch method is shown below.

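switch ($_POST['acadYear']) {
    case 'Freshman':
    case 'Sophomore':
    case 'Junior':
    case 'Senior':
        // One of the accepted values: safe to use
        $acadYear = $_POST['acadYear'];
        break;
    default:
        // Default scenario for anything other than the accepted values
        echo "Invalid academic year selection.";
}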

Type Casting

Type casting a variable is quick, easy, and effective at ensuring the data being processed is exactly what it needs to be. The process is similar to the method used in the C programming language, where the desired type is coded in parentheses, ( ), before the variable. The allowed casts are:

  • (int), (integer) – cast to integer
  • (bool), (boolean) – cast to boolean
  • (float), (double), (real) – cast to float
  • (string) – cast to string
  • (binary) – cast to binary string (PHP 6)
  • (array) – cast to array
  • (object) – cast to object
  • (unset) – cast to NULL (PHP 5)

For example:


$intNum = (int) $_POST['age'];
$floatNum = (float) $_POST['price'];
$inputString = (string) $_POST['name'];


Regular Expression

Regular expressions can be complicated, but they are a very powerful tool for defining which characters can exist within strings. When validating user input, regular expressions work well against email address inputs. To learn more about regular expressions, read this tutorial. Below is an example of how to validate an email address input with a regular expression.


// Use the submitted address only if it matches the expected pattern
if (preg_match('/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/i', $_POST['email'])) {
    $email = $_POST['email'];
}
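
The four server-side checks above combined into one routine, as an added example rather than code from the original tutorial. The name validate_form(), the 13-120 age range and the sample submissions are assumptions made for illustration; filter_var() with FILTER_VALIDATE_INT stands in for a bare (int) cast, and the D modifier is added to the page's email pattern.

```php
<?php
// Added example: validate_form() is a hypothetical helper, not from the page.
function validate_form(array $post): array
{
    $name  = $post['userName'] ?? null;
    $year  = $post['acadYear'] ?? null;
    $email = $post['email'] ?? null;

    // A bare (int) cast turns "abc" into 0 and "25abc" into 25, so validate
    // before converting. The 13-120 range is an assumed business rule.
    $age = filter_var($post['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);

    $valid = [
        // Length: is_string() rejects userName[]=x, which PHP parses into
        // an array that strlen() cannot handle.
        'userName' => is_string($name) && $name !== '' && strlen($name) <= 25,
        // Whitelist: strict comparison against the accepted values only.
        'acadYear' => in_array($year,
            ['Freshman', 'Sophomore', 'Junior', 'Senior'], true),
        'age' => $age !== false,
        // The page's pattern plus the D modifier, so "$" cannot match
        // before a trailing newline.
        'email' => is_string($email) && preg_match(
            '/^[^@\s<&>]+@([-a-z0-9]+\.)+[a-z]{2,}$/iD', $email) === 1,
    ];

    $values = ['userName' => $name, 'acadYear' => $year,
               'age' => $age, 'email' => $email];
    $clean = $errors = [];
    foreach ($valid as $field => $ok) {
        if ($ok) {
            $clean[$field] = $values[$field];
        } else {
            $errors[] = $field;
        }
    }
    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed submissions: one well-formed, one malformed in every field.
$good = ['userName' => 'jsmith', 'acadYear' => 'Junior',
         'age' => '19', 'email' => 'jsmith@example.edu'];
$bad  = ['userName' => ['x'], 'acadYear' => 'Alumni',
         'age' => '25abc', 'email' => "a@example.com\n"];
print_r(validate_form($good));
print_r(validate_form($bad));
```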