Validation and Sanitation with PHP

Hi, I’m trying to understand the difference between validate and sanitize in PHP.

I believe if I’ve got a form, for example, I can validate the user input, maybe with jQuery Validation, and in this way return an error message to the user if the field has not been populated properly.

But I also need to sanitize the variables in the PHP file, is that correct?
If yes, I can use PHP filters to check if a variable is an integer etc. using an if statement, but what happens if it isn’t? Do I need to report another error?

Many thanks

My understanding of the difference is that validation is to ensure that the data supplied by the user is appropriate for the fields they are to be stored in (numbers are numbers, emails are emails, names are not emails, etc.), and sanitizing is to ensure that the data doesn’t contain anything that could compromise the database or its uses.

As for the best ways to check, I’m watching as this is interesting.


Hi @droopsnoot, thanks for your answer. It is very important for me to understand this difference. I’m watching this post as well :slight_smile:

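$id = "1 possible injection";

// filter_var() returns false on failure; compare strictly so that "0" still passes
if (filter_var($id, FILTER_VALIDATE_INT) !== false) {
    $sanitize_id = filter_var($id, FILTER_SANITIZE_NUMBER_INT);
    echo $sanitize_id;
} else {
    echo "error";
}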

So for example, in this case I’m running this script without any user submission form. Now, do I need to inform the user that something went wrong if there is an error? For example, if $id is not an integer?

Checking the type of a value is more a matter of validation – and if the type (or generally format) of a given value doesn’t comply, you’ll give the user some feedback to adjust their input. Sanitizing however is about things like preventing XSS or SQL injections. For example, if you have some sort of guest book where the user can leave a comment, the naive approach might look something like

if (isset($_POST['comment'])) {
  $mysqli->query('yada yada');
}

// ...

foreach ($comments as $comment) {
  echo '<div class="comment">' . $comment . '</div>';
}

But when $_POST['comment'] contains something like

Lorem ipsum
<script>
  window.location.href = ''
</script>

then anyone visiting that comments page will get redirected to A very basic way to prevent such scripts from getting evaluated would be to escape all HTML special characters before persisting it to the DB:

if (isset($_POST['comment'])) {
  $comment = htmlspecialchars($_POST['comment']);
  $mysqli->query('yada yada');
}

PHP also provides a couple of more confined filters to strip tags etc. You don’t necessarily have to report any errors or such, just be careful what to persist to the DB.



I am not sure this is the same, but I have seen a video where somebody could copy a form, alter it and submit it from a different source. This would bypass any JavaScript validation, and so, as you say, JavaScript validation is just to help the user input correct information. Also, what happens if the user has JavaScript turned off?

When I have a form on my sites I do PHP validation as it is server-side and I do not accept the form data with any validation errors. The user is returned to the form to correct any problems that will be highlighted.

When the form passes validation the data is sanitized with as many checks as I can think of!
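
The flow discussed in this thread (validate on the server and send errors back to the form, then neutralise the data for each context it is used in), as an added example that is not code from any poster here. The field names, the 2000-character limit and the in-memory SQLite table are assumptions made for illustration, the input array is constructed to stand in for $_POST, and escaping at output time rather than before storing is this example's own choice.

```php
<?php
// Added example. Constructed input standing in for $_POST; field names are hypothetical.
$input = [
    'id'      => '1 possible injection',
    'email'   => 'alice@example.com',
    'comment' => "Lorem ipsum <script>window.location.href = ''</script>",
];

// Validation: does the data fit the business rules? Returns field => message.
function validate_form(array $in): array
{
    $errors = [];
    // filter_var() returns false on failure; compare strictly so "0" is accepted.
    if (filter_var($in['id'] ?? '', FILTER_VALIDATE_INT) === false) {
        $errors['id'] = 'ID must be a whole number.';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid e-mail address.';
    }
    $len = strlen(trim($in['comment'] ?? ''));
    if ($len === 0 || $len > 2000) {   // assumed limit for this example
        $errors['comment'] = 'Comment must be 1 to 2000 characters.';
    }
    return $errors;
}

// First submission: the id fails validation, so nothing is stored and the
// messages would be shown next to the form fields.
print_r(validate_form($input));

// Same submission after the user corrects the id.
$input['id'] = '42';
if (validate_form($input) === []) {
    $db = new PDO('sqlite::memory:');   // assumption: the pdo_sqlite extension is loaded
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE comments (id INTEGER, email TEXT, body TEXT)');

    // SQL context: bound parameters keep the data out of the query text.
    $stmt = $db->prepare('INSERT INTO comments (id, email, body) VALUES (?, ?, ?)');
    $stmt->execute([(int) $input['id'], $input['email'], $input['comment']]);

    // HTML context: escape when rendering, so the markup is displayed as text.
    foreach ($db->query('SELECT body FROM comments') as $row) {
        echo '<div class="comment">'
            . htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
            . "</div>\n";
    }
}
```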


The difference is very simple:

Validation is an essentially optional and indeterministic measure that depends entirely on your business logic and has to be defined specifically for every particular case.

Whereas sanitization is obligatory and unconditional, and has to be always implemented, independent of any other measure taken.
