How to Sanitize User Input with PHP to Prevent SQL Injection and XSS Attacks


When dealing with user input, it is crucial to sanitize and validate the data to prevent security issues such as SQL injection and cross-site scripting (XSS) attacks. These attacks can lead to unauthorized access, data manipulation, and potential damage to your application or website.

In this article, we will discuss various techniques and best practices for sanitizing user input in PHP, ensuring that your code is secure and protected.

Sanitizing User Input

1. Input Validation:

To start, it's important to validate user input to ensure that it conforms to expected formats and constraints. Input validation is the process of checking if the user input is of the expected data type, length, format, etc. This can be done using PHP's built-in filter_var() function and appropriate filters.

Example: Validate an email address

            $email = $_POST['email'];

            if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
                // Valid email address
            } else {
                // Invalid email address

2. Escape Special Characters:

To prevent SQL injection attacks, you should escape any special characters that may alter the structure of a query. Use prepared statements or parameterized queries with PDO or mysqli extension to bind input variables securely.

Example: Use PDO for database queries

            $username = $_POST['username'];
            $password = $_POST['password'];

            $stmt = $pdo->prepare('SELECT * FROM users WHERE username = :username AND password = :password');
            $stmt->bindParam(':username', $username);
            $stmt->bindParam(':password', $password);

            // Fetch the result

3. Remove HTML Tags:

To prevent XSS attacks, you should remove or encode any user-provided HTML tags to ensure that they are not executed as scripts when displayed. PHP's strip_tags() function can be used to remove HTML tags from a string.

Example: Remove HTML tags

            $input = $_POST['input'];
            $sanitizedInput = strip_tags($input);

4. Use HTML Purifier:

If you want to allow certain types of HTML tags while still sanitizing user input, you can use a library like HTML Purifier. HTML Purifier is an open-source PHP library that can filter user input and remove any malicious or unwanted HTML tags while allowing specified tags and attributes.

Example: Sanitize user input with HTML Purifier

            require_once '';

            $config = HTMLPurifier_Config::createDefault();
            // Configure the allowed tags and attributes
            $config->set('HTML.Allowed', 'p,b,a[href]');

            $purifier = new HTMLPurifier($config);

            $input = $_POST['input'];
            $sanitizedInput = $purifier->purify($input);

Best Practices

1. Validate and Sanitize All User Input:

Remember to validate and sanitize all user input, regardless of its source. This includes data from forms, cookies, headers, and databases. By doing so, you can ensure that your application or website is protected from potential security vulnerabilities.

2. Use Whitelisting:

Instead of blacklisting specific characters or patterns, it is generally recommended to use whitelisting when validating user input. Whitelisting involves specifying the allowed characters, formats, or constraints, which helps to minimize the risk of allowing unexpected or malicious input.

3. Regular Expression Validation:

In some cases, regular expressions can be used for more advanced validation requirements. Regular expressions provide a powerful way to validate and sanitize user input based on specific criteria or patterns. Be cautious when implementing regular expressions to avoid vulnerabilities such as denial-of-service attacks.


Sanitizing user input is a critical step in developing secure PHP applications or websites. By implementing proper validation and sanitization techniques, you can prevent common security vulnerabilities such as SQL injection and XSS attacks.

Remember to validate user input, escape special characters for database queries, remove or encode HTML tags to prevent XSS attacks, and consider using libraries like HTML Purifier if you need to allow specific types of HTML tags.

Following the best practices mentioned in this article will help ensure the integrity and security of your code.