Filter Input

Server-side filtering is important for security.
Client-side validation is important for usability.

<form method="POST">
    Username: <input type="text" name="username">
    Color: <select name="color">
        <option value="Red">Red</option>
        <option value="Blue">Blue</option>
    </select>
    <input type="submit" name="btn_submit">
</form>
<?php
# All of PHP's superglobal arrays should be considered tainted.
# Even the $_SERVER array is not fully safe: it contains some data provided by the client.
# Only $_SESSION is safe!
# Ctype functions are always preferred over regular expressions.

if (isset($_POST['btn_submit'])) {

    $clean = array();

    if (ctype_alpha($_POST['username'])) { // Look Here
        $clean['username'] = $_POST['username'];
    }
    if (in_array($_POST['color'], array("Red", "Blue"))) {
        $clean['color'] = $_POST['color'];
    }
}

Escape Output

Escaping output protects the client and user from potentially damaging commands.
<form method="POST">
    Message: <input type="text" name="message">
    <input type="submit" name="btn_submit">
</form>

Example input: John's message is "Hello World!"

<?php
if (isset($_POST['btn_submit'])) {

    echo "\n" . htmlentities($_POST['message']);
        # John's message is &quot;Hello World!&quot;
        # Will convert double quotes only

    echo "\n" . htmlentities($_POST['message'], ENT_QUOTES);
        # John&#039;s message is &quot;Hello World!&quot;
        # Will convert both double and single quotes
}

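The two sections above combined into one runnable script, added here as an example rather than code from the original notes: the allow-list checks from Filter Input run against a constructed stand-in for $_POST, then every value is escaped with ENT_QUOTES on output as in Escape Output. The names ALLOWED_COLORS, filterInput() and e() are my own; the free-text message field cannot be allow-listed, so it is only bounded and depends on the escaping step.

```php
<?php
// Added example, not code from the original notes: allow-list filtering of
// request fields, then escaping on output. $request below is a constructed
// stand-in for $_POST so the script runs from the command line.
const ALLOWED_COLORS = ['Red', 'Blue'];   // hypothetical allow-list, as in the notes

/** Keep only fields that pass their check; record why the others were dropped. */
function filterInput(array $request): array
{
    $clean = [];
    $errors = [];
    // is_string() first: username[]=x arrives as an array and must not reach ctype_alpha()
    $username = $request['username'] ?? null;
    if (is_string($username) && $username !== '' && strlen($username) <= 32 && ctype_alpha($username)) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'letters only, 1 to 32 characters';
    }
    // Strict in_array(): the submitted value must match a list entry exactly, no type juggling
    $color = $request['color'] ?? null;
    if (is_string($color) && in_array($color, ALLOWED_COLORS, true)) {
        $clean['color'] = $color;
    } else {
        $errors['color'] = 'must be one of ' . implode(', ', ALLOWED_COLORS);
    }
    // Free text cannot be allow-listed, so only length and encoding are checked here;
    // for HTML purposes it stays untrusted and relies on escaping at output time
    $message = $request['message'] ?? null;
    if (is_string($message) && strlen($message) <= 500 && mb_check_encoding($message, 'UTF-8')) {
        $clean['message'] = $message;
    } else {
        $errors['message'] = 'at most 500 bytes of valid UTF-8';
    }
    return ['clean' => $clean, 'errors' => $errors];
}

/** Escape for an HTML text node or quoted attribute; ENT_QUOTES also covers single-quoted attributes. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$result = filterInput(['username' => 'John', 'color' => 'Red', 'message' => 'John\'s message is "Hello World!"']);
foreach ($result['errors'] as $field => $why) {
    echo '<p class="error">' . e($field) . ': ' . e($why) . "</p>\n";
}
foreach ($result['clean'] as $field => $value) {
    // Same escaper serves the text node and the single-quoted attribute value
    echo '<p>' . e($field) . ": <input type='text' value='" . e($value) . "'></p>\n";
}
```

The message line comes out with the apostrophe as &#039; and the double quotes as &quot;, matching the ENT_QUOTES result shown in the notes, so the single-quoted value attribute stays intact.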