PHP Sanitize Data

PHP Sanitize Data

Last Updated on Feb 15, 2023


Sanitizing data is a very important step, especially when you are dealing with user data.

What does it mean to sanitize data?

It means to clean up your data by using deleting, replacing, encoding, or escaping techniques.

Sanitize Data

Do you remember when we used filters to validate email?

We are going to use the same function but with different flags to sanitize data

So let’s see an example

filter_var($string, FILTER_SANITIZE_STRING);

Here it doesn’t validate the data to tell us if it’s string or not. It sanitizes it. It cleans up the string.

So if we have an input like this:

$string = '<p>here is a html paragraph</p>';

It would clean and return this:

$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph

As you can see it has removed the html tags for us.

Here is a list of most useful flags to sanitize your data


Strip tags and HTML-encode double and single quotes, optionally strip or encode special characters.

if you are using PHP < 8.1 this filter is very useful and powerful. However, If you are using PHP > 8.1, this filter is no longer available and it is recommended to use FILTER_SANITIZE_FULL_SPECIAL_CHARS which I will explain in this post OR use htmlspecialcharacters function instead

$string = '<p>here is a html paragraph</p>';
$filtered = filter_var($string, FILTER_SANITIZE_STRING);
// here is a html paragraph


Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

$string = '<example>email@test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_EMAIL);


Remove all characters except letters, digits and $-_.+!*'(),{}|\\^~[]`<>#%";/?:@&=.

$string = '<example>url°test€.com';
$filtered = filter_var($string, FILTER_SANITIZE_URL);
// <example>


URL-encode string, optionally strip or encode special characters.

$string = 'test=example query & another=test query!';
$filtered = filter_var($string, FILTER_SANITIZE_ENCODED);
// test%3Dexample%20query%20%26%20another%3Dtest%20query%21


Apply addslashes().

$string = "have you visited amir's website!";
$filtered = filter_var($string, FILTER_SANITIZE_ADD_SLASHES);
// have you visited amir\'s website!


Remove all characters except digits, +- and optionally .,eE. 

You should add the option FILTER_FLAG_ALLOW_FRACTION if you want to keep the decimals.

$string = "$616.15&";
// 616.15


Remove all characters except digits, plus and minus sign.

$string = "$-15&";
$filtered = filter_var($string, FILTER_SANITIZE_NUMBER_INT);
// -15


Equivalent to calling htmlspecialchars() with ENT_QUOTES set.

$string = "characters like < and &";
$filtered = filter_var($string, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
// characters like &lt; and &amp;

You can see a list of all the filters and flags on php's official website.


Now you know about Sanitizing data in PHP.

I recommend you to open a PHP files and try to Sanitizing different types of data.

If you have any suggestions, questions, or opinions, please contact me. I’m looking forward to hearing from you!

Key takeaways

  • Sanitizing data in php
  • filter var
  • cleaning up the data in php

Category: programming

Tags: #php

Join the Newsletter

Subscribe to get my latest content by email.

I won't send you spam. Unsubscribe at any time.

Related Posts