One of the biggest concerns of all developers or any webmaster running a custom script (no support for it) is security, and since hackers are making sure to reach every hole, we need to make sure it's closed before they reach it.

If you run your inputs through a database or just temporarily displaying it on your website, or even executing shell commands, you need to make sure that your entries are escaped, or clean in other words.

Some of the most common functions to clean or escape in PHP are:


These function are very useful, most of the time, but they are very general. It is always best that you validate your data exactly as required, for example, let's say you have a public input which requires the page number to display, the entry needs to be an integer, so we validate it.

There are many ways to validate entries, whether with functions already made by PHP, type juggling or using regular expressions (regex).

Some of the useful functions are:


Or in type juggling:

  • (int)
  • (bool)
  • (float)
  • (string)
  • ...

You should make use of all that, it'll save you a lot of time and will make sure that your entry is clean, for example, let's say you have a public $_GET or $_POST, the purpose of it is a poll or a survey if you will, asking the user "How many times have you visited my site today?"

If you pass this into the database without any validation, malicious code can be executed, example.

PHP Code: 
$entry $_GET['vote']; // ?vote={MALICIOUS_CODE} 
That will be executed and causing your database to malfunction, depending on the malicious code of course, deleting, dropping or editing entries in database.

If we add (int) right before $_GET it'll basically switch the type to integer, and only returns an integer.

PHP Code: 
$entry = (int) $_GET['vote']; 
If you want to make your validation public and display errors, you could do something like:

PHP Code: 
if ( !is_numeric($_GET['vote']) )
{
    // Display error 
Notice the "!" before is_numeric(), it basically means "not integer, or not equal to, not set..." however you want to word it. So "!" is "NOT" in short.

What about validating regular strings? for example you have a script which has a registering system on it, of course you should always use mysql_real_escape_string() for that, but why not do extra validation to be extra safe.

In this situation we use regex (regular expressions) very useful, let's look at this example:

PHP Code: 
if ( !preg_match('/^\w+$/i'trim($str)) )
{
    // Display error 
A couple of things to notice here, first the preg_match() function, this function basically matches regex as you defined it to the entry added, in this case we're asking PHP "Is the entered string consists of a-z A-Z 0-9 or _ or not?"

This is very useful for user name validation, even though you could code another version that accepts all types of characters (using some of the functions we mentioned earlier) but a user name only needs those characters, mostly.

Another thing to notice are the ^ and the $ signs, ^ means "start" and $ means "end", basically telling it that string starts with that and ends with this.

The trim() function removes all extra spaces from left/right of the entry so " string " will become "string".

Here is a basic list of the most common expressions used:

  • \d: Matches digits, equivalent to [0-9]
  • \w: Matches word characters and underscore, equivalent to [a-zA-Z0-9_]
  • \s: Matches space, new line and tab.

With regex the possibilities are endless, you can validate a URL, email, user name, string and how many characters allowed in each constant (minimum and maximum).

You can easily find detailed tutorials about regex by searching Google.

Other areas that need to be secured are when you execute system functions, whether publicly or internally. Functions like system() and exec() which are used to execute system commands also need to be escaped.

Of course you can use the same methods we mentioned before (ie: regex) to validate data through system functions, however, thanks to PHP, they have made special functions to escape commands in system functions, for example:


The function escapeshellcmd() escapes more characters than escapeshellarg().

Even if you use those functions, it's always a good idea to make additional validation to make sure that the entry passed is exactly as you want it.

Conclusion: always make sure that you secure your data, this is for your own good and of course the users viewing your website, and if a hacker managed to get into your scripts, don't give up, this just gives you more power because you'll be learning new things, thus making your scripts more powerful.

Thank you.

Article by: el_jentel1
el_jentel1 Reviewed by el_jentel1 on . [PHP] Secure your data One of the biggest concerns of all developers or any webmaster running a custom script (no support for it) is security, and since hackers are making sure to reach every hole, we need to make sure it's closed before they reach it. If you run your inputs through a database or just temporarily displaying it on your website, or even executing shell commands, you need to make sure that your entries are escaped, or clean in other words. Some of the most common functions to clean or escape in Rating: 5