
I'm coding a contact form and I want to validate and sanitize user input using filter_input. The problem is that, because I use it for every POST variable, should I validate and then sanitize, or what? My suggestion is as follows:

<?php
// Validate the submitted address; stop the script if it is not a valid e-mail.
if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
    exit();
} else {
    // The address passed validation; read it back from $_POST.
    $email = $_POST['email'];
}

Is this OK, or must I re-sanitize $_POST['email']?

Thanks

  • What you're trying to achieve isn't really clear. Why are you sanitizing? For SQL injection? Commented Apr 12, 2014 at 23:29
  • Maybe yes, maybe no, as I will then choose to store the messages in the DB or send them by email. Commented Apr 12, 2014 at 23:32
  • (2 years later) You can use filter_has_var() to check if the post is set. Commented Jul 9, 2014 at 13:35

2 Answers


Try this:

<?php
// filter_input() returns the validated value, or false when validation fails,
// so the assignment and the check can be done in one step and $_POST is never re-read.
if (!$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
    exit();
}

echo $email;
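The same idea extended to a whole form, as an added example that is not the answer's own code: every POST field is run through one rule set, only the values the filter returns are used afterwards, and output is escaped per context (bound SQL parameters for storage, htmlspecialchars() for display) rather than "sanitized" on the way in. The field names, the rules, the contact_messages table and the 4000-byte limit are assumptions for a hypothetical contact form.

```php
<?php
// Added example (not from the question or either answer). Validates all POST
// fields of a contact form in one pass; field names, rules and table name are assumed.
declare(strict_types=1);

const CONTACT_RULES = [
    // false on an invalid address, null when the field is absent
    'email'   => ['filter' => FILTER_VALIDATE_EMAIL],
    // The name ends up in a mail header later, so forbid control characters
    // (CR/LF included) outright instead of stripping them.
    'name'    => ['filter'  => FILTER_VALIDATE_REGEXP,
                  'options' => ['regexp' => '/^[^\p{C}]{1,80}$/u']],
    // Body text is kept exactly as typed; it is escaped per output context below.
    'message' => ['filter' => FILTER_UNSAFE_RAW],
];

/**
 * Pure validation step: returns ['ok' => bool, 'data' => array, 'errors' => array].
 * Takes any array so it can be exercised without a live request;
 * filter_input_array(INPUT_POST, CONTACT_RULES) applies the same rules to the real request.
 */
function validate_contact(array $input): array
{
    $filtered = filter_var_array($input, CONTACT_RULES);
    $errors = [];
    foreach (array_keys(CONTACT_RULES) as $field) {
        $value = $filtered[$field] ?? null;            // null = absent, false = failed the filter
        if ($value === null || $value === false || $value === '') {
            $errors[$field] = 'missing or invalid';
        }
    }
    if (strlen((string) ($filtered['message'] ?? '')) > 4000) {
        $errors['message'] = 'too long';              // assumed size limit
    }
    return ['ok' => $errors === [], 'data' => $filtered, 'errors' => $errors];
}

/** Request handler: reads the request, then works only with the filtered copy. */
function handle_contact_request(PDO $db): void
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !filter_has_var(INPUT_POST, 'email')) {
        http_response_code(405);
        return;
    }
    $result = validate_contact($_POST);
    if (!$result['ok']) {
        http_response_code(422);
        header('Content-Type: application/json');
        echo json_encode($result['errors']);
        return;
    }
    $d = $result['data'];

    // Storage: bound parameters, never string-built SQL, so no "SQL sanitizing" is needed.
    $stmt = $db->prepare(
        'INSERT INTO contact_messages (email, name, body) VALUES (:email, :name, :body)'
    );
    $stmt->execute([':email' => $d['email'], ':name' => $d['name'], ':body' => $d['message']]);

    // Display: escape for HTML at the point of output, not at input time.
    echo 'Thanks, ' . htmlspecialchars($d['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input (not from the page) to show the pure step offline.
print_r(validate_contact(['email' => 'user@example.com', 'name' => 'Ann', 'message' => 'Hi']));
print_r(validate_contact(['email' => 'not an address', 'name' => "Ann\r\nBcc: x@y.z"]));
```

The split into a pure validate_contact() and a thin handler is deliberate: the rules live in one constant, the handler never touches $_POST after validation, and the same function can be fed constructed arrays in a unit test. Escaping happens where the value is used, because the correct escaping differs between SQL, HTML and mail headers and no single input-time "sanitize" covers all three.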



I think using FILTER_SANITIZE_EMAIL before using FILTER_VALIDATE_EMAIL would be better. Also, I would suggest making a regular expression that forces email addresses to conform to what you want to accept for an email address. Both FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL are very liberal in the characters they will accept (the RFC allows more kinds of characters than you might want to allow, and in places where you might not care to see them).

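To see what the order of sanitize and validate actually changes, here is an added example that is not code from this answer: it runs the same input through "validate only", "sanitize then validate", and a stricter custom pattern, and flags the case where sanitizing silently rewrites the address into a different one that then validates. The STRICT_EMAIL_RE pattern and the sample addresses are assumptions for illustration.

```php
<?php
// Added example (not from the answer). Compares three ways of checking an
// e-mail field; the strict pattern and the samples are assumed for illustration.
declare(strict_types=1);

/** Stricter than FILTER_VALIDATE_EMAIL: ASCII local part, dotted domain, no quoted forms. */
const STRICT_EMAIL_RE =
    '/^[A-Za-z0-9._%+-]{1,64}@(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/';

function check_email(string $raw): array
{
    // 1. Validate the value exactly as submitted; false on failure.
    $validated = filter_var($raw, FILTER_VALIDATE_EMAIL);

    // 2. Sanitize first: FILTER_SANITIZE_EMAIL drops every character that is not
    //    allowed in an address (spaces, CR/LF, colons, ...), so the result can be
    //    a different address from the one the user typed.
    $sanitized = filter_var($raw, FILTER_SANITIZE_EMAIL);
    $sanitizedThenValidated = filter_var($sanitized, FILTER_VALIDATE_EMAIL);

    // 3. Strict policy applied to the raw value: accept only the shape you want to handle.
    $strict = preg_match(STRICT_EMAIL_RE, $raw) === 1 ? $raw : false;

    return [
        'raw'                    => $raw,
        'validate_only'          => $validated,
        'sanitized'              => $sanitized,
        'sanitize_then_validate' => $sanitizedThenValidated,
        // true when sanitizing produced a *valid* address that differs from the input
        'silently_rewritten'     => $sanitizedThenValidated !== false && $sanitized !== $raw,
        'strict'                 => $strict,
    ];
}

/**
 * Accept policy for a form handler: validate what was submitted and reject rather
 * than repair. Sanitizing before validating would turn "us er@example.com" into
 * "user@example.com", a valid but different address, without the user noticing.
 */
function accept_email(string $raw): ?string
{
    $r = check_email($raw);
    return ($r['validate_only'] !== false && $r['strict'] !== false) ? $r['validate_only'] : null;
}

// Constructed sample inputs (not from the page).
$samples = [
    'user+tag@example.com',      // ordinary address
    'us er@example.com',         // space: invalid as typed, "repaired" by sanitizing
    'bad@@example',              // invalid either way
    "a@b.example\r\nBcc: x@y.z", // CR/LF: what a mail-header injection attempt looks like on input
];
foreach ($samples as $sample) {
    print_r(check_email($sample));
    var_dump(accept_email($sample));
}
```

The "silently_rewritten" flag is the practical reason to validate first: when a sanitizer has to remove something to make a value pass, the submission was malformed, and silently mailing or storing a corrected address means the user can never be told their input was wrong.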
