PHP String Sanitizer [tested]

PHP String Sanitizer for form input security
PHP String Sanitizer for form input security

The Best PHP String Sanitizer for Form Security.
Ensuring the security of your application’s data is paramount, especially when dealing with user inputs from forms. This guide explores a robust PHP function for string sanitization that helps protect your system from potential security threats posed by malicious users. In this article, we’ll delve into the details of this function, its advantages, and its limitations.

The Importance of String Sanitization:

Before we dive into the solution, let’s understand why string sanitization is essential. When you collect data from forms, it’s imperative to implement security measures to prevent the injection of malicious code into your system. This is crucial for maintaining data integrity and safeguarding your application.

The PHP Sanitization Function:

The PHP sanitization function we’re about to explore is a powerful tool for cleansing user inputs effectively. It leverages the preg_replace, explode, and implode functions to sanitize strings thoroughly.

function sanitize($string) {
    $arr = array();
    $string = preg_replace("/[^a-zA-Z0-9\']/", " ", $string);
    $delimiters = array('@','#','$','%','^','&','*','/','\ ','[',']','{','}','|','(','_','-','+','=','`','¬','!',')',';','"','<','>',",",".",':',"?",'\n',"'");
    $delimiterscount = count($delimiters);

    for ($i=0; $i<$delimiterscount; $i++) {
        $string = preg_replace("/\s\s+/", ", ", str_replace(str_replace(" ",'',$delimiters[$i]), ', ', $string));

    $string = explode(",",str_replace(" ", ",", $string));

    foreach($string as $val){
        if(!empty($val) && strlen($val)>0){
            $arr[] = stripslashes($val);

    return implode($arr);

Understanding the Function:

  • The function sanitize accepts a string as input.
  • It first removes characters that are not alphanumeric or single quotes, effectively filtering out potential malicious characters.
  • Next, it employs an array of delimiters to tokenize the input string.
  • The string is then exploded into an array.
  • After ensuring that each element is not empty, the sanitized values are collected into an array.
  • Finally, the sanitized array is imploded back into a string, resulting in a clean, sanitized output.

Function Limitations:

While this sanitization function is robust, it has a couple of limitations:

  1. Handling Spaces: It doesn’t consider spaces within sentences.
  2. Replacing Removed Characters: It doesn’t replace removed characters with machine-friendly code.

Example Usage:

Let’s see how this function works in practice:

$myname = 'G~#o£~  #d&w  ,i-£n';
$myname = sanitize($myname);
echo $myname;

Legacy Approach:

Before the above function, developers often used the following legacy approach, which is not recommended today due to its limitations:

function clean($string){
    $string = strip_tags($string); // Remove HTML tags
    $string = htmlspecialchars($string); // Convert special characters
    $string = trim(rtrim(ltrim($string))); // Remove leading and trailing spaces
    return $string;

This legacy approach removes HTML tags and converts special characters but doesn’t effectively handle more complex security threats.

In conclusion, when it comes to form security and string sanitization in PHP, using a robust function like the one detailed above is crucial. It provides comprehensive protection against potential injection attacks and ensures the integrity of your application’s data. Always prioritize security in your web development efforts to keep your systems safe from malicious actors.


Please enter your comment!
Please enter your name here