How to sanitize input in PHP and HTML
In PHP, input can be sanitized with built-in functions such as htmlspecialchars() and strip_tags() to prevent cross-site scripting (XSS), and addslashes() or mysqli_real_escape_string() to prevent SQL injection.
htmlspecialchars() converts special characters to their corresponding HTML entities. strip_tags() removes any HTML or PHP tags from a string. addslashes() or mysqli_real_escape_string() adds backslashes before special characters in a string so that it can be embedded in a quoted SQL string literal.
For example, here is how you can use these functions to sanitize user input in PHP:
```php
<?php
// $db is assumed to be an open mysqli connection (not shown in the original)
$user_input = $_POST['user_input'];
$user_input = strip_tags($user_input);               // drop any HTML/PHP tags
$user_input = htmlspecialchars($user_input);         // encode <, >, &, " as HTML entities
$user_input = $db->real_escape_string($user_input);  // escape quotes/backslashes for a quoted SQL literal
```
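The snippet above runs all three functions over the value in one pass. The following is an added example, not code from the original post, that applies the same functions in the context each is meant for: validate the shape first, store through a prepared statement (so real_escape_string() is not needed), and HTML-encode only when rendering. It assumes a mysqli connection in `$db`; the table name `comments` and the request value are constructed for the example.

```php
<?php
// Added example (not from the original post): the same functions, each applied
// in the context it is meant for. Assumes $_POST['user_input'] and a mysqli
// connection in $db; the table "comments" and the sample value are constructed.
declare(strict_types=1);

/** Step 1: validate shape first. Reject rather than "clean" anything that does
 *  not look like what the field should hold (here: 1-200 characters of text). */
function validate_comment(string $raw): ?string
{
    $raw = trim($raw);
    if ($raw === '' || mb_strlen($raw, 'UTF-8') > 200) {
        return null;
    }
    // strip_tags() removes markup; use it when the field must not contain HTML at all.
    return strip_tags($raw);
}

/** Step 2: store with a prepared statement. The value travels separately from
 *  the SQL text, so quotes inside it cannot change the query. */
function store_comment(mysqli $db, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (?)');
    $stmt->bind_param('s', $comment);
    return $stmt->execute();
}

/** Step 3: encode for HTML only at output time, with flags that also cover
 *  single quotes and invalid UTF-8. Encoding before storage would double-encode
 *  the text if it is ever shown somewhere other than an HTML page. */
function render_comment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

/** Where real_escape_string() still fits: only when the value is interpolated
 *  into a quoted SQL string literal and a prepared statement is not available.
 *  It does nothing useful for unquoted positions (numbers, column names, ORDER BY). */
function legacy_query(mysqli $db, string $comment): string
{
    return "INSERT INTO comments (body) VALUES ('" . $db->real_escape_string($comment) . "')";
}

// Constructed request, so the script can be read end to end without a web server:
$_POST['user_input'] = "<b>Hi</b> it's me & \"you\" <script>alert(1)</script>";
$comment = validate_comment($_POST['user_input'] ?? '');
if ($comment === null) {
    http_response_code(400);
    exit('Invalid comment');
}
// $db = new mysqli('localhost', 'app_user', 'secret', 'blog');  // use a least-privilege account
// store_comment($db, $comment);
echo render_comment($comment);
```

The ordering matters: strip_tags() is a validation-stage decision about what the field may contain, the prepared statement handles the database, and htmlspecialchars() is applied to whatever is actually rendered. This keeps the stored value a faithful copy of what the user typed (minus tags) and lets the same record be emitted safely into other formats later.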
In HTML, you can use the pattern attribute in <input> elements to define a regular expression that the input must match. For example, if you want to accept only numbers in a specific field, you can use the following:
```html
<input type="text" pattern="[0-9]+" title="Please enter a number">
```
Another way to sanitize input in HTML is to use the required attribute, which specifies that an input field must be filled out before submitting the form. For example:
```html
<input type="text" required>
```
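The pattern and required attributes above are enforced by the browser, so the server has to apply the same rule again before trusting the value. The following added example (not from the original post) pairs a form that uses both attributes with a PHP handler that re-validates with the equivalent regular expression and echoes a rejected value back HTML-encoded. The field name `age` and the 1-to-3-digit rule are constructed for the example.

```php
<?php
// Added example (not from the original post): pattern/required on the form,
// with the matching server-side check. Field name "age" and the 1-3 digit
// rule are constructed for the example.
declare(strict_types=1);

// Server-side twin of pattern="[0-9]{1,3}" (the HTML pattern attribute is
// implicitly anchored to the whole value, so the regex is anchored here too).
const AGE_PATTERN = '/^[0-9]{1,3}$/';

/** Returns the validated integer, or null when the field is missing
 *  (the "required" case) or does not match the pattern. */
function validate_age(?string $value): ?int
{
    if ($value === null || preg_match(AGE_PATTERN, $value) !== 1) {
        return null;
    }
    return (int) $value;   // cast only after the shape is confirmed
}

/** Renders the form; a previously rejected value is echoed back HTML-encoded. */
function render_form(string $previous = '', string $error = ''): string
{
    $safe_prev = htmlspecialchars($previous, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $safe_err  = htmlspecialchars($error, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return <<<HTML
<form method="post" action="">
  <label for="age">Age</label>
  <input id="age" name="age" type="text" inputmode="numeric"
         pattern="[0-9]{1,3}" title="Please enter a number (1 to 3 digits)"
         required value="{$safe_prev}">
  <button type="submit">Send</button>
  <p class="error">{$safe_err}</p>
</form>
HTML;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $age = validate_age($_POST['age'] ?? null);
    if ($age === null) {
        http_response_code(422);
        echo render_form((string) ($_POST['age'] ?? ''), 'Age must be a number of 1 to 3 digits.');
        exit;
    }
    echo '<p>Thanks, age ' . $age . ' recorded.</p>';   // $age is an int, nothing to encode
    exit;
}

echo render_form();
```

The browser attributes give the user immediate feedback; validate_age() is the check the application actually relies on, since a request can be sent without the form (curl, a script, or an edited page) and then the attributes never run.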
Please keep in mind that sanitizing input is a crucial step in making sure your application is secure, but it is not enough on its own. It's essential to use prepared statements, use a least privilege account to access the database, validate input and output, and also use other security best practices to further strengthen the security of your application.
Resource: ChatGPT