I'm coding a contact form and I want to validate and sanitize user input using filter_input. The problem is that, because I use it for every POST variable, should I validate and then sanitize, or what? My suggestion is as follows:
if (!filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL)) {
    exit();
} else {
    $email = $_POST['email'];
}
Is this OK, or must I re-sanitize $_POST['email']?
Thanks
Try this:
// filter_input() returns false for an invalid address and null for a missing
// field; both are falsy, so the assignment doubles as the check.
if (!($email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL))) {
    exit();
}
echo $email;
I think using FILTER_SANITIZE_EMAIL before using FILTER_VALIDATE_EMAIL would be better. Also, I would suggest making a regular expression that forces email addresses to conform to what you want to accept for an email address. Both FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL are very liberal in the characters they will accept (the RFC allows more kinds of characters than you might want to allow, and in places you might not care to see them in).