PHP Input Validation & Sanitization: 🚆 Railway Ticket Booking Guide 🛡️
🚉 Overview: Your Input Is Like Information at a Railway Counter
Imagine you’re at an Indian railway station buying a ticket 🎫
- The “user input” is the information you give to the person at the counter: your name, age, the train number, and your destination.
- The person at the counter is the “website” or “program”.
🧐 1. Input Validation: The Rules for Your Ticket 🎟️
Input validation is like the railway counter staff checking if the information you gave them follows the rules.
- Age must be a number: If you say your age is “twenty-five,” the person will ask you to say “25” instead. The counter staff validates that your age is a number, not a word.
- Train number must be valid: If you ask for train number “12345678,” the person will check their system to see if that train number exists. If it doesn’t, they’ll say it’s an invalid number.
Why is this important? If the counter person doesn’t validate your information, they might try to print a ticket for a fake train or an age that doesn’t make sense, and the system would fail.
PHP Example for Validation:
<?php
// Let's pretend a user typed this into a form
$email = "[email protected]";
$age = "25";

// Check if the email is in a valid email address format
if (filter_var($email, FILTER_VALIDATE_EMAIL) !== false) {
    echo "The email is valid! ✅<br>";
} else {
    echo "The email is invalid! ❌<br>";
}

// Check if the age is a number.
// filter_var() returns the integer itself on success, so compare with
// false explicitly: a valid value of 0 would otherwise count as a failure.
if (filter_var($age, FILTER_VALIDATE_INT) !== false) {
    echo "The age is a valid number! ✅<br>";
} else {
    echo "The age is not a valid number! ❌<br>";
}
?>
🛡️ 2. Input Sanitization: Protecting the System 🔒
Input sanitization is like the counter staff making sure you don’t write anything bad on the ticket request form that could mess up their computer.
Imagine a mischievous person writes something like this in the “Name” field: “Ankit, and delete all tickets”.
- The counter staff would sanitize this input. They would ignore or remove the “and delete all tickets” part because it’s not a valid name and it could harm their system. They only use the safe part: “Ankit”.
Why is this important? Without sanitization, someone could try to inject harmful commands into the railway’s system, which could lead to a massive problem. By sanitizing the input, the staff protects their system from such attacks.
PHP Example for Sanitization:
<?php
// A user might try to sneak this into your form
$name = "John Doe <script>alert('You are hacked!')</script>";

// Use strip_tags() to remove the HTML tags (the text between them remains)
$clean_name = strip_tags($name);
echo "Original Name: " . $name . "<br>";
echo "Sanitized Name: " . $clean_name . "<br>";

// Let's sanitize an email to remove any illegal characters.
// Note: '@' is a legal email character, so FILTER_SANITIZE_EMAIL keeps all
// three of them here; the result still needs FILTER_VALIDATE_EMAIL afterwards.
$email_with_junk = "test@@@example.com";
$clean_email = filter_var($email_with_junk, FILTER_SANITIZE_EMAIL);
echo "Original Email: " . $email_with_junk . "<br>";
echo "Sanitized Email: " . $clean_email;
?>
⚠️ 3. Why This Matters: Preventing Security Attacks 🚫
Input validation and sanitization are not just about making your website work correctly; they are about protecting it from dangerous security attacks.
- SQL Injection: This is when an attacker puts bad code into a form to trick your website into revealing or deleting data from your database. Sanitization helps prevent this by cleaning up the input so the harmful code can’t be used.
- Cross-Site Scripting (XSS): This is when an attacker injects a harmful script into your website. This script can then steal other users’ information (like their session cookies). Sanitization, especially with functions like strip_tags() and htmlspecialchars(), is the main way to stop this.
🤝 4. Putting It All Together: Validate and Sanitize Example
<?php
// Assume the user has submitted a form with an email address
$user_email = " [email protected] <script>alert('hack')</script> ";

// Step 1: Sanitize the email first to remove any characters that are not
// allowed in an email address (spaces and angle brackets are dropped here)
$sanitized_email = filter_var($user_email, FILTER_SANITIZE_EMAIL);

// Step 2: Validate the now-sanitized email to ensure it's in a proper format.
// Sanitizing only strips characters; the leftover text may still be rejected.
if (filter_var($sanitized_email, FILTER_VALIDATE_EMAIL) !== false) {
    echo "The email is both safe and valid! ✅";
    // Now you can safely use the $sanitized_email variable
} else {
    echo "The email is invalid, please try again. ❌";
}
?>
✅ Best Practices for Input Handling 💡
- Validate and sanitize every user input—never trust user data.
- Sanitize before validating to clean data first.
- Use prepared statements for DB queries to protect against SQL injection.
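The following is an added example, not code from the original guide: a handler for the railway ticket request that puts sections 3 and 4 and the best practices together. It validates the name, age and train number, escapes everything it echoes with htmlspecialchars(), and inserts with a PDO prepared statement. The in-memory SQLite table, the field names and the five-digit train-number rule are assumptions made so the file runs offline.

```php
<?php
// Added example, not from the original guide: a ticket-request handler for the
// railway scenario. Each field is validated, output is escaped with
// htmlspecialchars() and the insert uses a PDO prepared statement. The SQLite
// in-memory table and the field names are assumptions so the file runs offline.
declare(strict_types=1);

function validateTicketRequest(array $input): array {
    $errors = [];
    // Name: strip tags first, then allow only letters, spaces, dots, hyphens, apostrophes.
    $name = trim(strip_tags((string)($input['name'] ?? '')));
    if (!preg_match('/^[\p{L} .\'-]{2,50}$/u', $name)) {
        $errors['name'] = 'Name must be 2-50 letters, spaces, dots, hyphens or apostrophes.';
    }
    // Age: whole number in range. Compare with === false so a valid age of 0 passes.
    $age = filter_var($input['age'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 0 and 120.';
    }
    // Train number: assumed to be exactly five digits, as Indian train numbers are.
    $train = (string)($input['train'] ?? '');
    if (!preg_match('/^\d{5}$/', $train)) {
        $errors['train'] = 'Train number must be exactly five digits.';
    }
    return ['ok' => $errors === [], 'errors' => $errors,
            'data' => ['name' => $name, 'age' => $age, 'train' => $train]];
}

function bookTicket(PDO $pdo, array $data): void {
    // Prepared statement: values are bound, never concatenated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO tickets (name, age, train) VALUES (?, ?, ?)');
    $stmt->execute([$data['name'], $data['age'], $data['train']]);
}

// Constructed sample: strip_tags() leaves "Ankit alert('x')", which the name rule rejects.
$request = ['name' => "Ankit <script>alert('x')</script>", 'age' => 'twenty-five', 'train' => '12345'];
$result = validateTicketRequest($request);
foreach ($result['errors'] as $field => $msg) {
    // Escape before echoing so a message can never be rendered as HTML.
    echo htmlspecialchars("$field: $msg", ENT_QUOTES, 'UTF-8') . "<br>";
}
if ($result['ok']) {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE tickets (name TEXT, age INTEGER, train TEXT)');
    bookTicket($pdo, $result['data']);
    echo 'Ticket booked for ' . htmlspecialchars($result['data']['name'], ENT_QUOTES, 'UTF-8');
}
```

With the sample input both the name and the age are rejected, so nothing reaches the database; change them to a plain name and a numeric age to see the prepared insert run.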