How to PHP Security Tips Web Development

How to check an email address is valid when a form is submitted to your PHP code?


You have a form on your website and you are collecting email addresses. You want to make sure they are valid email addresses so that you can make use of them, whether you are replying to a customer inquiry or using the addresses for a marketing mailing list.

How do you make sure they are valid email addresses?

First, you can validate them client-side in the browser, before the form is submitted to your server.

With HTML5 you can define the input field type as email and make it a required field, like this:

<input type="email" name="email" required>

Note that most of the frequently used browsers will support the above functionality.

Then, once the form is submitted, use this PHP code to make sure the submitted email address is really valid. The client-side check is a convenience for the user: a request can be sent to your server without the browser's validation ever running, so the server-side check is the one that counts.

// Grab the POSTed email address input field (empty string if the field is absent)
$email = $_POST['email'] ?? '';

// Use filter_var to check if the email address is valid
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    // Escape the value before echoing it back, as it is untrusted user input
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . " is not a valid email address";
} else {
    echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8') . " is a valid email address";
}
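As an added example (not code from the original post), here is a fuller server-side version of the same check wrapped in a function, run against a few constructed submissions. The helper name validate_email() and the sample inputs are my own; the validation itself is the same filter_var() call as above, with trimming, a length limit and a type check added so that odd submissions (surrounding whitespace, newlines, an array instead of a string) are handled deliberately rather than by accident.

```php
<?php
// Added example: server-side email validation with constructed sample inputs.
// Assumed helper name: validate_email(). Not code from the original post.
declare(strict_types=1);

/**
 * Return the validated email address, or null if it is not acceptable.
 * Trims surrounding whitespace (a common paste artefact), rejects over-long
 * values, and relies on filter_var() for the syntax check.
 */
function validate_email($raw): ?string
{
    if (!is_string($raw)) {          // e.g. email[]=... in the POST body gives an array
        return null;
    }
    $email = trim($raw);
    if ($email === '' || strlen($email) > 254) {  // 254 is the RFC 5321 path length limit
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Constructed sample submissions (not real addresses)
$samples = [
    'alice@example.com',                        // accepted
    '  bob@example.org  ',                      // accepted after trim
    'no-at-sign.example.com',                   // rejected: missing @
    "carol@example.com\r\nBcc: x@example.net",  // rejected: newline (mail header injection attempt)
    'dave@localhost',                           // rejected: FILTER_VALIDATE_EMAIL requires a dotted domain
    ['x@example.com'],                          // rejected: array instead of string
];

foreach ($samples as $raw) {
    $result = validate_email($raw);
    // Escape before output: the raw value is untrusted
    $shown = htmlspecialchars(is_string($raw) ? $raw : '(array)', ENT_QUOTES, 'UTF-8');
    echo $shown, ' => ', ($result === null ? 'rejected' : 'accepted as ' . $result), PHP_EOL;
}
```

Store the returned value from validate_email(), not the raw $_POST field, and keep escaping it with htmlspecialchars() whenever it is echoed into a page: a value that passes the email filter is still user input.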

A bare-bones code sample demonstrating the above can be found below:

Frameworks MySQL PHP Security Web Development

How to use CodeIgniter to prevent malicious SQL injections

Should you escape input when using CodeIgniter's active record class?

Do you need to worry about MySQL injection vulnerabilities when using CodeIgniter?

Yes, yes you do.

It is, of course, good security practice to escape your data before submitting it to your database.

CodeIgniter provides three helpful methods, which are part of its database library, to stop SQL code injection.


CodeIgniter also provides a way to use bindings, whereby the question marks in the query are replaced by the data parameters that you pass to the query function.

For example:

// Each ? is replaced, in order, by the escaped value from the array
$sql = "SELECT * FROM some_table WHERE id = ? AND status = ? AND author = ?";
$this->db->query($sql, array(3, 'live', 'Rick'));

This way the values are escaped automatically, so you don't have to escape them yourself, resulting in safer queries that stop attackers from injecting malicious SQL.

Refer to the last two sections of this page of the CodeIgniter manual.
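As an added example (not code from the original post or from the CodeIgniter project), here is a CodeIgniter 3 model that shows the string-concatenation form bindings replace next to the bound form, plus the one case bindings do not cover on their own: a LIKE search, where the % and _ wildcards inside the user's value are not escaped by the binding and need escape_like_str() as well. It assumes CodeIgniter 3 with the database library loaded as $this->db, and a hypothetical table named posts with columns id, status, author and title.

```php
<?php
// Added example, not from the original post or the CodeIgniter project.
// Assumes CodeIgniter 3 ($this->db loaded) and a hypothetical `posts` table.
defined('BASEPATH') OR exit('No direct script access allowed');

class Post_model extends CI_Model
{
    // The form that bindings replace: user input is concatenated straight into
    // the SQL string, so a value containing a quote changes the query's meaning.
    // Kept here only for comparison; do not use this pattern.
    public function find_by_author_unsafe($author)
    {
        $sql = "SELECT * FROM posts WHERE author = '" . $author . "' AND status = 'live'";
        return $this->db->query($sql)->result();
    }

    // Bound form: each ? is replaced by the escaped value from the array, so the
    // value is always treated as data, whatever characters it contains.
    public function find_by_author($author)
    {
        $sql = "SELECT * FROM posts WHERE author = ? AND status = ?";
        return $this->db->query($sql, array($author, 'live'))->result();
    }

    // LIKE needs one extra step: the binding escapes quotes but not the % and _
    // wildcards, so a search term of "100%" would otherwise match every title
    // starting with "100". escape_like_str() escapes those wildcards with the
    // "!" character, which the ESCAPE '!' clause tells MySQL to honour.
    public function search_titles($term)
    {
        $pattern = '%' . $this->db->escape_like_str($term) . '%';
        $sql = "SELECT * FROM posts WHERE title LIKE ? ESCAPE '!' AND status = ?";
        return $this->db->query($sql, array($pattern, 'live'))->result();
    }
}
```

The same applies to the Query Builder: $this->db->where('author', $author) escapes the value for you, while $this->db->like('title', $term) escapes the wildcards as well, so reach for the raw query() with bindings only when the Query Builder cannot express what you need.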

If you liked this tip, be sure to subscribe below and be the first to get my next tip…

How to PHP Security

How to protect your PHP source code with encryption?

Worried about giving away your PHP source code?

Want to protect your code when delivering it to a client's hosting when it's not paid for yet?

I know, as this has happened to me: I found a delivery of PHP code for sign-off encrypted, which I hadn't seen before. When we asked the company, they said they would remove the encryption upon final payment.

Encryption is definitely a useful tool for PHP developers. Make it a deliverable of your contract that the source code will be decrypted when paid for.

We also had another client who wanted to distribute PHP code on USB thumb sticks. Not recommended, but it is possible to run it like that, using a SQLite database. Given the accessibility of a USB thumb stick compared with a Linux server, we encrypted the PHP code.

Here are a couple of PHP encoders that we've used:

So encode, obfuscate and protect your code, if you feel the need to! Bear in mind that an encoded file still has to be decoded by the PHP loader on the target machine at run time, so this raises the effort of copying or reading the code rather than making it unreadable to a determined party.

Please leave a comment below or sign up for email updates on new blog posts.