1. <?php
  3. /**
  4. * Sanitizes and validates user input for internal use.
  5. *
  6. * @param string $input The user-provided input.
  7. * @param string $type The expected data type ('string', 'int', 'float', 'array').
  8. * @param string $name The name of the input field (for logging/debugging).
  9. * @param string $allowed_values (Optional) An array of allowed values.
  10. * @param string $error_message The message to display on validation failure.
  11. *
  12. * @return mixed The sanitized and validated input, or null on failure.
  13. */
  14. function sanitizeAndValidateInput(string $input, string $type, string $name, array $allowed_values = [], string $error_message = "Invalid input.") {
  16. // Sanitize input - remove potentially harmful characters.
  17. $sanitized_input = trim(htmlspecialchars($input));
  19. // Type validation.
  20. switch ($type) {
  21. case 'string':
  22. if (!is_string($sanitized_input)) {
  23. error_log("Invalid input type for field: " . $name . ". Expected string.");
  24. return null;
  25. }
  26. break;
  27. case 'int':
  28. if (!is_int($sanitized_input)) {
  29. error_log("Invalid input type for field: " . $name . ". Expected integer.");
  30. return null;
  31. }
  32. break;
  33. case 'float':
  34. if (!is_float($sanitized_input)) {
  35. error_log("Invalid input type for field: " . $name . ". Expected float.");
  36. return null;
  37. }
  38. break;
  39. case 'array':
  40. if (!is_array($sanitized_input)) {
  41. error_log("Invalid input type for field: " . $name . ". Expected array.");
  42. return null;
  43. }
  44. break;
  45. default:
  46. error_log("Invalid input type for field: " . $name . ". Unknown type: " . $type);
  47. return null;
  48. }
  50. // Check for empty input.
  51. if (empty($sanitized_input)) {
  52. error_log("Input for field: " . $name . " is empty.");
  53. return null;
  54. }
  56. // Validate against allowed values.
  57. if (!empty($allowed_values) && !in_array($sanitized_input, $allowed_values)) {
  58. error_log("Input for field: " . $name . " is not in the allowed values: " . json_encode($allowed_values));
  59. return null;
  60. }
  62. // Return the sanitized and validated input.
  63. return $sanitized_input;
  64. }
  66. // Example Usage:
  67. // $user_input = $_POST['username'];
  68. // $username = sanitizeAndValidateInput($user_input, 'string', 'username', [], 'Username is invalid.');
  70. ?>

Add your comment