Validation is the most secure way of protecting your website from rogue data. It’s just a simple check resulting in one of two conclusions: valid or invalid. If the data is valid, you proceed. If it’s invalid, you discard it.
It is secure because it’s strict: only the data you expect gets through. Examples of validation include checking whether a string is a valid email address, whether the value of a field is an integer greater than zero, or whether it is present in a statically defined array of allowed values.
There are a couple of types of validation:
- Safelist – compare data to a finite list of expected values.
- Blocklist – reject data that matches a finite list of known untrusted values. This is rarely a good idea, as you can’t predict every piece of bad data.
- Format detection – check the format of the data (e.g., is it a valid email address, phone number, zip code, etc.).
Validation should be done as soon as possible. It’s usually done with custom logic, although there are a few useful built-in functions, like is_email(), term_exists(), username_exists(), etc. Many checks, especially format detection, will require a regular expression via preg_match().
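As an added illustration (not code from the article), the following script validates one constructed form submission using all three approaches described above: a safelist, a positive-integer check, and format detection with PHP's email filter and preg_match(). It is plain PHP so it runs outside WordPress; in a plugin you would call is_email() for the address instead.

```php
<?php
// Added example, not code from the article: checking one constructed form
// submission with the three approaches the text describes. Plain PHP, so it
// runs outside WordPress; there you would call is_email() for the address.
// Constructed input, as $_POST delivers it (every value is a string).
$input = [
    'status'   => 'published',
    'quantity' => '12',
    'email'    => 'editor@example.com',
    'zip'      => '90210',
];

// Safelist: strict in_array, so "0" or "" never matches by loose comparison.
function valid_status(string $value): bool {
    return in_array($value, ['draft', 'published', 'archived'], true);
}

// Integer greater than zero; ctype_digit rejects "12abc", " 12", "1.5", "-3".
function valid_positive_int(string $value): bool {
    return ctype_digit($value) && (int) $value > 0;
}

// Format detection with PHP's built-in email filter.
function valid_email(string $value): bool {
    return filter_var($value, FILTER_VALIDATE_EMAIL) !== false;
}

// Format detection with preg_match: 5-digit zip, optional +4. The anchors and
// the /D modifier make the whole string match, so "90210<script>" fails.
function valid_zip(string $value): bool {
    return preg_match('/^\d{5}(-\d{4})?$/D', $value) === 1;
}

$checks = [
    'status'   => 'valid_status',
    'quantity' => 'valid_positive_int',
    'email'    => 'valid_email',
    'zip'      => 'valid_zip',
];

$errors = [];
foreach ($checks as $field => $check) {
    // A missing field is invalid too; never fall back to a default silently.
    if (!isset($input[$field]) || !$check($input[$field])) {
        $errors[] = $field;
    }
}

// Valid: proceed. Invalid: discard the request, naming the failed fields.
echo $errors ? 'Rejected: ' . implode(', ', $errors) : 'All fields valid', PHP_EOL;
```

Change any sample value (for example `'quantity' => '12abc'`) to see the request rejected as a whole rather than partially accepted.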