Blog

How to Validate Form URL/E-mail in PHP?

Form URL/E-mail in PHP is fundamental for web developers seeking seamless user interaction on their sites. By mastering this topic, programmers can solve common issues like malformed links, email submissions, and data handling errors. Curious to up your PHP game? Keep reading to demystify these vital concepts and enhance your coding prowess!

What Is Form Validation in PHP?

Definition

Form validation in PHP is the process of checking user input data to ensure it is correct, secure, and in the expected format before processing or storing it in a database.

When users submit a form (such as contact forms, login forms, or registration forms), PHP validates the input on the server to:

  • Ensure required fields are filled
  • Verify correct format (e.g., valid email or URL)
  • Prevent malicious data submission
  • Maintain application security

In simple terms, form validation ensures that the data coming into your application is clean, safe, and usable.

Client-Side vs Server-Side Validation

🔹 Client-Side Validation

Client-side validation happens in the browser before the form is submitted to the server. It is usually implemented using:

  • HTML5 validation attributes (required, type="email")
  • JavaScript validation

✔️ Advantages:

  • Faster feedback to users
  • Reduces unnecessary server requests
  • Improves user experience

❌ Limitations:

  • Can be bypassed easily
  • Not secure on its own
  • Users can disable JavaScript

🔹 Server-Side Validation

Server-side validation is performed after the form data is submitted to the server and processed using PHP.

✔️ Advantages:

  • Cannot be bypassed by users
  • Ensures application security
  • Protects database and backend systems

❌ Limitation:

  • Slightly slower than client-side validation (but essential)

Why Server-Side Validation Is Mandatory

Server-side validation is mandatory because client-side validation can be manipulated or completely bypassed.

If you rely only on browser validation:

  • Attackers can send crafted HTTP requests
  • Malicious scripts can inject harmful data
  • Database integrity can be compromised

Without server-side validation, your application becomes vulnerable to:

  • SQL injection attacks
  • Cross-Site Scripting (XSS)
  • Data corruption
  • Unauthorized access

👉Therefore, client-side validation improves usability, but server-side validation ensures security.

3️⃣ Why Validate URL and E-mail in PHP?

Validating URL and E-mail fields is especially important because these fields are common entry points for malicious input.

🔐 1. Prevent SQL Injection

If user input is inserted directly into SQL queries without validation and sanitization, attackers can inject malicious SQL code.

Validating and sanitizing email and URL inputs:

  • Ensures only properly formatted data is accepted
  • Reduces risk of malicious query manipulation
  • Protects your database from unauthorized access

🛡️ 2. Avoid XSS Attacks

Cross-Site Scripting (XSS) occurs when attackers inject malicious scripts into web pages.

Unvalidated URL or email fields can:

  • Contain embedded JavaScript
  • Execute harmful scripts in the browser
  • Steal user session data

Proper validation helps block invalid and dangerous input before it reaches the frontend.

📧 3. Ensure Correct Data Format

Validation ensures:

  • Email follows correct structure (example@domain.com)
  • URL includes valid protocol (http/https)
  • No invalid characters are accepted

This improves the reliability of your application.

📊 4. Improve Data Integrity

Clean and validated data:

  • Keeps your database consistent
  • Prevents duplicate or malformed entries
  • Makes data processing easier
  • Improves reporting accuracy

Accurate email and URL validation ensures your application runs smoothly and maintains high-quality data.

Validating E-mail in PHP

Validating email addresses in PHP ensures that users enter properly formatted and secure email data before processing or storing it.

Method 1: Using filter_var()

The most recommended and secure way to validate an email in PHP is using the built-in filter_var() function.

🔹 Syntax Explanation

filter_var($variable, FILTER_VALIDATE_EMAIL);
  • $variable → The email string to validate
  • FILTER_VALIDATE_EMAIL → Predefined PHP filter constant
  • Returns the validated email if valid
  • Returns false if invalid

🔹 Example Code

<?php
$email = "test@example.com";

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    echo "Valid Email Address";
} else {
    echo "Invalid Email Address";
}
?>

🔹 Output Explanation

If the email format is correct:

Valid Email Address

If incorrect (e.g., test@com):

Invalid Email Address

The function checks:

  • Proper username format
  • @ symbol presence
  • Valid domain structure

🔹 When to Use This Method

Use filter_var() when:

  • You want simple and reliable validation
  • You need built-in security
  • You prefer performance and readability
  • Standard email validation is sufficient

👉 This is the best practice method in most cases.

Method 2: Using Regular Expression (Regex)

Regex allows custom validation rules for email formats.

🔹 Pattern Explanation

Example regex pattern:

/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/

Breakdown:

  • ^ → Start of string
  • [a-zA-Z0-9._%+-]+ → Username part
  • @ → Required symbol
  • [a-zA-Z0-9.-]+ → Domain name
  • \. → Dot before extension
  • [a-zA-Z]{2,} → Domain extension (min 2 characters)
  • $ → End of string

🔹 Example Code

<?php
$email = "test@example.com";
$pattern = "/^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/";

if (preg_match($pattern, $email)) {
    echo "Valid Email Address";
} else {
    echo "Invalid Email Address";
}
?>

🔹 Pros and Cons

✅ Pros:

  • Customizable rules
  • More control over validation
  • Can enforce strict formats

❌ Cons:

  • More complex
  • Easy to make mistakes
  • Slower than filter_var()
  • May reject valid but uncommon emails

👉 Use regex only if you need custom validation rules.

Common Email Validation Mistakes

❌ 1. Not Trimming Whitespace

Users may accidentally add spaces.

Always use:

$email = trim($_POST['email']);

❌ 2. Not Sanitizing Input

Before validation, sanitize input:

$email = filter_var($email, FILTER_SANITIZE_EMAIL);

Sanitizing removes illegal characters.

❌ 3. Relying Only on Client-Side Validation

HTML validation like:

<input type="email" required>

can be bypassed.

👉 Always validate on the server using PHP.

Validating URL in PHP

Validating URLs ensures users provide proper website links and prevents malicious input.

Method 1: Using FILTER_VALIDATE_URL

This is the safest and easiest method.

🔹 Syntax Explanation

filter_var($url, FILTER_VALIDATE_URL);
  • $url → URL string
  • FILTER_VALIDATE_URL → Built-in validation filter
  • Returns URL if valid
  • Returns false if invalid

🔹 Example Code

<?php
$url = "https://example.com";

if (filter_var($url, FILTER_VALIDATE_URL)) {
    echo "Valid URL";
} else {
    echo "Invalid URL";
}
?>

🔹 Checking for Specific Protocols (HTTP/HTTPS)

To ensure only secure protocols:

<?php
$url = "https://example.com";

if (filter_var($url, FILTER_VALIDATE_URL) && 
    (str_starts_with($url, "http://") || str_starts_with($url, "https://"))) {
    echo "Valid HTTP/HTTPS URL";
} else {
    echo "Invalid URL";
}
?>

This prevents dangerous protocols like:

  • javascript:
  • ftp:

Method 2: Custom Regex for URL Validation

Use regex when you need strict custom URL validation.

🔹 Pattern Breakdown

Example pattern:

/^(https?:\/\/)?([\w\-]+\.)+[\w\-]+(\/[\w\- .\/?%&=]*)?$/

Explanation:

  • https?:// → http or https
  • ([\w\-]+\.)+ → Domain and subdomains
  • [\w\-]+ → Domain name
  • Optional path and parameters

🔹 Example Code

<?php
$url = "https://example.com";
$pattern = "/^(https?:\/\/)?([\w\-]+\.)+[\w\-]+(\/[\w\- .\/?%&=]*)?$/";

if (preg_match($pattern, $url)) {
    echo "Valid URL";
} else {
    echo "Invalid URL";
}
?>

🔹 When Regex Is Preferred

Use regex when:

  • You need to allow only specific domains
  • You want to restrict subdomains
  • You need strict format control
  • You’re building high-security applications

👉 For most applications, filter_var() is recommended.

Sanitizing Form URL/E-mail in PHP

Sanitization is the process of removing unwanted or illegal characters from user input before validation or storage.

  • Sanitizing cleans the data.
  • Validation checks whether the cleaned data is valid.

Both steps are essential for secure form handling.

Using FILTER_SANITIZE_EMAIL

This filter removes all illegal characters from an email address.

🔹 Syntax

filter_var($email, FILTER_SANITIZE_EMAIL);

🔹 Example

<?php
$email = " test<>@example.com ";
$email = trim($email); // Remove whitespace

$sanitizedEmail = filter_var($email, FILTER_SANITIZE_EMAIL);

echo $sanitizedEmail;
?>

Output

test@example.com

It removes:

  • Spaces
  • Special illegal characters
  • Invalid symbols

After sanitizing, you should validate:

if (filter_var($sanitizedEmail, FILTER_VALIDATE_EMAIL)) {
    echo "Valid Email";
} else {
    echo "Invalid Email";
}

Using FILTER_SANITIZE_URL

This filter removes illegal characters from a URL.

🔹 Syntax

filter_var($url, FILTER_SANITIZE_URL);

🔹 Example

<?php
$url = " https://example.com/test<> ";
$url = trim($url);

$sanitizedUrl = filter_var($url, FILTER_SANITIZE_URL);

echo $sanitizedUrl;
?>

Output

https://example.com/test

After sanitizing, validate it:

if (filter_var($sanitizedUrl, FILTER_VALIDATE_URL)) {
    echo "Valid URL";
} else {
    echo "Invalid URL";
}

🔎 Difference Between Sanitize and Validate

SanitizationValidation
Cleans input dataChecks correctness of data
Removes illegal charactersConfirms format is correct
Modifies the inputDoes NOT modify input
First stepSecond step

Example Flow

  1. Trim input
  2. Sanitize input
  3. Validate input
  4. Process/store data

👉 Always sanitize first, then validate.

Complete Working Example

Below is a complete working form example with:

  • HTML Form
  • PHP Validation Script
  • Error Handling
  • Success Message

HTML Form

<!DOCTYPE html>
<html>
<head>
    <title>Form URL/E-mail Validation</title>
</head>
<body>

<h2>Contact Form</h2>

<form method="POST" action="">
    Email: <br>
    <input type="text" name="email"><br><br>

    Website URL: <br>
    <input type="text" name="url"><br><br>

    <input type="submit" name="submit" value="Submit">
</form>

</body>
</html>

PHP Validation Script (Same File)

Add this PHP code at the top of the same file:

<?php
$emailError = $urlError = "";
$successMessage = "";

if (isset($_POST['submit'])) {

    // Trim inputs
    $email = trim($_POST['email']);
    $url = trim($_POST['url']);

    // Sanitize inputs
    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    $url = filter_var($url, FILTER_SANITIZE_URL);

    // Validate email
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $emailError = "Invalid Email Format";
    }

    // Validate URL
    if (!filter_var($url, FILTER_VALIDATE_URL)) {
        $urlError = "Invalid URL Format";
    }

    // If no errors
    if (empty($emailError) && empty($urlError)) {
        $successMessage = "Form submitted successfully!";
    }
}
?>

Display Error & Success Messages Inside HTML

Modify the form section like this:

Email: <br>
<input type="text" name="email">
<span style="color:red;"><?php echo $emailError; ?></span>
<br><br>

Website URL: <br>
<input type="text" name="url">
<span style="color:red;"><?php echo $urlError; ?></span>
<br><br>

<span style="color:green;"><?php echo $successMessage; ?></span>

🔐 What This Example Demonstrates

✔ Trimming input
✔ Sanitizing data
✔ Validating email and URL
✔ Handling errors properly
✔ Displaying success message
✔ Server-side validation

Real-Life Applications of Form URL/E-mail in PHP


  1. Customer Support at Amazon
    Amazon uses PHP form URL and email functionalities to streamline customer support. When a user fills out a contact form on their website, the data is sent via an email to the support team. It also includes a URL to the user’s order details.
    <?php
    $to = 'support@amazon.com';
    $subject = 'Customer Inquiry';
    $message = 'Customer ID: 12345. Click the following link to view details: https://www.amazon.com/order/12345';
    $headers = 'From: noreply@amazon.com';

    mail($to, $subject, $message, $headers);
    ?>
    This implementation helps Amazon quickly resolve issues by providing direct access to relevant order details right from the email.


  2. Newsletter Signups at Mailchimp
    Mailchimp uses PHP forms to manage new signups for their newsletters. Users enter details, which are emailed to the sales team, keeping them informed of new potential leads.
    <?php
    $to = 'sales@mailchimp.com';
    $subject = 'New Newsletter Signup';
    $message = 'New user subscribed: john.doe@mail.com';
    $headers = 'From: subscribe@mailchimp.com';

    mail($to, $subject, $message, $headers);
    ?>
    This system makes it easy for Mailchimp’s team to track engagement and expand their user base effectively.


  3. Event Registration at Eventbrite
    Eventbrite’s event registration forms utilize PHP to confirm bookings. When someone registers, a PHP form sends a confirmation email with a link to the event details.
    <?php
    $to = 'attendee@mail.com';
    $subject = 'Your Event Registration Confirmed';
    $message = 'Thank you for registering. View your event here: https://www.eventbrite.com/event/98765';
    $headers = 'From: events@eventbrite.com';

    mail($to, $subject, $message, $headers);
    ?>
    This approach enhances the attendee’s experience by ensuring they have all the information needed for the event right at their fingertips.

Security Best Practices for Form URL/E-mail in PHP

Proper validation and sanitization are not enough. You must follow security best practices to fully protect your application.

1. Always Validate on Server-Side

Client-side validation (HTML5 or JavaScript) improves user experience, but it is not secure.

Attackers can:

  • Disable JavaScript
  • Modify browser requests
  • Send custom HTTP requests
  • Bypass frontend validation completely

✔ Best Practice

Always:

  1. Trim input
  2. Sanitize input
  3. Validate input
  4. Escape output

Server-side validation in PHP ensures your application remains secure even if client-side validation is bypassed.

2. Escape Output Properly

Even after validation, you must escape user data before displaying it in HTML.

Failure to escape output can lead to Cross-Site Scripting (XSS) attacks.

🔹 Use htmlspecialchars()

echo htmlspecialchars($email, ENT_QUOTES, 'UTF-8');

Why This Is Important

If a user enters:

<script>alert("Hacked")</script>

Without escaping, it will execute in the browser.
With htmlspecialchars(), it becomes harmless text.

👉 Always escape output, especially when displaying user-submitted data.

3. Use HTTPS

Always serve forms over HTTPS.

Why?

  • Encrypts user data
  • Protects email and URL inputs
  • Prevents man-in-the-middle attacks
  • Builds user trust

Without HTTPS, attackers can intercept form submissions.

👉 Install an SSL certificate and force HTTPS redirection.

4. Implement CSRF Protection

CSRF (Cross-Site Request Forgery) attacks trick users into submitting forms without their knowledge.

🔹 Simple CSRF Token Example

Generate token:

session_start();
$_SESSION['token'] = bin2hex(random_bytes(32));

Add hidden field in form:

<input type="hidden" name="token" value="<?php echo $_SESSION['token']; ?>">

Verify on submission:

if (!hash_equals($_SESSION['token'], $_POST['token'])) {
    die("Invalid CSRF token");
}

👉 CSRF protection is critical for secure form handling.

5. Limit Allowed Protocols

When validating URLs, restrict allowed protocols.

Avoid accepting:

  • javascript:
  • data:
  • ftp:
  • file:

Allow only:

  • http://
  • https://

Example:

if (filter_var($url, FILTER_VALIDATE_URL) &&
    (str_starts_with($url, "http://") || str_starts_with($url, "https://"))) {
    echo "Valid Secure URL";
}

This prevents malicious URL injections.

Performance Considerations

When handling form validation at scale, performance matters.

⚡ filter_var() vs Regex Performance

🔹 filter_var()

✔ Built-in PHP function
✔ Written in C (faster execution)
✔ Optimized internally
✔ Recommended for most use cases

🔹 Regex (preg_match)

✔ More flexible
✔ Custom validation rules
❌ Slightly slower
❌ More CPU intensive
❌ Complex patterns can reduce performance

Conclusion

For most applications:

👉 Use filter_var() for better performance and readability.
Use regex only when strict custom rules are required.

Handling Large-Scale Form Submissions

If your application handles:

  • High traffic
  • Bulk submissions
  • API-based form processing

Follow these best practices:

✔ Use Efficient Validation

Avoid overly complex regex patterns.

✔ Implement Rate Limiting

Prevent spam submissions.

✔ Use Database Indexing

If storing emails, index the column to improve lookup speed.

✔ Queue Heavy Processing

For large systems, use background jobs for email verification or processing.

⚙ Error Handling Optimization

Good error handling improves both performance and user experience.

✔ Avoid Repeated Validation

Store validation result instead of re-checking multiple times.

✔ Provide Clear Error Messages

Example:

  • “Invalid email format.”
  • “URL must start with http or https.”

✔ Do Not Expose Internal Errors

Avoid showing raw PHP warnings to users.

Instead of:

echo $exception->getMessage();

Use:

echo "Something went wrong. Please try again.";

Log detailed errors internally.

🔐 Final Recommendation

For secure and efficient Form URL/E-mail validation in PHP:

✔ Trim → Sanitize → Validate → Escape
✔ Always validate server-side
✔ Use HTTPS
✔ Implement CSRF protection
✔ Prefer filter_var() for performance
✔ Restrict URL protocols

Form URL/E-mail in PHP Handling Questions

  1. How can I use PHP to create a URL from form data without reloading the page?
    You can achieve this by using AJAX along with PHP. AJAX allows you to send form data to the server asynchronously and receive a generated URL without a page refresh. Use the following JavaScript and PHP snippet. 
    
// JavaScript AJAX call
$.ajax({
  type: "POST",
  url: "generate_url.php",
  data: $('#form').serialize(),
  success: function(response) {
    console.log("Generated URL: " + response);
  }
});

    And in your PHP file: 
    
// PHP (generate_url.php)
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  $data = $_POST['data']; // Assuming 'data' is your form field
  $url = "https://example.com/?" . http_build_query(['data' => $data]);
  echo $url;
}

  2. Can I extract email addresses using PHP from a string?
    Yes, you can use regular expressions in PHP to extract email addresses from a string. Here’s an example: 
    
$text = "Hello, contact me at example@example.com or admin@website.org";
preg_match_all('/[a-z0-9_.-]+@[a-z0-9.-]+.[a-z]{2,6}/i', $text, $matches);
print_r($matches[0]);  // Array of email addresses found

  3. What are some common security pitfalls when handling email addresses in PHP forms?
    Common security issues include SQL injection and email header injection. Always sanitize inputs and validate email formats using filter_var: 
    
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL);
if ($email) {
  echo "Valid email format.";
} else {
  echo "Invalid email format.";
}

  4. How can I validate if a URL is properly formatted in PHP?
    You can use the FILTER_VALIDATE_URL filter to check if a URL is well-formed: 
    
$url = "https://www.example.com";
if (filter_var($url, FILTER_VALIDATE_URL)) {
  echo "URL is valid.";
} else {
  echo "URL is not valid.";
}

  5. How to handle multiple form submissions for URL and email in PHP?
    You can check if the form has been submitted using a timestamp or token: 
    
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
  if (!empty($_SESSION['token']) && $_SESSION['token'] === $_POST['token']) {
    echo "Form already submitted.";
  } else {
    $_SESSION['token'] = $_POST['token'];
    // Process the form
  }
}

Our AI-powered php online compiler offers a seamless coding experience. Instantly write, run, and test your ‘php’ code with the help of AI. It’s designed to streamline your coding process, making it quicker and more efficient. Try it out, and see the difference AI can make!

Conclusion

‘Form URL/E-mail in PHP’ is a fantastic way to hone your web development skills. By mastering this, you can handle data effortlessly. Imagine the thrill. So why not give it a shot? For more programming resources, explore Newtum. Dive in and feel accomplished!

Edited and Compiled by

This article was compiled and edited by @rasikadeshpande, who has over 4 years of experience in writing. She’s passionate about helping beginners understand technical topics in a more interactive way.

About The Author

Sakshi Shelar

See author's posts