I have very limited experience with PHP and I'm really hoping someone can help me.
What I want to do is sanitize/validate the phone number input so that only numbers are allowed.
I think I need to use FILTER_SANITIZE_NUMBER_INT but I'm not sure where or how to use it.
Here is my code:
<?php
// Replace the email address with the one that should receive the contact form inquiries.
define('TO_EMAIL', '########');

$aErrors = array();
$aResults = array();

/* Functions */
function stripslashes_if_required($sContent) {
    if(get_magic_quotes_gpc()) {
        return stripslashes($sContent);
    } else {
        return $sContent;
    }
}

function get_current_url_path() {
    $sPageUrl = "http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];
    $count = strlen(basename($sPageUrl));
    $sPagePath = substr($sPageUrl,0, -$count);
    return $sPagePath;
}

function output($aErrors = array(), $aResults = array()){ // Output JSON
    $bFormSent = empty($aErrors) ? true : false;
    $aCombinedData = array(
        'bFormSent' => $bFormSent,
        'aErrors' => $aErrors,
        'aResults' => $aResults
    );
    header('Content-type: application/json');
    echo json_encode($aCombinedData);
    exit;
}

// Check supported version of PHP
if (version_compare(PHP_VERSION, '5.2.0', '<')) { // PHP 5.2 is required for the safety filters used in this script
    $aErrors[] = 'Unsupported PHP version. <br /><em>Minimum requirement is 5.2.<br />Your version is '. PHP_VERSION .'.</em>';
    output($aErrors);
}

if (!empty($_POST)) { // Form posted?
    // Get a safe-sanitized version of the posted data
    $sFromEmail = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    $sFromName = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW);

    $sMessage = "Name: ".stripslashes_if_required($_POST['name']);
    $sMessage .= "\r\nEmail: ".stripslashes_if_required($_POST['email']);
    $sMessage .= "\r\nBusiness: ".stripslashes_if_required($_POST['business']);
    $sMessage .= "\r\nAddress: ".stripslashes_if_required($_POST['address']);
    $sMessage .= "\r\nPhone: ".stripslashes_if_required($_POST['phone']);
    $sMessage .= "\r\nMessage: ".stripslashes_if_required($_POST['message']);
    $sMessage .= "\r\n--\r\nEmail sent from ". get_current_url_path();

    $sHeaders = "From: '$sFromName' <$sFromEmail>"."\r\n";
    $sHeaders .= "Reply-To: '$sFromName' <$sFromEmail>";

    if (filter_var($sFromEmail, FILTER_VALIDATE_EMAIL)) { // Valid email format?
        $bMailSent = mail(TO_EMAIL, "New inquiry from $sFromName", $sMessage, $sHeaders);
        if ($bMailSent) {
            $aResults[] = "Message sent, thank you!";
        } else {
            $aErrors[] = "Message not sent, please try again later.";
        }
    } else {
        $aErrors[] = 'Invalid email address.';
    }
} else { // Nothing posted
    $aErrors[] = 'Empty data submited.';
}

output($aErrors, $aResults);
Phone number validation is the process of checking if a phone number is accurate. It lets you find out if the phone number you have for a business contact or customer is active and able to receive calls.
Sanitizing data means removing any illegal characters from the data. Sanitizing user input is one of the most common tasks in a web application. To make this task easier, PHP provides a native filter extension that you can use to sanitize data such as e-mail addresses, URLs, IP addresses, etc.
Have you looked into PHP's preg_replace function? You can strip out any non-numeric character by using preg_replace('/[^0-9]/', '', $_POST['phone']).
Once you filter out the character data, you can always check to see if it is of a desired length:
$phone = preg_replace('/[^0-9]/', '', $_POST['phone']);
if (strlen($phone) === 10) {
    // Phone is 10 characters in length (###) ###-####
}
You can also use PHP's preg_match function as discussed in this other SO question.
There are a couple of ways to do it... examples:
// If you want to clean the variable so that only + - and 0-9 can be in it you can:
$number = filter_var($number, FILTER_SANITIZE_NUMBER_INT);

// If you want to clean it up manually you can:
$phone = preg_replace('/[^0-9+-]/', '', $_POST['phone']);

// If you want to check the length of the phone number and that it's valid you can:
if (strlen($_POST['phone']) === 10) {
    // The "+" quantifier makes the pattern cover the whole string, not a single character
    if (!preg_match('/^[0-9+-]+$/', $_POST['phone'])) {
        // error
    } else {
        // good
    }
}
Obviously some edits may need to be made dependent on the country and other misc factors.
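The following is an added example, not code from the question or from either answer. It shows where the sanitizing step fits in the question's handler and why FILTER_SANITIZE_NUMBER_INT alone is not a validity check. normalize_phone() is a hypothetical helper, the 10-digit rule is the assumption used in the answers above, and the sample inputs are constructed.

```php
<?php
/**
 * Hypothetical helper: returns the phone number as exactly 10 digits,
 * or null when the input cannot be accepted.
 */
function normalize_phone($raw)
{
    // A field posted as phone[]=... arrives as an array, not a string.
    if (!is_string($raw)) {
        return null;
    }
    // FILTER_SANITIZE_NUMBER_INT keeps digits plus "+" and "-",
    // so a value like "+-+-" passes through it untouched.
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);
    if ($sanitized === false) {
        return null;
    }
    // Drop the remaining "+" and "-" so only digits are left.
    $digits = preg_replace('/[^0-9]/', '', $sanitized);
    // Validate the whole string; \A and \z anchor without the trailing
    // newline that "$" would tolerate.
    return preg_match('/\A[0-9]{10}\z/', $digits) === 1 ? $digits : null;
}

// Constructed sample inputs.
$samples = array(
    '(555) 867-5309',       // formatted number
    '555-867-5309 ext. 2',  // 11 digits once the text is stripped
    '+-+-',                 // survives the sanitize filter, has no digits
    array('5558675309'),    // array submitted via phone[]=
);
foreach ($samples as $sample) {
    echo json_encode($sample), ' => ', var_export(normalize_phone($sample), true), "\n";
}

// In the question's handler, this would replace the raw $_POST['phone'] line:
//   $sPhone = normalize_phone(isset($_POST['phone']) ? $_POST['phone'] : null);
//   if ($sPhone === null) { $aErrors[] = 'Invalid phone number.'; }
//   $sMessage .= "\r\nPhone: " . $sPhone;
```

Sanitizing first and validating second means the value written into the email body is the normalized one, never the raw POST data.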