In addition to sanitizing data that is displayed to the user, we always need to sanitize all data before storing it in our own databases. There are serious security concerns with storing data in a database—attempting to store unsanitized inputs into a database can allow a bad actor to corrupt or gain access to sensitive information. To sanitize for back-end security, we will use the methods discussed earlier in this lesson.

We’ll also want to sanitize the formatting: make sure the data stored in our database follows consistent formatting. If we’re going to be displaying or using the data, we’ll want to make sure it always looks the same. So even though we may want to let users input their phone numbers with or without parentheses or dashes, when we store it in the database, we’ll want to change all phone numbers to the same format.

To sanitize data formatting, we can use the built-in preg_replace() function. The preg_replace() takes a regular expression, some replacement text, and a subject string; First, It searches through the subject string for instances that match the regular expression. Then, it outputs a copy of the subject string that has the matched instances replaced by the replacement string:

$one = "codeacademy"; $two = "CodeAcademy"; $three = "code academy"; $four = "Code Academy"; $pattern = "/[cC]ode\s*[aA]cademy/"; $codecademy = "Codecademy"; echo preg_replace($pattern, $codecademy, $one); // Prints: Codecademy echo preg_replace($pattern, $codecademy, $two); // Prints: Codecademy echo preg_replace($pattern, $codecademy, $three); // Prints: Codecademy echo preg_replace($pattern, $codecademy, $four); // Prints: Codecademy

In the above code, we used the regular expression /[cC]ode\s*[aA]cademy/ which matches most of the common ways people misspell Codecademy. The replacement string is the proper formatting, "Codecademy", meaning that we replaced the matching misspelled versions with the correct spelling and format. Using preg_replace(), we were able to transform the four versions of our company name to the correct version: "Codecademy".

Let’s practice!



North American 10-digit phone numbers can be formatted a number of ways: XXX-XXX-XXXX, (XXX) XXX-XXXX, XXX.XXX.XXXX and so on.

We’re creating a form to collect names and phone numbers. Once collected, we want to save the phone numbers to our “database” (here the $contacts array). We’ll need all the phone numbers to be formatted in the exact same way so that we can use them consistently throughout our application. However, we want users to be able to input their phone number in whatever way they prefer.

In these tasks, you’ll be creating the logic to sanitize and validate a user-submitted phone number and then store it in the $contacts array.

Take a look at the provided code, and test out the form to see how it’s working so far.


Add the following logic to the provided if block so that the following steps take place when the form is submitted:

  • Check that $number is fewer than 30 characters.
  • If it’s greater than 30 characters, assign $message the value of $validation_error.
  • If $number is fewer than 30 characters, use the preg_replace() function to remove any character that is NOT the numbers 0 to 9. (The pattern "/[^0-9]/" will match any character besides those numbers, you’ll want to remove them by “replacing” them with an empty string: "").
  • Check that the newly formatted phone number is exactly 10 characters.
  • If the newly formatted phone number is 10 characters, add the key=>value pair of the user’s name as the key and the reformatted number as the value.
  • If the newly formatted phone number is 10 characters, you should also assign $message the string value "Thanks ${name}, we'll be in touch.".
  • If the newly formatted phone number is NOT 10 characters, assign $message the value of $validation_error.

Great work! Check your form to make sure everything is working properly.

Take this course for free

Mini Info Outline Icon
By signing up for Codecademy, you agree to Codecademy's Terms of Service & Privacy Policy.

Or sign up using:

Already have an account?