By input validation we mean checking any data that comes from the user before using it. This is the most basic, and most often overlooked, layer of protection. Many developers think "I trust the user" or "I checked it on the front end, that's enough". Both are wrong: the user should never be trusted, and front-end checks are easily bypassed by an attacker.
Whitelist vs Blacklist
There are two main approaches to validation: whitelist (allowed list) and blacklist (forbidden list). With a blacklist you say "these characters are dangerous, I reject them". This approach is weak because you cannot know every dangerous character; attackers keep finding new ways around it. With a whitelist you say "I allow only these characters", which is much safer. For example, for a phone number you allow only digits and the "+" sign; for an email address you use PHP's filter_var() function.
Server-side validation is mandatory
Front-end checking with JavaScript is useful, but only for improving the user experience. From a security perspective it gives nothing, because an attacker can disable JavaScript in the browser or send HTTP requests directly. Therefore every validation must be repeated on the server side. This looks like double work, but it is mandatory: without server-side validation no program can be safe.
Validation by data type
Each data type has its own validation rules. For email, filter_var($email, FILTER_VALIDATE_EMAIL) is used; for URLs, FILTER_VALIDATE_URL; for numbers, is_numeric() or ctype_digit(); for dates, the DateTime class; for phone numbers, a regex check. Length also needs to be checked: overly long text can itself be a threat (denial of service).
File upload — special danger
Files uploaded by users are one of the biggest sources of danger. You cannot rely on the file extension alone, because an attacker can give a .php file a .jpg extension. Therefore you need to check the file type by its MIME type. In addition, limit the file size, rename the file, and store it outside the web root.
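The whitelist rules from the sections above (email, phone, number, date) together with the upload checks, written out as an added example; this is not code from the original article or from Sayt.uz, and the function names, the $uploadDir parameter and the length and size limits are assumptions:

```php
<?php
// Added example (not from the original article): whitelist validation
// helpers for the data types discussed above, plus a server-side upload check.
// Function names, the $uploadDir parameter and the limits are assumptions.

function validateEmail(string $v): ?string {
    $v = trim($v);
    // FILTER_VALIDATE_EMAIL returns the value on success, false otherwise
    return (strlen($v) <= 254 && filter_var($v, FILTER_VALIDATE_EMAIL) !== false) ? $v : null;
}

function validatePhone(string $v): ?string {
    // Whitelist: optional leading "+", then 7 to 15 digits (E.164 length limit)
    return preg_match('/^\+?[0-9]{7,15}$/', $v) === 1 ? $v : null;
}

function validatePositiveInt(string $v, int $max = PHP_INT_MAX): ?int {
    // ctype_digit rejects signs, spaces and decimals; the length cap avoids overflow
    if (!ctype_digit($v) || strlen($v) > 18) { return null; }
    $n = (int)$v;
    return $n <= $max ? $n : null;
}

function validateDate(string $v): ?string {
    // createFromFormat alone accepts "2024-02-31" (it rolls over); compare the round-trip
    $d = DateTime::createFromFormat('Y-m-d', $v);
    return ($d !== false && $d->format('Y-m-d') === $v) ? $v : null;
}

function storeUpload(array $file, string $uploadDir): ?string {
    // $file is one entry of $_FILES; $uploadDir must be outside the web root
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png'];
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > 2 * 1024 * 1024) { return null; }
    // Detect the type from the bytes on disk; $file['type'] is whatever the browser sent
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) { return null; }
    // Discard the client-supplied name entirely and pick a random one
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    return move_uploaded_file($file['tmp_name'], $dest) ? $name : null;
}
```

Each helper returns null on rejection, so the caller can answer with a 400 instead of passing unvalidated data further.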
Sayt.uz practice
On the Sayt.uz platform every form is checked on the server side. Email, phone, password strength, file type and size: everything is validated with the whitelist approach. By hosting your site on Sayt.uz hosting, you can ensure full security through a domain and an SSL certificate.