PHP Form Input Filtering

Backend · unresolved · 3 answers · 1430 views
逝去的感伤 · 2021-02-11 06:24

I am a PHP newbie and am working on a basic form validation script. I understand that input filtering and output escaping are both vital for security reasons. My question is whe

3 answers
  •  天命终不由人
    2021-02-11 06:52

    I understand that input filtering ... is vital for security reasons.

    This is a wrong statement.
    Although it can be right in some circumstances, in such a generalised form it does no good but gives a false feeling of safety.

    all I need to do is sanitize it.

    There is no such thing as "general sanitizing". You have to understand each particular case and its limitations. For example, for the database you need to use several different sanitization techniques, not one, while for filenames it is going to be a completely different one.

    I am using prepared statements for my database interaction.

    Thus, you should not touch the data at all. Just leave it as is.

    Here is the (slightly cleaned up) code:

    It seems there is some overkill in your code.
    You are cleaning your HTML data twice, while it is possible that you won't need it at all, and for some reason you are raising an error on success.

    I'd rather do it this way:

    ```php
    $formerrors = '';
    // Validate: collect a message for each field that fails its rule.
    if ($_POST['fname'] == "") {
        $formerrors .= "Please enter a valid first name.\n";
    }
    // Only if validation passed, build an HTML-escaped copy for output.
    if (!$formerrors) {
        $html = array();
        foreach ($_POST as $key => $val) {
            $html[$key] = htmlspecialchars($val, ENT_QUOTES);
        }
    }
    ```
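The answer's point is that "sanitizing" is not one operation: the same value is handled differently depending on where it ends up. The script below is an added example, not code from the question or the answer. It runs stand-alone against an in-memory SQLite database through PDO, and the sample input, the validation rules, the `h()` and `safeUploadPath()` helpers and the upload directory are all assumptions made for the illustration.

```php
<?php
// Added example: validate at input time, then escape per output context.
// Run with: php example.php   (needs PHP 8 with pdo_sqlite)
declare(strict_types=1);

// Constructed sample input standing in for $_POST.
$input = [
    'fname' => "O'Brien <script>alert(1)</script>",
    'file'  => '../../etc/passwd',
];

// 1. Validation: reject what does not fit the field's meaning.
//    The rules here (non-empty, at most 64 bytes) are assumptions.
$errors = [];
if (!isset($input['fname']) || trim($input['fname']) === '') {
    $errors[] = 'Please enter a valid first name.';
} elseif (strlen($input['fname']) > 64) {
    $errors[] = 'First name is too long.';
}
if ($errors) {
    foreach ($errors as $e) {
        echo $e, "\n";
    }
    exit(1);
}

// 2. Database context: a prepared statement. The value goes in untouched;
//    the driver keeps it separate from the SQL text, so nothing is "cleaned".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, fname TEXT NOT NULL)');
$stmt = $pdo->prepare('INSERT INTO users (fname) VALUES (:fname)');
$stmt->execute([':fname' => $input['fname']]);

$row = $pdo->query('SELECT fname FROM users')->fetch(PDO::FETCH_ASSOC);
// Stored verbatim, quote and angle brackets included.
assert($row['fname'] === $input['fname']);

// 3. HTML context: escape at render time, never when storing.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
echo '<p>Hello, ' . h($row['fname']) . "</p>\n";
// Prints: <p>Hello, O&#039;Brien &lt;script&gt;alert(1)&lt;/script&gt;</p>

// 4. Filename context: escaping does not apply here at all. Constrain the
//    name to an allow-list and pin it under a fixed directory (assumed path).
function safeUploadPath(string $baseDir, string $name): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $name) || str_contains($name, '..')) {
        return null;
    }
    return $baseDir . DIRECTORY_SEPARATOR . $name;
}
var_dump(safeUploadPath('/var/app/uploads', $input['file']));  // NULL: rejected
var_dump(safeUploadPath('/var/app/uploads', 'avatar.png'));    // "/var/app/uploads/avatar.png"
```

The same first name is passed to the database as-is, escaped only when it is written into HTML, and would need a completely different rule if it were ever used as a filename; that is what "no general sanitizing" means in practice.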
