When is filter_input() used versus filter_var()?

I traditionally use a filter_var() function for sanitizing $_GET and $_POST data, such as:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

but PHP also has a function filter_input(), which has a different syntax to accomplish the same thing:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Are these just synonyms? Is there an advantage to using one over the other?

I have checked the man pages, but I don't see a lot of difference (only whether/how an error is reported). Semantically/best practice, what makes the most sense?

Sablefoste asked Oct 26 '16 18:10

1 Answer

One of the main differences is how they handle undefined variables/indexes. If $_GET['foo'] doesn't exist:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

Returns an empty string "" and generates:

Notice: Undefined index: foo

So you would normally need to wrap this in an if(isset($_GET['foo'])).

Whereas:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Returns NULL and does not generate an error.

Note: The filter_input function does not operate on the current $_GET and $_POST superglobals, rather it is prepopulated and independent of those arrays.

If $_GET['foo'] does not exist but is created in the script, it will not be seen by filter_input:

$_GET['foo'] = 1;
$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Will return null.

AbraCadaver answered Oct 17 '22 02:10
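An added example, not taken from the question or the answer above, showing how the two functions are typically wrapped so that the "absent" and "invalid" cases described in the answer are handled in one place; the helper names readIntParam and readIntFrom are assumed, and FILTER_VALIDATE_INT is used instead of the sanitize filter because a sanitized value is silently altered rather than rejected.

```php
<?php
// Added example (not the question's or the answer's code).
declare(strict_types=1);

/**
 * Read an integer query parameter within [$min, $max] via filter_input().
 * filter_input() has three outcomes: the value, false (present but fails
 * the filter) and null (parameter not in the original request). Both
 * failure cases are folded into null so callers handle one case.
 */
function readIntParam(string $name, int $min, int $max): ?int
{
    $value = filter_input(INPUT_GET, $name, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    if ($value === null || $value === false) {
        return null;
    }
    return $value;
}

/**
 * Same check with filter_var() against an array you hold yourself
 * (e.g. a decoded JSON body). filter_var() needs the existence check
 * that filter_input() does for you; `??` avoids the undefined-index notice.
 */
function readIntFrom(array $source, string $name, int $min, int $max): ?int
{
    $raw = $source[$name] ?? null;
    if ($raw === null) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Why validate rather than sanitize: FILTER_SANITIZE_NUMBER_INT strips
// the letters from "12abc" and hands back the remaining digits, so a
// malformed value turns into a plausible one; FILTER_VALIDATE_INT rejects
// the whole value, which is what you want for an id or page number.
$sanitized = filter_var('12abc', FILTER_SANITIZE_NUMBER_INT);
$validated = filter_var('12abc', FILTER_VALIDATE_INT);

// Typical use: fall back to a default when absent or invalid.
$page = readIntParam('page', 1, 1000) ?? 1;
// Constructed input standing in for a decoded request body.
$id = readIntFrom(['id' => '42'], 'id', 1, PHP_INT_MAX);
```

Because filter_input() reads the request as it arrived, assigning to $_GET in a test harness will not be seen by readIntParam(); readIntFrom() is the variant to use when the source array is built inside the script.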