When is filter_input() used versus filter_var()?

Question

I traditionally use a filter_var() function for sanitizing $_GET and $_POST data, such as:

 $foo =  filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

but PHP also has a function filter_input(), which has a different syntax to accomplish the same thing:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Are these just synonyms? Is there an advantage to using one over the other?

I have checked the man pages, but I don't see a lot of difference (only whether/how an error is reported). Semantically/best practice, what makes the most sense?

Answer 1

One of the main differences is how they handle undefined variables/indexes. If $_GET['foo'] doesn't exist:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

Returns an empty string "" and generates:

Notice: Undefined index: foo

So you would normally need to wrap this in a if(isset($_GET['foo'])).

Whereas:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Returns NULL and does not generate an error.

Note: The filter_input function does not operate on the current $_GET and $_POST superglobals, rather it is prepopulated and independent of those arrays.

If $_GET['foo'] does not exist but is created in the script, it will not be seen by filter_input:

$_GET['foo'] = 1;
$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Will return null.