Why is it better to use filter_input()?

This should be an elementary question, but why is it better to use something like this:

$pwd = filter_input(INPUT_POST, 'pwd');

Instead of just:

$pwd = $_POST['pwd'];

PS: I understand that the filter extension can be used with more arguments to provide an additional level of sanitization.

Alix Axel asked Apr 20 '09 14:04


2 Answers

Any data which is sent from the client (such as POST data) should be sanitized and escaped (and even better, sanity-checked) to ensure that it isn't going to kill your website.

SQL Injection and Cross-site scripting are the two largest threats for failing to sanitize your user-sent data.

Ben S answered Sep 18 '22 11:09


It's not. $_GET, $_POST, $_COOKIE and $_REQUEST are filtered with the default filter. filter_input(INPUT_POST, 'pwd') without additional parameters also uses the default filter. So there is no difference at all.

vartec answered Sep 17 '22 11:09
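Added example, not part of the question or either answer: the default filter (`FILTER_DEFAULT`, which is `FILTER_UNSAFE_RAW`) returns the value unchanged, while explicit validation filters reject bad input and distinguish a missing field (`null`) from an invalid one (`false`). It uses `filter_var()` and `filter_var_array()` on a constructed array so it runs from the command line; `filter_input(INPUT_POST, ...)` accepts the same filter and options arguments. The field names `age`, `email` and `token` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample of submitted form fields (stands in for a POST body).
$post = [
    'pwd'   => "p@ss<b>'word",
    'age'   => '17; DROP',
    'email' => 'alice@example.com',
    // 'token' is deliberately absent
];

// 1. Default filter: the value comes back byte-for-byte identical,
//    so it gives no protection beyond reading $_POST['pwd'] directly.
$raw = filter_var($post['pwd'], FILTER_DEFAULT);
echo 'default filter changed the value: ',
     ($raw === $post['pwd'] ? 'no' : 'yes'), PHP_EOL;

// 2. Explicit filters per field. The equivalent single-field call would be
//    filter_input(INPUT_POST, 'age', FILTER_VALIDATE_INT, ['options' => [...]]).
$spec = [
    'pwd'   => FILTER_UNSAFE_RAW,
    'age'   => [
        'filter'  => FILTER_VALIDATE_INT,
        'options' => ['min_range' => 0, 'max_range' => 150],
    ],
    'email' => FILTER_VALIDATE_EMAIL,
    'token' => FILTER_UNSAFE_RAW,
];
$clean = filter_var_array($post, $spec);

// 3. null means the field was not sent, false means it failed validation.
$errors = [];
foreach ($clean as $field => $value) {
    if ($value === null) {
        $errors[$field] = 'missing';
    } elseif ($value === false) {
        $errors[$field] = 'invalid';
    }
}

var_dump($clean);
var_dump($errors);
```

Unlike `$_POST['token']`, which raises an undefined-key warning when the field is absent, the filter functions return `null` for it without a warning.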