What is the difference between `filter_var` and `filter_input`?

What’s the difference between filter_var and filter_input? I can’t find it anywhere, at least not in a way I understand.

And how can I replace mysql_real_escape_string by one of them?

$password = mysql_real_escape_string($_POST['password']);

1 answer

Filter_input and filter_var functions:

The basic difference is that the filter_input plays the role of filter_var, but already picking from an input variable (such as GET or POST).

This code right here...

$email = $_POST['email'];
$resultado = filter_var( $email, FILTER_VALIDATE_EMAIL );

does the same thing as this:

$resultado = filter_input( INPUT_POST, 'email', FILTER_VALIDATE_EMAIL );

For available filters, see the PHP manual: Filter types


Function mysql_real_escape_string:

The mysql_real_escape_string() function is for something completely different: it sanitizes data for entry into MySQL table fields. Its purpose is more specific, but it is an obsolete function, just like the entire mysql_ library.

To replace the latter, use for example the mysqli library; see this issue here.


In short:

  • If you want to filter an existing variable, use filter_var;

  • if filtering a GET or POST value, for example, use filter_input;

  • if you are going to filter a value to insert into MySQL, replace the mysql_ library's mysql_real_escape_string with mysqli_ and bound parameters.

filter_input and filter_var are not substitutes for mysql_real_escape_string.

  • For a login page, would filter_input be more appropriate?

    @Lukaz11 If you are going to use the variable in a query (SELECT or INSERT something), it must be mysqli_ or mysql_real_escape_string. If you are going to use it to validate an email for something else (display on page), it can be filter_input or filter_var; then the most appropriate one depends on where the variable comes from. Nothing prevents you from using the filter to validate the email in PHP and then using mysqli_ to store it correctly. It depends a lot on your code. Take a look at the link I put on bind parameters; there is an answer there that explains how to use mysqli.
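As an added example (not code from the question or the answer above), here is how the three points of the summary fit together on the login page the comment asks about: filter_input reads the POST field, filter_var checks a value already in hand, and a mysqli prepared statement with bind_param() takes the place of mysql_real_escape_string(). It assumes a `users` table with `email` and `password_hash` columns (hashes produced by password_hash()) and placeholder connection details.

```php
<?php
// Added example: validate login input with the filter functions, then query
// MySQL through a mysqli prepared statement instead of mysql_real_escape_string().
// Assumptions: a `users` table with `email` and `password_hash` columns, and
// placeholder connection parameters.

// 1) filter_input: read and validate straight from the POST superglobal.
//    Returns null if the key is missing, false if validation fails.
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

// 2) filter_var: the same kind of validation applied to a variable already held.
//    Here only the length is checked (8 to 72 bytes, the bcrypt input limit).
$password   = $_POST['password'] ?? '';
$passwordOk = filter_var($password, FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^.{8,72}$/s']]);

// Reject the request before touching the database if either check failed.
if ($email === null || $email === false || $passwordOk === false) {
    http_response_code(400);
    exit('Invalid login data.');
}

// 3) mysqli with a bound parameter: the value travels separately from the SQL
//    text, so user input never needs escaping into the query string.
$mysqli = new mysqli('db-host', 'db-user', 'db-pass', 'app'); // placeholders
if ($mysqli->connect_error) {
    exit('Database connection failed.');
}

$stmt = $mysqli->prepare('SELECT password_hash FROM users WHERE email = ? LIMIT 1');
if ($stmt === false) {
    exit('Failed to prepare statement.');
}
$stmt->bind_param('s', $email);   // 's' = bind as a string
$stmt->execute();
$stmt->bind_result($storedHash);
$found = $stmt->fetch();
$stmt->close();

// Compare against the stored password_hash() digest rather than a plaintext value.
if ($found && password_verify($password, $storedHash)) {
    echo 'Login OK';
} else {
    echo 'Login failed';
}
```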
