What is the purpose of using the filter_input function


Why is it safer to use the function filter_input than to simply use the global variables ($_SERVER, $_GET, $_POST)?

  • Safety against code injection attacks, or good practice to avoid warnings?

  • Security against SQL injection.

  • I’m trying to avoid SQL injection. Can someone help me use filter_input?

1 answer



Reference to filter: http://www.php.net/manual/en/filter.filters.sanitize.php

My opinion is that you should always use it (the filter extension in general). There are at least three reasons for this:

1 - Filtering data entry is something you should always do. Since the function gives you this ability there is really no reason to find other ways of ingress sanitization. Since it is a filter extension it will also be much faster and probably safer than most PHP solutions out there, which certainly doesn’t hurt. The only exception is if you need a more specialized filter. Even so, you should pick up the value using the FILTER_UNSAFE_RAW filter.

2 - There are a lot of things in the filter extension. It can save you hours of writing filters and validation code. Of course, it doesn’t cover every case.

3 - Using the function is very good for when you are debugging your code. When the function is used you know exactly what the input will be. For example, if you use the FILTER_SANITIZE_NUMBER_INT filter, then you can be sure that the input will be a number - no SQL injection, no HTML or JavaScript code, etc.
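As an added example (not code from the question or the answer above), the following script contrasts a sanitizing filter, which strips characters, with a validating filter, which rejects bad input outright, and then binds the validated value in a prepared statement, because narrowing the input is not by itself what stops SQL injection. The `$request` array is a constructed stand-in for a query string; in a real web request you would call `filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT)` instead of `filter_var()`. It assumes PHP with the filter and pdo_sqlite extensions.

```php
<?php
declare(strict_types=1);

// Constructed sample input, as a browser might send ?id=42abc&name=<b>Ann</b>&page=-3
$request = ['id' => '42abc', 'name' => '<b>Ann</b>', 'page' => '-3'];

// Sanitizing filter: FILTER_SANITIZE_NUMBER_INT keeps only digits, '+' and '-',
// so '42abc' becomes '42' silently. It does not guarantee a valid integer.
$sanitizedId = filter_var($request['id'], FILTER_SANITIZE_NUMBER_INT); // '42'

// Validating filter: FILTER_VALIDATE_INT returns false for '42abc' instead of guessing.
$validId = filter_var($request['id'], FILTER_VALIDATE_INT);            // false

// Options enforce a range; an out-of-range page number is rejected, not clamped.
$page = filter_var($request['page'], FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1, 'max_range' => 1000]]);           // false

// FILTER_UNSAFE_RAW hands back the value untouched when you need your own check;
// here the only treatment needed is escaping for HTML output.
$rawName  = filter_var($request['name'], FILTER_UNSAFE_RAW);
$safeName = htmlspecialchars($rawName, ENT_QUOTES, 'UTF-8');           // &lt;b&gt;Ann&lt;/b&gt;

var_dump($sanitizedId, $validId, $page, $safeName);

// Even a validated integer is passed as a bound parameter, never concatenated into
// the SQL text. In-memory SQLite keeps this runnable offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (42, 'Ann')");

// Returns the user's name, or null when the id fails validation or no row matches.
function lookupUser(PDO $pdo, string $rawId): ?string
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null; // reject rather than repair
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

var_dump(lookupUser($pdo, '42'));          // string(3) "Ann"
var_dump(lookupUser($pdo, '42 OR 1=1'));   // NULL: not an integer, query never runs
var_dump(lookupUser($pdo, '7'));           // NULL: valid integer, no such row
```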
