What's the difference between filter_var and filter_input ? I can not find this anywhere, at least not in a way that I understand.
And how do I replace mysql_real_escape_string with one of them?
$password = mysql_real_string($_POST['password']);
The basic difference is that filter_input plays the role of filter_var , but already catching from an input variable (such as GET or POST ).
This code here ...
$email = $_POST['email'];
$resultado = filter_var( $email, FILTER_VALIDATE_EMAIL );
does the same thing as this:
$resultado = filter_input( INPUT_POST, 'email', FILTER_VALIDATE_EMAIL );
For the available filters, see the PHP manual: Filter Types (en)
mysql_real_escape_string() is already something completely different: it is to sanitize the data for input into MySQL table fields. Its purpose is more specific, but it is an obsolete function, as well as all of the mysql_ library.
To replace the latter, use for example the mysqli library, see this question here .
If you want to filter an existing variable, use filter_var ;
If you are filtering a GET or POST , for example, use filter_input ;
If you are filtering a value to insert into MySQL, change the library from mysql_real_escape_string to mysqli_ with bind parameters .
filter_inputandfilter_varare not substitutes formysql_real_escape_string.