filter_input and filter_var functions:
The basic difference is that filter_input plays the role of filter_var, but already taking the value from an input variable (such as GET or POST).
This code here ...
    $email = $_POST['email'];                                 // value already in a variable
    $resultado = filter_var($email, FILTER_VALIDATE_EMAIL);   // the e-mail on success, false if invalid
does the same thing as this:
    $resultado = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL); // reads $_POST['email'] itself
For the available filters, see the PHP manual: Filter Types (en)
mysql_real_escape_string function:
mysql_real_escape_string() is already something completely different: it is for sanitizing data before it goes into MySQL table fields. Its purpose is more specific, but it is an obsolete function, as is the whole mysql_ library.
To replace the latter, use for example the mysqli library; see this question here.
In brief:
- If you want to filter an existing variable, use filter_var;
- If you are filtering a GET or POST value, for example, use filter_input;
- If you are filtering a value to insert into MySQL, change the library from mysql_real_escape_string to mysqli_ with bind parameters.
filter_input and filter_var are not substitutes for mysql_real_escape_string.