What is the difference between 'filter_var' and 'filter_input'?

5

What's the difference between filter_var and filter_input? I cannot find this anywhere, at least not in a way that I understand.

And how do I replace mysql_real_escape_string with one of them?

$password = mysql_real_escape_string($_POST['password']);
    
asked by anonymous 25.05.2014 / 03:47

1 answer

7

filter_input and filter_var functions:

The basic difference is that filter_input does the job of filter_var, but takes the value directly from an input variable (such as GET or POST).

This code here ...

$email = $_POST['email'];
$resultado = filter_var( $email, FILTER_VALIDATE_EMAIL );

does the same thing as this:

$resultado = filter_input( INPUT_POST, 'email', FILTER_VALIDATE_EMAIL );

For the available filters, see the PHP manual: Filter Types (en)


mysql_real_escape_string function:

mysql_real_escape_string() is something completely different: it sanitizes data for insertion into MySQL table fields. Its purpose is more specific, but it is an obsolete function, as is the whole mysql_ library.

To replace it, use for example the mysqli library; see this question here.


In brief:

  • If you want to filter an existing variable, use filter_var;

  • If you are filtering a GET or POST, for example, use filter_input;

  • If you are filtering a value to insert into MySQL, change the library from mysql_real_escape_string to mysqli_ with bind parameters.

  

filter_input and filter_var are not substitutes for mysql_real_escape_string.

    
25.05.2014 / 06:45
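An added example, not part of the original answer, that puts the three points of the summary side by side: filter_var on a variable, filter_input on request data, and mysqli bind parameters for the query. The `users` table, its `id` and `email` columns and the `DB_*` environment variables are assumptions made for illustration.

```php
<?php
// Added example. The `users` table, its columns and the DB_* environment
// variables are assumptions, not part of the original post.

// filter_var: validate a value that is already in a variable.
function valid_email(string $raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// mysqli with bind parameters: the value never becomes part of the SQL text.
function find_user(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample inputs; the second is a valid address containing a quote.
foreach (['alice@example.com', "o'brien@example.com", 'not-an-email'] as $raw) {
    $email = valid_email($raw);
    printf("%-20s %s\n", $raw, $email === null ? 'rejected' : 'accepted');
}

// filter_input: same filter, read directly from the request.
// Returns null when the field is absent (always the case on the CLI).
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null) {
    $email = valid_email("o'brien@example.com"); // constructed fallback
}
if ($email === false) {
    exit("invalid e-mail\n");
}

// Validation passed, yet concatenating the value would still break the query:
echo "concatenated: SELECT id FROM users WHERE email = '$email'\n";

// Runs only when a database is configured through the assumed DB_* variables.
if (getenv('DB_HOST') !== false) {
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    var_dump(find_user($db, $email));
}
```

The address with the apostrophe is accepted by FILTER_VALIDATE_EMAIL, which is why validation alone does not make a value safe to place inside an SQL string.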