Is filter_var any good for filtering data? What kind of bad data will it filter? I do use mysql_real_escape_string but I wonder if adding filter_var will help?
Is filter_var any good for filtering data? What kind of bad data will it
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is filter_var any good for filtering data? What kind of bad data will it filter? I do use mysql_real_escape_string but I wonder if adding filter_var will help?
To defend from SQL injection use prepared statements if possible. If not, use mysql_real_escape_string for strings, (int) casting or intval() for integers, (float) or floatval() for floats and addcslashes($input, ‘%_’) for strings to be used inside LIKE statements. Things get even more complicated when trying to escape strings to be used inside RLIKE statements.
For filtering HTML content, the best would be strip_tags (without passing $allowable_tags), but… you may not like/want it, in which case the most affordable solution is:
A more reliable solution would be to use a library like HTML Purifier
Filter functions are OK, but some of them are more validators than filters. Depending on your needs you may find some of them useful.