21

This should be an elementary question, but why is it better to use something like this:

$pwd = filter_input(INPUT_POST, 'pwd');

Instead of just:

$pwd = $_POST['pwd'];

PS: I understand that the filter extension can be used with more arguments to provide an additional level of sanitization.

kenorb
Alix Axel

3 Answers

15

It's not. $_GET, $_POST, $_COOKIE and $_REQUEST are filtered with the default filter. filter_input(INPUT_POST, 'pwd') without additional parameters also uses the default filter. So there is no difference at all.

vartec
  • Was looking around for `filter_input` vs. `htmlspecialchars` and noticed this appears to be outdated. Most PHP configurations do not filter this data anymore, the link you post even has the default configuration value set as "unsafe_raw" – Charles Sprayberry Aug 05 '11 at 17:08
  • 4
    @Charles: in both cases data passes through the default filter. That default now happens to be `"unsafe_raw"`, but that doesn't change the fact that using `filter_input` without `filter` parameter does not give you any additional level of security. – vartec Aug 06 '11 at 16:42
  • Fair enough. Thanks for the info. – Charles Sprayberry Aug 06 '11 at 17:05
  • 1
    On my server there is a difference when magic_quotes_gpc is turned on. The filtered one does not include slashes, while referencing it with $_POST does. So far I couldn't figure out why... http://stackoverflow.com/questions/9533122/when-does-filter-input-remove-slashes-of-post-variables-in-php – R_User Mar 02 '12 at 15:16
2

It is not better.

Please see docs on filter_input http://www.php.net//manual/en/function.filter-input.php

and click the "Types of Filters" link. http://www.php.net/manual/en/filter.filters.php

I have only ever used the integer filter ...

$user_id = filter_input(INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT);
$user = abs($user_id); // To get rid of any +/-
Anthony Scaife
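Added example (PHP; not code from any of the answers) contrasting the three behaviours discussed above: the default filter vartec describes, the FILTER_SANITIZE_NUMBER_INT call Anthony uses, and a validating filter. It uses filter_var() on constructed strings because filter_input() can only read the live request, but the filter constants behave identically in both functions.

```php
<?php
// Added example, not part of the original question or answers.
// filter_input(INPUT_POST, 'pwd') applies FILTER_DEFAULT to the raw request
// value; filter_var() applies the same filter to any string, so the
// constructed samples below stand in for POST data when run from the CLI.

$samples = ['42', ' 42 ', '12abc', '1-2+3', '-7', 'abc', '<b>x</b>'];

foreach ($samples as $raw) {
    // FILTER_DEFAULT is FILTER_UNSAFE_RAW: the value comes back untouched,
    // which is why filter_input() with no filter argument equals $_POST.
    $default = filter_var($raw, FILTER_DEFAULT);

    // Sanitize: strips everything except digits, '+' and '-'. It does not
    // check that what remains is a number ('1-2+3' survives unchanged).
    $sanitized = filter_var($raw, FILTER_SANITIZE_NUMBER_INT);

    // Validate: returns an int for well-formed input (surrounding whitespace
    // is tolerated) and false for anything else, so the caller must check.
    $validated = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],   // reject 0 and negatives outright
    ]);

    printf("%-10s default=%-10s sanitize=%-8s validate=%s\n",
        var_export($raw, true),
        var_export($default, true),
        var_export($sanitized, true),
        var_export($validated, true));
}

// Helper built on the validating filter (hypothetical name): only a positive
// integer is returned; anything else yields null before any database call.
function validated_user_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}
```

The sanitizing filter turns '12abc' into '12' silently, whereas the validating filter rejects it; for an identifier that feeds a query, the rejecting behaviour is the one you want.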
2

Any data which is sent from the client (such as POST data) should be sanitized and escaped (and even better, sanity-checked) to ensure that it isn't going to kill your website.

SQL Injection and Cross-site scripting are the two largest threats for failing to sanitize your user-sent data.

Ben S
  • Is filter_input() still necessary if you're using parameterized queries and htmlspecialchars() before you print any user-supplied data? – Calvin Apr 20 '09 at 14:27
  • filter_input(INPUT_POST, 'pwd'); (without any other argument) still sanitizes the value? – Alix Axel Apr 20 '09 at 14:29
  • 1
    @Ben: generally you're right, but that's not an answer to this question. – vartec Apr 20 '09 at 14:47