When to use filter_input()

by

Well, there are going to be differing opinions.

My take is that you should always use it (or, the filter extension in general). There are at least 3 reasons for this:

  1. Sanitizing input is something you should always do. Since the function gives you this capability there is really no reason to find other ways of sanitizing input. Since it is an extension the filter will also be much faster and most likely safer than most PHP solutions out there, which certainly does not hurt. The only exception is if you need a more specialized filter. Even then you should grab the value using the FILTER_UNSAFE_RAW filter (see #3).

  2. There are a lot of goodies in the filter extension. It can save you hours from writing sanitizing and validation code. Of course, it does not cover every single case, but there is enough so that you can focus more on specific filtering/validating code.

  3. Using the function is very good for when you are debugging/auditing your code. When the function is used you know exactly what the input will be. For example, if you use the FILTER_SANITIZE_NUMBER_INT filter then you can be sure that the input will be a number — no SQL injections, no HTML or Javascript code, etc. If you, on the other hand, use something like FILTER_UNSAFE_RAW then you know that it should be treated carefully, and that it can easily cause security problems.

More Related Contents:

  1. Are PDO prepared statements sufficient to prevent SQL injection?
  2. Is “mysqli_real_escape_string” enough to avoid SQL injection or other SQL attacks?
  3. Why would one omit the close tag?
  4. Reference: What is a perfect code sample using the MySQL extension? [closed]
  5. How do you Encrypt and Decrypt a PHP String?
  6. The ultimate clean/secure function
  7. Exploitable PHP functions
  8. Two-way encryption: I need to store passwords that can be retrieved
  9. Preventing Directory Traversal in PHP but allowing paths
  10. What is the best way to stop people hacking the PHP-based highscore table of a Flash game
  11. Secure random number generation in PHP
  12. SQL injections in ADOdb and general website security
  13. In a PHP / Apache / Linux context, why exactly is chmod 777 dangerous?
  14. Which $_SERVER variables are safe?
  15. What do I need to store in the php session when user logged in?
  16. PHP setcookie “SameSite=Strict”?
  17. encrypt and decrypt md5
  18. How to sanitze user input in PHP before mailing?
  19. Magic quotes in PHP
  20. best practice to generate random token for forgot password
  21. Fastest hash for non-cryptographic uses?
  22. Best way to avoid code injection in PHP
  23. Using PHP/Apache to restrict access to static files (html, css, img, etc)
  24. How can I determine a file’s true extension/type programmatically?
  25. Secure and Flexible Cross-Domain Sessions
  26. Can a client view server-side PHP source code?
  27. Can I serve MP3 files with PHP?
  28. Best way to connect to MySQL with PHP securely [duplicate]
  29. Safe alternatives to PHP Globals (Good Coding Practices)
  30. Proper session hijacking prevention in PHP

Leave a Comment