Reputation: 91
I wrote some code, but now I don't know which version is the better one. Is there any possibility that, because of the 1st version, my code is vulnerable?
Version 1:
$destination = $_POST['var'];
$destination = strip_tags(trim($destination));
Version 2:
$destination = strip_tags(trim($_POST['var']));
Upvotes: 0
Views: 376
Reputation: 418
Both versions are the same in terms of vulnerability. If injection is what you're worried about, you may want to include addslashes().
Which is better? Version 2 will actually benchmark a little faster. Setting a variable to another is just an unnecessary step in the process. I would suggest that version 1, while not technically wrong, is bad practice. Even though the resulting value is the same.
Upvotes: 0
Reputation: 3175
Well, strip_tags can still be exploited. A slightly better solution might be the following:
$destination = htmlentities(trim($_POST['var']));
However this is still not enough, extra work should be done if the $_POST['var'] will go into the database.
Make sure that you understand what htmlentities() does exactly before implementing it in your code on a production level.
Upvotes: -2
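The claim above that strip_tags() can still be exploited is easy to see with an attribute-context payload. The following is an added example, not code from the question or from any of the answers; the input string is constructed for the demonstration, and h() is a hypothetical helper name. It uses htmlspecialchars() rather than htmlentities(); for the HTML metacharacters the two behave the same, and htmlspecialchars() leaves other characters alone.

```php
<?php
// Added example (not from the original question or answers).
// Shows why strip_tags() alone does not make user input safe to echo
// into HTML, and what output-time encoding does instead.

// Constructed input: it contains no '<' or '>', so strip_tags() leaves it
// untouched, but it breaks out of a double-quoted attribute when echoed raw.
$input = '" autofocus onfocus="alert(1)';

// What the two snippets in the question do (both versions are equivalent).
$destination = strip_tags(trim($input));

// Unsafe: the value is interpolated straight into an attribute, so the
// payload closes the value="" early and adds its own onfocus attribute.
$unsafe = '<input name="destination" value="' . $destination . '">';

// Safer: encode for the HTML context at output time. ENT_QUOTES encodes
// both quote characters; passing the charset avoids encoding surprises.
function h(string $s): string   // hypothetical helper name
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$safe = '<input name="destination" value="' . h($destination) . '">';

echo "strip_tags result : $destination\n";
echo "unsafe markup     : $unsafe\n";
echo "encoded markup    : $safe\n";
```

Running it shows the unencoded markup as `<input name="destination" value="" autofocus onfocus="alert(1)">`, while the encoded version keeps the whole payload inside the attribute as `&quot; autofocus onfocus=&quot;alert(1)`. The point is that the encoding belongs at the place where the value is written into HTML, not at the point where it is read from $_POST.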
Reputation: 2557
Both of the versions mean the SAME; you can use either. In my opinion you must use filter_var to filter the input string...
Upvotes: 0
Reputation: 4645
Both snippets are exactly the same. Some people will say the first one is better for readability and some people will say the second one is better for conciseness.
Upvotes: 0
Reputation: 2592
They're both exactly the same.
What are you escaping the input for? Database? XSS?
Upvotes: 0
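The question "Database? XSS?" is the right one: the handling depends on where the value goes. As an added example that is not part of the original answers, this block combines the filter_var() suggestion from the earlier answer with a database write, and goes one step beyond the thread by showing that a bound parameter, not an escaping function, is what protects the query. Assumptions (not from the page): the value is a short lowercase slug, the table is named visits with a destination column, and the PDO SQLite driver is available so the script runs offline.

```php
<?php
// Added example (not from the original answers). Assumes pdo_sqlite,
// used here only so the script runs without an external database.

// Validate at input: decide what 'var' is allowed to be and reject the
// rest. The slug rule below is a constructed assumption for the example.
function readDestination(array $post): ?string
{
    $raw = $post['var'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $value = trim($raw);
    // filter_var with a regexp: lowercase letters, digits and dashes, 1-64 chars.
    $ok = filter_var($value, FILTER_VALIDATE_REGEXP, [
        'options' => ['regexp' => '/^[a-z0-9-]{1,64}$/'],
    ]);
    return $ok === false ? null : $value;
}

// Store with a prepared statement: the value travels as a bound parameter,
// never as part of the SQL text, so no escaping function is involved.
function storeDestination(PDO $db, string $destination): int
{
    $stmt = $db->prepare('INSERT INTO visits (destination) VALUES (:d)');
    $stmt->execute([':d' => $destination]);
    return (int) $db->lastInsertId();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE visits (id INTEGER PRIMARY KEY, destination TEXT NOT NULL)');

// Constructed sample requests standing in for $_POST.
$samples = [
    ['var' => '  paris  '],
    ['var' => "paris'); DROP TABLE visits; --"],
    ['var' => '<b>paris</b>'],
];

foreach ($samples as $post) {
    $dest = readDestination($post);
    if ($dest === null) {
        echo 'rejected: ' . var_export($post['var'], true) . "\n";
        continue;
    }
    $id = storeDestination($db, $dest);
    echo "stored #$id: $dest\n";
}
```

Only the first sample is stored ("paris", after trim); the other two fail validation. Even if the validation rule were looser, the prepared statement would store the second string literally rather than executing it, which is why the escaping functions discussed in the thread are not the right tool for the database case.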
Reputation: 94143
As neither strip_tags nor trim changes the input string, there is absolutely no difference between the two versions.
Upvotes: 4