Reputation: 4192
I traditionally use a `filter_var()` function for sanitizing `$_GET` and `$_POST` data, such as:

    $foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

but PHP also has a function `filter_input()`, which has a different syntax to accomplish the same thing:

    $foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);
Are these just synonyms? Is there an advantage to using one over the other?
I have checked the man pages, but I don't see a lot of difference (only whether/how an error is reported). Semantically/best practice, what makes the most sense?
Upvotes: 19
Views: 9048
Reputation: 78994
One of the main differences is how they handle undefined variables/indexes. If `$_GET['foo']` doesn't exist:

    $foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

returns an empty string `""` and generates:

    Notice: Undefined index: foo

So you would normally need to wrap this in an `if(isset($_GET['foo']))`.

Whereas:

    $foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

returns `NULL` and does not generate an error.

Note: The `filter_input` function does not operate on the current `$_GET` and `$_POST` superglobals, rather it is prepopulated and independent of those arrays. If `$_GET['foo']` does not exist but is created in the script, it will not be seen by `filter_input`:

    $_GET['foo'] = 1;
    $foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

will return `null`.
Upvotes: 24
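The three behaviours described in the answer (missing key, key created at runtime, and the `isset()` guard that `filter_var()` needs), collected into one runnable script. This is an added example, not code from the question or the answer; the helper names `viaFilterVar()` and `viaFilterInput()` are my own. The last section goes beyond the answer: it contrasts `FILTER_SANITIZE_NUMBER_INT`, which strips unwanted characters and so quietly turns `"12abc"` into `"12"`, with `FILTER_VALIDATE_INT`, which rejects the value instead, so that a present-but-invalid parameter is not confused with an absent one.

```php
<?php
// Added example, not from the original question or answer.
// Shows how filter_var() and filter_input() differ for a missing $_GET key
// and for a key added to $_GET by the script itself.
// Run via a web server (/demo.php?foo=42) or from the CLI (php demo.php);
// on the CLI there is no request, so INPUT_GET is empty.

declare(strict_types=1);

// Assumed helper name (not from the page).
// filter_var() reads whatever array you hand it, so it sees live changes to
// $_GET. The isset() guard is the one the answer says you normally need:
// without it PHP reports an undefined index and filter_var(null, ...) yields "".
function viaFilterVar(array $get, string $key): ?string
{
    if (!isset($get[$key])) {
        return null;
    }
    $result = filter_var($get[$key], FILTER_SANITIZE_NUMBER_INT);
    return $result === false ? null : $result;
}

// Assumed helper name (not from the page).
// filter_input() reads the request data PHP captured at startup, not the live
// $_GET array: a missing key gives null with no notice, and a key the script
// adds to $_GET later is never seen.
function viaFilterInput(string $key): ?string
{
    $result = filter_input(INPUT_GET, $key, FILTER_SANITIZE_NUMBER_INT);
    return ($result === null || $result === false) ? null : $result;
}

// 1. Key absent from both the live array and the captured request:
//    both helpers return null, and neither path raises a notice.
var_dump(viaFilterVar($_GET, 'foo'));
var_dump(viaFilterInput('foo'));

// 2. Key created by the script (constructed sample value): only filter_var()
//    sees it; filter_input() still works from the startup snapshot.
$_GET['foo'] = '12abc';
var_dump(viaFilterVar($_GET, 'foo'));
var_dump(viaFilterInput('foo'));

// 3. Sanitize versus validate (beyond the answer). The sanitize filter keeps
//    only digits, '+' and '-', so "12abc" becomes "12" without complaint.
//    FILTER_VALIDATE_INT returns false for "12abc" and the integer for "42",
//    which lets the caller distinguish "invalid" (false) from "absent" (null).
var_dump(filter_var($_GET['foo'], FILTER_VALIDATE_INT));
var_dump(filter_var('42', FILTER_VALIDATE_INT));
```

If the script must react to parameters it injects into `$_GET` itself (for example in tests or when a front controller rewrites the query string), only the `filter_var()` path will see them; `filter_input()` is the better fit when you want a notice-free read of exactly what the client sent.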