filter_var any good for filtering data? What kind of bad data will it filter? I do use
mysql_real_escape_string but I wonder if adding
filter_var will help?
To defend from SQL injection use prepared statements if possible. If not, use mysql_real_escape_string for strings, (int) casting or intval() for integers, (float) or floatval() for floats and addcslashes($input, '%_') for strings to be used inside LIKE statements. Things get even more complicated when trying to escape strings to be used inside RLIKE statements.
For filtering HTML content, the best would be strip_tags (without passing $allowable_tags), but... you may not like/want it, in which case the most affordable solution is:
$escaped = htmlspecialchars($input, ENT_QUOTES, $your_charset);
A more reliable solution would be to use a library like HTML Purifier
Filter functions are OK, but some of them are more validators than filters. Depending on your needs you may find some of them useful.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki