Is filter_var any good for filtering data? What kind of bad data will it filter? I do use mysql_real_escape_string but I wonder if adding filter_var will help?


Not sure why this was downvoted

Written by Ross

You should better try to understand what XSS and SQL injections are and why they are possible instead of asking for a miracle function to prevent them.

Written by Gumbo

Will help what? What are you trying to do that you hope filter_var will accomplish?

Written by jmucchiello

downvoted because question is really vague. manipulating data is different for every kind of need. since you mention mysql_real_escape_string most people will assume you want filter_var in lieu of mysql_real_escape_string but at the same time you mention you also will be using that... filter_var is used for basic input sanitization/validation. as you will see from the manual, there's nothing specific for databases, only data types.

Written by gcb

Accepted Answer

To defend from SQL injection use prepared statements if possible. If not, use mysql_real_escape_string for strings, (int) casting or intval() for integers, (float) or floatval() for floats and addcslashes($input, '%_') for strings to be used inside LIKE statements. Things get even more complicated when trying to escape strings to be used inside RLIKE statements.

For filtering HTML content, the best would be strip_tags (without passing $allowable_tags), but... you may not like/want it, in which case the most affordable solution is:

$escaped = htmlspecialchars($input, ENT_QUOTES, $your_charset);

A more reliable solution would be to use a library like HTML Purifier

Filter functions are OK, but some of them are more validators than filters. Depending on your needs you may find some of them useful.

This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the community.
It is licensed under cc-wiki