in VIP, Wordpress

$_GET or $_POST v’s filter_input() function

Read an interesting article on the VIP WordPress, which suggests you should not use $GET or $POST. Instead you should use functions built into PHP 5.2+ like filter_input().

Now just have a couple of questions about this:

1) What are people’s thoughts on this? Is this what we should be moving to?
2) So if i’m reading this right would you swap the old way for the new way below for $_POST? This the right way to do it?

So for $_POST should I swap the old way for the new way like so:

//Old Way
$name = trim(mysql_real_escape_string(htmlentities(strip_tags($_POST['name'],ENT_QUOTES))));
$address = trim(mysql_real_escape_string(htmlentities(strip_tags($_POST['address'],ENT_QUOTES))));

//New Way
$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
$address = filter_input(INPUT_POST, 'address', FILTER_SANITIZE_STRING);

3) With regards to $GET I currently do things like typecast if it’s a number and use mysqlreal_escape_string on characters.

So if I have a numbered URL like so i’d do:

webpage.php?num=37738292

//Old Way
$num = (int) $_GET['num'];
$query = "UPDATE tbl SET something = '1' WHERE num = $num";

And if I have a string URL like so i’do:

webpage.php?num=dog
$num = mysql_real_escape_string($_GET['num']);
$query = "UPDATE tbl SET something = '1' WHERE num = '$num'";

So therefore if I run the filter() function here I don’t see where it does the checking for either typecasting or using mysql_real_escape_string if i’m using a string for $_GET where’s the difference?


$num = filter_input(INPUT_GET, 'num', FILTER_SANITIZE_STRING);
$query = "UPDATE tbl SET something = '1' WHERE num = $num";

Write a Comment

Comment