
I don't know when to use each one of them.

$name = mysqli_real_escape_string($connection, $_POST['name']); 

or

$name = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);

1 Answer

real_escape_string() has to be used for SQL strings, i.e. the parts of the query enclosed in quotes. It has to be used unconditionally, regardless of any previous manipulations. real_escape_string() escapes special characters in a string for use in an SQL statement, taking into account the current character set of the connection.

Whereas filter_input gets a specific external variable by name and optionally filters it. filter_input gives you a way to validate input for specific strings and characters. The available filters fall into four groups:

  1. Validate filters
  2. Sanitize filters
  3. Other filters
  4. Filter flags

Validate filters

As the name suggests, they are used to validate specific kinds of input, like FILTER_VALIDATE_EMAIL.

$email = "abc@example"; // wrong email: no dot in the domain part

if (filter_var($email, FILTER_VALIDATE_EMAIL)) {
    // valid: filter_var() returns the e-mail string itself
    echo $email.'<br>';
    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
} else {
    // invalid: filter_var() returns false
    var_dump(filter_var($email, FILTER_VALIDATE_EMAIL));
}

Sanitize filters are used to validate and remove characters from a string. For example:

ID: FILTER_SANITIZE_EMAIL
Name: "email"
Description: Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].

For more information, see the documentation on filter_var.

So I think that both have different roles to play.
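The two roles described in the answer, as an added example that is not from the question or the answer: the filter extension validates the value, and mysqli_real_escape_string() is applied only at the point where that value is placed inside a quoted SQL string literal. The sample inputs, the users/email table names and the DB_HOST/DB_USER/DB_PASS environment variables are assumptions made for the example.

```php
<?php
// Added example: validation and escaping are separate stages with separate
// tools. Stage 1 uses the filter extension on the value itself; stage 2 uses
// mysqli_real_escape_string() for the one place it applies, a quoted literal.
declare(strict_types=1);

// Stage 1: validation. Returns the e-mail or null. Nothing SQL-related here.
function validated_email(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Stage 2: build the SQL. The escaped value goes inside single quotes; escaping
// protects only quoted string literals, not a bare number or an identifier.
function email_lookup_query(mysqli $db, string $email): string
{
    $escaped = mysqli_real_escape_string($db, $email);
    return "SELECT id FROM users WHERE email = '$escaped'"; // assumed table/column
}

// Constructed sample inputs standing in for $_POST values.
$samples = [
    "abc@example",      // fails validation, never reaches the SQL stage
    "jane@example.com", // passes validation
    "x'@example.com",   // a valid address that still needs escaping in the literal
];

// Assumption: connection details come from the environment. With reporting off,
// a failed connect returns false instead of throwing, so stage 1 still runs.
mysqli_report(MYSQLI_REPORT_OFF);
$db = @mysqli_connect(getenv('DB_HOST') ?: 'localhost',
                      getenv('DB_USER') ?: 'root',
                      getenv('DB_PASS') ?: '');

foreach ($samples as $raw) {
    $email = validated_email($raw);
    if ($email === null) {
        echo "rejected: $raw\n";
        continue;
    }
    if ($db instanceof mysqli) {
        echo email_lookup_query($db, $email), "\n";
    } else {
        echo "valid (no connection available for escaping): $email\n";
    }
}
```

FILTER_SANITIZE_STRING, used in the question, is deprecated as of PHP 8.1, which is why the example validates with FILTER_VALIDATE_EMAIL instead. A prepared statement with bound parameters removes the need to escape the value at all.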
