
When is filter_input() used versus filter_var()?

I traditionally use a filter_var() function for sanitizing $_GET and $_POST data, such as:

 $foo =  filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

but PHP also has a function filter_input(), which has a different syntax to accomplish the same thing:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Are these just synonyms? Is there an advantage to using one over the other?

I have checked the man pages, but I don't see a lot of difference (only whether/how an error is reported). Semantically/best practice, what makes the most sense?

One of the main differences is how they handle undefined variables/indexes. If $_GET['foo'] doesn't exist:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

Returns an empty string "" and generates:

Notice: Undefined index: foo

So you would normally need to wrap this in an if(isset($_GET['foo'])).

Whereas:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Returns NULL and does not generate an error.

Note: The filter_input function does not operate on the current $_GET and $_POST superglobals; rather, it is prepopulated and independent of those arrays.

If $_GET['foo'] does not exist but is created in the script, it will not be seen by filter_input:

$_GET['foo'] = 1;
$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Will return null.
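The two behaviours described in the answer above, side by side, as an added example that is not part of the original post. It is meant to be run from the PHP command line, where no GET data was supplied with the request; read_param() is a hypothetical helper and '42abc' is a constructed sample value.

```php
<?php
// Added example, not code from the original answer.

// Hypothetical helper: filter a value taken from an array such as $_GET,
// returning null for a missing key (the convention filter_input() uses)
// instead of triggering an "Undefined index" notice.
function read_param(array $source, string $key, int $filter = FILTER_SANITIZE_NUMBER_INT)
{
    if (!array_key_exists($key, $source)) {
        return null;
    }
    return filter_var($source[$key], $filter);
}

// Constructed sample data, written into the superglobal by the script itself.
$_GET['foo'] = '42abc';

$cases = [
    // filter_input() reads the request data captured at startup,
    // so it does not see the assignment above.
    'filter_input, key written at runtime' =>
        filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT),
    // filter_var() works on whatever the array holds right now.
    'read_param, key written at runtime' =>
        read_param($_GET, 'foo'),
    // Missing key: both access paths report null, and neither raises a notice.
    'filter_input, key absent' =>
        filter_input(INPUT_GET, 'bar', FILTER_SANITIZE_NUMBER_INT),
    'read_param, key absent' =>
        read_param($_GET, 'bar'),
];

foreach ($cases as $label => $value) {
    printf("%-40s %s\n", $label, var_export($value, true));
}
```

Because the two functions can disagree whenever code modifies $_GET or $_POST at runtime, use a single access path for a given parameter so the value that is filtered is the value that is later used.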
