
I traditionally use a filter_var() function for sanitizing $_GET and $_POST data, such as:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

but PHP also has a function filter_input(), which has a different syntax to accomplish the same thing:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Are these just synonyms? Is there an advantage to using one over the other?

I have checked the man pages, but I don't see a lot of difference (only whether/how an error is reported). Semantically/best practice, what makes the most sense?

Sablefoste
    `filter_var` takes any variable, so you have to look out for undefined variable errors yourself. `filter_input` instead uses the original values of `$_GET`, `$_POST`, `$_COOKIE`, `$_ENV` or `$_SERVER`, that means any modification made to these variables will not be taken into account. See https://secure.php.net/manual/en/function.filter-input.php#115086 – Charlotte Dunois Oct 26 '16 at 18:52
  • 1
    @CharlotteDunois, so filter_input is a more specific case of filter_var? It seems strange that PHP would have another function with different syntax and so little added benefit. – Sablefoste Oct 26 '16 at 18:55

1 Answer


One of the main differences is how they handle undefined variables/indexes. If $_GET['foo'] doesn't exist:

$foo = filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT);

Returns an empty string "" and generates:

Notice: Undefined index: foo

So you would normally need to wrap this in an if(isset($_GET['foo'])).

Whereas:

$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Returns NULL and does not generate an error.

Note: The filter_input function does not operate on the current $_GET and $_POST superglobals, rather it is prepopulated and independent of those arrays.

If $_GET['foo'] does not exist but is created in the script, it will not be seen by filter_input:

$_GET['foo'] = 1;
$foo = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);

Will return null.

AbraCadaver
    So the only benefit then is saving the extra `isset()` check? As I mentioned in my other comment above, why would the makers of PHP bother with an extra function with a different syntax for so little extra benefit? Not really a rhetorical question, but I don't know if there is an easy answer... – Sablefoste Oct 26 '16 at 18:59
  • 1
    @Sablefoste Cleanliness is exactly what we want. – Charlotte Dunois Oct 26 '16 at 19:00
  • Okay, I will accept the answer, and immediately forget `filter_input`. Because only having to know one type of syntax is cleaner (to me) than shorter but special case code. Thank you for the answer! ;) – Sablefoste Oct 26 '16 at 19:02
  • Check http://php.net/manual/en/function.filter-input.php#99124 for more differences. – Gediminas Dec 14 '18 at 11:59
  • Can `filter_input` be used to sanitise as well as validate? I'm not having any luck getting it to work with the sanitise filters. – Hashim Aziz Jan 21 '21 at 02:30
  • @HashimAziz You would need to ask a question with code and show what you want. – AbraCadaver Jan 22 '21 at 23:28
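The behaviours described in the answer (missing key, key added at run time) side by side, plus the sanitize-versus-validate distinction raised in the comments, as an added example that is not part of the question or answer above. The `requestInt` helper is a hypothetical name chosen for the example; run it from the CLI with no query string so `$_GET` starts empty.

```php
<?php
// Added example: contrasts filter_var() and filter_input() on a missing
// request key and on a key assigned after the request was received.
declare(strict_types=1);

// 1. Missing key: filter_var($_GET['foo'], ...) would emit "Undefined index"
//    (a warning on PHP 8) and yield "", so the lookup is guarded with isset().
$fooVar = isset($_GET['foo'])
    ? filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT)
    : null;
var_dump($fooVar);

// 2. Same lookup with filter_input(): no notice, null for a missing key.
$fooInput = filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT);
var_dump($fooInput);

// 3. filter_input() reads the request as it arrived, not the live $_GET array,
//    so a value assigned here is seen by filter_var() but not by filter_input().
$_GET['foo'] = '42abc';
var_dump(filter_var($_GET['foo'], FILTER_SANITIZE_NUMBER_INT));
var_dump(filter_input(INPUT_GET, 'foo', FILTER_SANITIZE_NUMBER_INT));

// 4. Sanitizing strips characters; validating rejects the whole value.
//    For a parameter that must be a whole number, validation is the stricter
//    check: "42abc" is reduced to "42" by the sanitize filter but is refused
//    (false) by FILTER_VALIDATE_INT, and min_range can bound it further.
var_dump(filter_var('42abc', FILTER_VALIDATE_INT));
var_dump(filter_var('42', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]));

// 5. Hypothetical helper (not from the page) that applies this to a request
//    parameter and keeps "absent" (null) distinct from "present but invalid"
//    (false), so a caller cannot mistake a rejected value for a missing one.
function requestInt(int $type, string $key, int $min = 1): ?int
{
    $value = filter_input($type, $key, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    if ($value === false) {
        throw new InvalidArgumentException(
            "Parameter '$key' must be an integer >= $min");
    }
    return $value; // null when the parameter was not supplied at all
}
var_dump(requestInt(INPUT_GET, 'page'));
```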