Hello All,

Read an interesting article on the phparch website, which suggests you should not use $_GET or $_POST again; instead you should use functions built into PHP 5.2+ like filter_input(), here:


Now just have a couple of questions about this:

1) What are people's thoughts on this? Is this what we should be moving to?
2) So if I'm reading this right, would you swap the old way for the new way below for $_POST? Is this the right way to do it?

So for $_POST should I swap the old way for the new way like so:

PHP Code:
// Old Way: strip tags, encode HTML entities (ENT_QUOTES belongs to htmlentities), escape for MySQL, trim
$name    = trim(mysql_real_escape_string(htmlentities(strip_tags($_POST['name']), ENT_QUOTES)));
$address = trim(mysql_real_escape_string(htmlentities(strip_tags($_POST['address']), ENT_QUOTES)));

// New Way: read and sanitise the POST value in one call
$name    = filter_input(INPUT_POST, 'name', FILTER_SANITIZE_STRING);
$address = filter_input(INPUT_POST, 'address', FILTER_SANITIZE_STRING);
3) With regard to $_GET, I currently do things like typecast if it's a number and use mysql_real_escape_string on characters.

So if I have a numbered URL like so, I'd do:


PHP Code:
// Old Way: cast to int, then interpolate the number into the query
$num   = (int) $_GET['num'];
$query = "UPDATE tbl SET something = '1' WHERE num = $num";
And if I have a string URL like so, I'd do:


PHP Code:
// Escape the string for MySQL, then interpolate it inside quotes
$num   = mysql_real_escape_string($_GET['num']);
$query = "UPDATE tbl SET something = '1' WHERE num = '$num'";

So if I run the filter_input() function here, I don't see where it does the checking for either typecasting or using mysql_real_escape_string if I'm using a string for $_GET. Where's the difference?

PHP Code:
// Sanitised GET value interpolated directly into the query
$num   = filter_input(INPUT_GET, 'num', FILTER_SANITIZE_STRING);
$query = "UPDATE tbl SET something = '1' WHERE num = $num";
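An added example, not part of the original post, showing the distinction the question is circling: filter_input() is for validating or sanitising the shape of input, not for making it safe to paste into SQL. FILTER_VALIDATE_INT rejects malformed numbers outright (where an (int) cast silently truncates "12abc" to 12), and a PDO prepared statement with bound parameters keeps values out of the SQL text entirely, so neither a cast nor mysql_real_escape_string() is needed for the query. FILTER_SANITIZE_STRING is deprecated as of PHP 8.1, so the string helper uses FILTER_UNSAFE_RAW and escapes at output time instead. The table name "tbl", the columns "num" and "something", the DSN and the credentials are placeholders, and filter_input() reads the live request, so this is meant to run under a web server rather than from the CLI.

```php
<?php
// Added example (not from the original post): validate request input with
// filter_input(), then bind it with a PDO prepared statement so the SQL
// layer handles the value instead of string interpolation.
// Assumed schema: table "tbl" with an integer column "num" and a column
// "something". DSN and credentials below are placeholders.

declare(strict_types=1);

/**
 * Return the "num" query parameter as a positive int, or null if it is
 * missing or not a well-formed integer. FILTER_VALIDATE_INT rejects values
 * such as "12abc" rather than truncating them the way (int) would.
 */
function requestedNum(): ?int
{
    $num = filter_input(INPUT_GET, 'num', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    // filter_input() returns null when the key is absent and false when
    // the filter fails; both are treated as "no usable value".
    return ($num === false || $num === null) ? null : $num;
}

/**
 * Return a trimmed, length-limited string from POST, or null if absent.
 * No HTML or SQL escaping happens here on purpose: escaping belongs at the
 * point of output (htmlspecialchars for HTML, bound parameters for SQL).
 */
function requestedField(string $key, int $maxLen = 255): ?string
{
    $value = filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW);
    if ($value === null || $value === false) {
        return null;
    }
    $value = trim($value);
    return mb_strlen($value) <= $maxLen ? $value : null;
}

// Placeholder connection details.
$pdo = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Server-side prepares: bound values never pass through the SQL parser.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$num = requestedNum();
if ($num === null) {
    http_response_code(400);
    exit('num must be a positive integer');
}

// Bound parameters replace both the (int) cast and mysql_real_escape_string():
// the statement text is fixed and the value travels separately.
$stmt = $pdo->prepare('UPDATE tbl SET something = :something WHERE num = :num');
$stmt->bindValue(':something', '1', PDO::PARAM_STR);
$stmt->bindValue(':num', $num, PDO::PARAM_INT);
$stmt->execute();

// For HTML output, escape when rendering rather than when reading input.
$name = requestedField('name') ?? '';
echo '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
```

The split is deliberate: the request-reading helpers only decide whether a value is acceptable, the database call protects the query by binding, and the HTML escaping happens at the echo. That is why the filter step on its own does not "do the checking" for SQL; it was never meant to.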