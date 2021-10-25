Hi, I am starting a new thread rather than hijacking someone else’s - I hope that is appropriate?

In the thread “Problem with syntax in PHP str_replace” @mabismad gave a great list of points of good practice in PHP, which was very interesting and great to see, and I have bookmarked it for reference.

I wanted to ask about item no. 8:

From “Problem with syntax in PHP str_replace”: Don’t waste time attempting to ‘sanitize’ data to try to make it safe. Instead, use data safely in whatever context it is being used in - html, sql, mail header, …

I wonder if I might ask for more detailed advice about this. I have no formal training in IT/computers/coding and am just an interested amateur. If, for instance, you have some user input as a number from a form and you wish to echo the result of a calculation based on this number, would you need to do anything more than simply

$metres = $_POST['metres']; echo $metres * 2.54;

?

As I type this, I realise that perhaps you don’t need to “sanitise” this input and that is the point that you are making?

Whereas if you were going to use the input to create a SQL query, as well as using prepared statements, would you need to do some “sanitising” of the data? If so, what is your preferred means of sanitisation in this scenario? And how about for use with mail()?

I hope you don’t mind me asking and I hope you aren’t sick of people asking you about it?
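As an added illustration of the "use data safely in each context" point (this is example code written for this page, not code from the original post or from @mabismad), here is the poster's metres example carried through four contexts: arithmetic, HTML output, a SQL insert, and a mail header. The `$_POST` array is constructed inline so the script runs from the command line; the SQL part assumes the `pdo_sqlite` extension is available, and the `mail()` call is left commented out since it cannot run offline. Note that nothing is "sanitised": the number is validated and rejected if invalid, the HTML is escaped at the point of output, the SQL value goes in as a bound parameter, and a header value containing a line break is refused rather than cleaned.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for a real form submission.
// The 'subject' value is a deliberate mail-header-injection attempt.
$_POST = [
    'metres'  => '12.5',
    'name'    => '<b>Bob</b> O\'Neil',
    'subject' => "Hello\r\nBcc: victim@example.com",
];

// 1. Numeric context: validate, do not "sanitise". Anything that is not a
//    float is rejected outright rather than cleaned up into something else.
function readMetres(array $post): ?float
{
    $v = filter_var($post['metres'] ?? '', FILTER_VALIDATE_FLOAT);
    return $v === false ? null : $v;
}

// 2. HTML context: escape at the point of output, every time.
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. SQL context: prepared statement with bound parameters, so the database
//    never parses the user's value as SQL. In-memory SQLite so it runs anywhere
//    pdo_sqlite is installed (an assumption for this example).
function storeMeasurement(PDO $db, string $name, float $metres): int
{
    $db->exec('CREATE TABLE IF NOT EXISTS measurements '
            . '(id INTEGER PRIMARY KEY, name TEXT NOT NULL, metres REAL NOT NULL)');
    $stmt = $db->prepare('INSERT INTO measurements (name, metres) VALUES (:name, :metres)');
    $stmt->execute([':name' => $name, ':metres' => $metres]);
    return (int) $db->lastInsertId();
}

// 4. Mail header context: a header value must never contain a line break,
//    otherwise the sender can append extra headers such as Bcc:. Reject it
//    instead of stripping the characters.
function safeHeaderValue(string $s): string
{
    if (preg_match('/[\r\n]/', $s)) {
        throw new InvalidArgumentException('line break in mail header value');
    }
    return $s;
}

$metres = readMetres($_POST);
if ($metres === null) {
    http_response_code(400);
    exit("metres must be a number\n");
}

// Arithmetic on a validated float needs nothing further...
$centimetres = $metres * 100;

// ...but as soon as a value goes into HTML it is escaped, number or not:
// that way the rule "escape on output" has no exceptions to remember.
echo '<p>' . html((string) $centimetres) . " cm</p>\n";
echo '<p>Name: ' . html($_POST['name']) . "</p>\n";

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$id  = storeMeasurement($db, $_POST['name'], $metres);
$row = $db->query('SELECT name, metres FROM measurements')->fetch(PDO::FETCH_ASSOC);
// The <b> tags and the apostrophe are stored verbatim; they are only data here.
echo "Stored row {$id}: {$row['name']} = {$row['metres']} m\n";

try {
    $subject = safeHeaderValue($_POST['subject']);
    // mail('admin@example.com', $subject, 'body');  // would be called here
    echo "Subject accepted: {$subject}\n";
} catch (InvalidArgumentException $e) {
    echo 'Rejected subject: ' . $e->getMessage() . "\n";
}
```

Run with `php example.php`. With the constructed input above, the calculation is printed as `1250 cm`, the name is shown in the page as literal text rather than bold markup, the same raw name is stored in the database unchanged through the bound parameter, and the subject is rejected because of the embedded CRLF. Each context gets its own treatment at the point of use; no single "cleaning" step up front would have been right for all four.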