Is $_SERVER['QUERY_STRING'] safe from XSS?

Front-end | unresolved | 5 answers | 862 views
面向向阳花 2020-12-18 04:15

I need to construct a form whose action takes you back to the exact same page - GET parameters included. I'm thinking I can say something to the effect of:



        
5 answers
  •  一向 (original poster)
     2020-12-18 04:50

    This is another one of those instances where using PHP's filter_input is the way to go. My IDE NetBeans (hate it or love it) always complains whenever I open code that accesses $_POST, $_GET, $_SERVER and $_COOKIE directly without going through filter_input.

    This is because of the reasons stated above - you're saying that you trust external data, when, if it can be entered or manipulated by users, you cannot.

    // keep only digits and +/- from a POSTed id
    filter_input(INPUT_POST, 'id', FILTER_SANITIZE_NUMBER_INT);
    // read the query string through the filter extension instead of $_SERVER directly
    filter_input(INPUT_SERVER, 'QUERY_STRING', FILTER_SANITIZE_STRING);
    

    Read more here
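As an added example (not part of the original question or answer), here is a self-contained PHP script that contrasts raw interpolation of $_SERVER['QUERY_STRING'] into a form action with two hardened versions. The attacker-style query string and the /search.php path are constructed for the demonstration; run it from the CLI to see the three outputs.

```php
<?php
// Added example (not from the original question or answer): building a form
// action that returns to the current URL with its GET parameters, with the
// query string treated as untrusted attribute content.

declare(strict_types=1);

// Constructed input of the kind that breaks out of a quoted attribute: the
// double quote closes action="..." and the rest becomes an event handler.
// In a real request the web server fills $_SERVER['QUERY_STRING'].
$_SERVER['QUERY_STRING'] = 'page=2&q=x" autofocus onfocus="alert(1)';

// Hypothetical script path used by all three variants.
const SCRIPT_PATH = '/search.php';

// Vulnerable: raw interpolation into an attribute. The double quote in the
// query string terminates the attribute and the payload becomes markup.
function vulnerableAction(): string
{
    return '<form action="' . SCRIPT_PATH . '?' . $_SERVER['QUERY_STRING'] . '">';
}

// Hardened, option 1: escape for the HTML attribute context. ENT_QUOTES
// encodes both quote styles, so neither a single- nor a double-quoted
// attribute can be closed early; & becomes &amp;, which browsers decode
// back to & when submitting the form.
function escapedAction(): string
{
    $qs  = $_SERVER['QUERY_STRING'] ?? '';
    $url = SCRIPT_PATH . ($qs === '' ? '' : '?' . $qs);
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

// Hardened, option 2: do not reuse the raw string at all. Parse it, then
// rebuild it with http_build_query, which percent-encodes every key and
// value so the result contains no characters that are special in HTML.
// The final htmlspecialchars call is defence in depth (it still encodes &).
function rebuiltAction(): string
{
    parse_str($_SERVER['QUERY_STRING'] ?? '', $params);
    $url = SCRIPT_PATH;
    if ($params !== []) {
        $url .= '?' . http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    }
    return '<form action="' . htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">';
}

echo "vulnerable: ", vulnerableAction(), "\n";
echo "escaped:    ", escapedAction(), "\n";
echo "rebuilt:    ", rebuiltAction(), "\n";
```

The first line of output contains a bare `"` followed by `onfocus=`, which is exactly the attribute break-out the question is worried about; the other two do not. The point this adds to the answer above is that the fix has to match the output context: a form action is an HTML attribute, so htmlspecialchars with ENT_QUOTES (or percent-encoding via http_build_query) is the operation that neutralises quotes, whereas FILTER_SANITIZE_STRING strips tags but leaves quotes in place unless extra flags are set, and has been deprecated since PHP 8.1.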
