Why is it better to use filter_input()?

梦谈多话 2020-12-16 11:46

This should be an elementary question, but why is it better to use something like this:

$pwd = filter_input(INPUT_POST, 'pwd');

Instead of jus

3 Answers
  • 2020-12-16 12:10

    It is not better.

    Please see docs on filter_input http://www.php.net//manual/en/function.filter-input.php

    and click the "Types of Filters" link. http://www.php.net/manual/en/filter.filters.php

    I have only ever used the integer filter ...

    $user_id = filter_input(INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT);
    $user = abs($user_id); // To get rid of any +/-
    
  • 2020-12-16 12:12

    It's not. $_GET, $_POST, $_COOKIE and $_REQUEST are filtered with the default filter. filter_input(INPUT_POST, 'pwd') without additional parameters also uses the default filter. So there is no difference at all.

  • 2020-12-16 12:19

    Any data which is sent from the client (such as POST data) should be sanitized and escaped (and even better, sanity-checked) to ensure that it isn't going to kill your website.

    SQL Injection and Cross-site scripting are the two largest threats for failing to sanitize your user-sent data.

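The points made in the answers above, as an added example that is not part of the original thread: the default filter changes nothing, a sanitize filter silently rewrites bad input, a validate filter rejects it, and XSS and SQL injection are handled at output and query time. Assumptions: `filter_var()` stands in for `filter_input()` so the script runs from the CLI, the `comment` field and `notes` table are hypothetical, all sample values are constructed, and the `pdo_sqlite` extension is available.

```php
<?php
// Added example, not code from the thread. filter_var() stands in for
// filter_input() so this runs from the CLI; both apply the same filters.

// Constructed sample values standing in for $_POST. 'comment' is hypothetical.
$post = [
    'pwd'     => "p@ss<w0rd>'",
    'user_id' => '-7 OR 1=1',
    'comment' => "<script>alert(1)</script> it's \"quoted\"",
];

// 1. No filter argument: FILTER_DEFAULT returns the string unchanged
//    (assuming php.ini does not override filter.default).
$pwd = filter_var($post['pwd']);
echo 'default filter changed pwd: ', var_export($pwd !== $post['pwd'], true), "\n";

// 2. Sanitizing drops every character except digits, + and -, then carries
//    on with whatever is left, so a malformed id becomes a different id.
$sanitized = filter_var($post['user_id'], FILTER_SANITIZE_NUMBER_INT);
echo 'sanitized user_id: ', var_export($sanitized, true), "\n";

// 3. Validating rejects the malformed value instead of repairing it.
$userId = filter_var($post['user_id'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
echo 'validated user_id: ', var_export($userId, true), "\n";

// 4. XSS is handled where the value is written into HTML, not at input time.
echo 'html: ', htmlspecialchars($post['comment'], ENT_QUOTES, 'UTF-8'), "\n";

// 5. SQL injection is handled by binding the value, not by filtering it.
//    Hypothetical table "notes" in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');
$stmt = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
$stmt->execute([':body' => $post['comment']]);
$stored = $db->query('SELECT body FROM notes')->fetchColumn();
echo 'stored verbatim: ', var_export($stored === $post['comment'], true), "\n";
```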