Filtering PHP 5 input

I'm starting studying PHP 5 (I always used PHP 4) and for this, I'm building a small (really easy) CMS. I saw in the manual that they added functions to filter vars. My CMS must handle some HTML content for the content of pages. Are these functions (filter_input, filter_var, etc.) with sanitize filters enough? Or do I need to build a deeper custom function?

Yes, it's almost always enough to use them. However, depending on each query you do or each page content you show, keep in mind that not-so-special characters can also cause surprises. Briefly,

  • If you insert into mysql, quote everything and don't let strings contain unhandled quotes. Use mysql_real_escape_string and its friends.
  • If you write into a file, you're safe - mind only what you read back.
  • If you put default values in input fields, watch out for the same quote that you use around the "value" property. Malicious strings will try to close quotes.
  • If you output HTML, use htmlspecialchars to avoid surprises. Greater-sign and ampersand are your enemies if you don't handle them.

Sanitizers will do the rest for you (filtering low characters, etc.).
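A small request handler that applies the answer's rules in order, as an added example that is not part of the answer above. The field names, the `pages` table and the mysqli connection `$db` are assumptions, and mysqli parameter binding stands in for mysql_real_escape_string.

```php
<?php
// Added example (not from the original answer). Assumes a form that posts
// "title" (plain text) and "body" (HTML allowed) and a mysqli link in $db.

// 1. Input: sanitize filters. Tags are stripped from the title; the body
//    keeps its markup but loses control characters (FILTER_FLAG_STRIP_LOW).
//    NO_ENCODE_QUOTES keeps the stored value canonical: encoding happens
//    once, at output, not on the way in (otherwise quotes get double-encoded).
$title = filter_input(INPUT_POST, 'title', FILTER_SANITIZE_STRING,
                      FILTER_FLAG_STRIP_LOW | FILTER_FLAG_NO_ENCODE_QUOTES);
$body  = filter_input(INPUT_POST, 'body', FILTER_UNSAFE_RAW, FILTER_FLAG_STRIP_LOW);
if ($title === null || $body === null || $title === false || $body === false) {
    die('missing or invalid fields');
}

// 2. Database: never interpolate the strings into SQL. Binding parameters
//    does the quoting the answer asks for; mysql_real_escape_string plus
//    explicit quotes around every value is the equivalent for the old API.
$stmt = $db->prepare('INSERT INTO pages (title, body) VALUES (?, ?)');
$stmt->bind_param('ss', $title, $body);
$stmt->execute();

// 3. Default values in input fields: ENT_QUOTES encodes both ' and ", so a
//    value containing the attribute's own quote character cannot close it.
function attr($s) { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// 4. Page text: <, > and & become entities, so data never becomes markup.
function text($s) { return htmlspecialchars($s, ENT_NOQUOTES, 'UTF-8'); }
?>
<form method="post">
  <input name="title" value="<?php echo attr($title); ?>">
  <textarea name="body"><?php echo text($body); ?></textarea>
</form>
<h1><?php echo text($title); ?></h1>
```

The body is echoed only inside the textarea, escaped; rendering stored user HTML directly on a page needs an allow-list HTML filter (for example HTML Purifier), which filter_var's sanitize filters do not provide.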