I'm validating a POST request variables and I used to do like this:
$email = htmlentities($_POST['email']);
But now I searched and learned about filter_var and I'm doing the validation like this:
$email = filter_var(htmlentities($_POST['email']), FILTER_SANITIZE_EMAIL);
Which way is better? and for all types of input [phone - string - etc ..] What I have to use?
Sorry I'm a beginner and I've looked into the manual but I could't understand a lot.
Thanks for help.
Only use the following line for emails:
filter_input(INPUT_POST, "email", FILTER_SANITIZE_EMAIL);
This will correctly remove illegal chracters from an email character (such as ; and keep legal ones such as & or +
Using htmlentities may turn a legal email address to an illegal one which FILTER_SANITIZE_EMAIL will then break.
If you are dealing with user input for labels or descriptions then you can store said input normally (using prepared statements to allow the DB to escape the input correctly) and use htmlentities when displaying it on the page. Alternatively you can use:
filter_input(INPUT_POST, "description", FILTER_SANITIZE_STRING);
This the string sanitize filter strips tags.
You can check more filters at : http://php.net/manual/en/filter.filters.sanitize.php