Is it secure to call __construct() in login or sign up class this way:
function __construct(PDO $DBH, $_POST['1'], $_POST['2'])
{
$this->_user=$_POST['1'];
$this->_pass=$_POST['2'];
$this->_DBH=$DBH;
}
I want to sanitize user input later inside this class and I'm not sure would my code be ripe for SQL injection or XSS because of class costructed with raw POST input?
If you know you sanitize/use prepared statements (i.e. the raw POST data is not inserted as is to the query), it's fine to do so.
In fact, if you use prepared statements, you don't need to sanitize your input at all (for SQL, if you're going to display the data as HTML, it still needs to be sanitized as such).
It's never a good idea not to parse user input. Whenever a user inputs something you should check the input.
I always htmlentities($value, ENT_QUOTES);, just to be on the safe side.
Use prepared statements, and never trust user input.
This isn't where you should be worried about injection attacks. SQL injection prevention generally amounts of sanitizing inputs; XSS prevention generally amounts to various forms of output encoding. Neither of these is necessarily related to the internal representation of your data (the value of the variable itself).
As others have mentioned, the use of prepared statements (PDO and PDOStatement) will perform the necessary SQL injection escaping automatically. Ultimately, though, because the appropriate transformation varies based on how you're using the data, you should generally do this mitigation at the time of use.
Copying non-sanitized data from one variable into another variable isn't going to make a difference; this is not what SQL injection / XSS is about.
It's about applying appropriate escaping (or rather, avoid no escaping) when those variables are being used. Your risk of SQL injection are greatly mitigated by simply using prepared statements; escaping output to prevent XSS is still necessary though :)