PHP input Filtering using New 5.2, Want to change from $_POST/GET, how to sanitize these?

Question

I want to use the new PHP 5 > input filtering to sanitize and validate posted data, I understand how to use the filter_input function. But I dont understand exactly what I need to sanitize data for database insertion & sending an email.

Basically, I want to sanitize my data (Not validate, I understand how to do this), so that it is safe for me to handle in my backend (ie: prevents sql injection, XSS etc).

Lets say im doing this:

// What do I need to do to sanitize this data for SQL as best as possible.
$var = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, array()); //Validate Example

Here is a Link to the PHP filter documentation. Kinda confused with so many types! Out of these, which filters do I need to use to escape ALL dangerous data. And I assume I use them in the same way as above. Is this correct?

So basically.. How do I sanitize ALL dangerous data using the new filter_input function, which of the filters from here do I need?

Answer 1

I believe this has been asked multiple times before.

SQL injection can be prevented if you use prepared statements.

To prevent XSS you should not display at HTML input by users (eg convert them to HTML entities via FILTER_SANITIZE_SPECIAL_CHARS or otherwise) or aggressively whitelist tags if you want to allow HTML.

Answer 2

Using PDO or a mysql escape string function will sanitize you against these.

If you have a number e.g. an ID I always cast it using intval so if it's anything other than a number it will be 0.