PHPEnthusiast
  1. o. o That doesn't make any sense whatsoever, because now you're going against your own words. The words you typed up yourself, straight from your post. Run these lines and tell me what you get, or better yet, I'll save you the time (being lazy) and show you the results: the difference between running code that has no classes and objects vs. running code with classes and objects.

     Without class, with PDO:

     var_dump(new PDO('mysql:host=localhost;dbname=sample', 'root', 'root'));

     The line above outputs

     object(PDO)#1 (0) { }

     which is still calling the database.

     With class:

     class Connection {
         private function connections() {
             var_dump(new PDO('mysql:host=localhost;dbname=test', 'root', 'root'));
         }
     }

     The line above outputs

     With MySQLi, without class:

     var_dump(new mysqli('localhost', 'root', 'root', 'sample'));

     The line above outputs

     object(mysqli)#1 (19) {
       ["affected_rows"]=> int(0)
       ["client_info"]=> string(75) "mysqlnd _._.__ - ________ - $Id: b0b3b15c693b7f6aeb3aa66b646fee339f175e39 $"
       ["client_version"]=> int(50010)
       ["connect_errno"]=> int(0)
       ["connect_error"]=> NULL
       ["errno"]=> int(0)
       ["error"]=> string(0) ""
       ["error_list"]=> array(0) { }
       ["field_count"]=> int(0)
       ["host_info"]=> string(20) "localhost via TCP/IP"
       ["info"]=> NULL
       ["insert_id"]=> int(0)
       ["server_info"]=> string(6) "_._.__"
       ["server_version"]=> int(_____)
       ["stat"]=> string(135) "Uptime: 22139 Threads: 1 Questions: 1596 Slow queries: 0 Opens: 173 Flush tables: 1 Open tables: 0 Queries per second avg: 0.072"
       ["sqlstate"]=> string(5) "00000"
       ["protocol_version"]=> int(10)
       ["thread_id"]=> int(936)
       ["warning_count"]=> int(0)
     }

     With classes:

     class Connection {
         private function connections() {
             var_dump(new mysqli('localhost', 'root', 'root', 'sample'));
         }
     }

     The line above outputs

     This means that the database connection will never be called if the class hasn't been called yet. Putting your code outside of the root folder puts more effort on you.

     The reason I said you are going against yourself is that PHP in general has classes, objects, and methods built in, so I'm not sure why you are putting your code outside of the root folder just to protect it from direct access. Also, what I meant by lazy is that the stuff you should be using, you don't, but the stuff that wasn't meant for this, you're putting more effort into. Sorry to anyone reading this; I went off-topic there. Back on topic, I'm still looking for some answers as to whether I should be using htmlspecialchars or filter_input.
  2. Great reply. Aren't all of your replies just criticizing everyone's ideas? It doesn't help anyone if all you have are negative responses. Off-topic: also, your reply in the singleton topic is a bad example of a programmer. Your idea is putting the database connection, such as $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); into a file and then including it throughout the whole website. This is a lazy idea for programmers. If someone were to access your database connection file, it would still be executed, because the line $connection = new PDO('mysql:host=localhost;dbname=sample', $user, $pass); runs as a true statement if the connection does not fail. This means people can access your database if they really knew how to, because the command lines are still executing. Since others are smart and want singletons, classes, and methods, they avoid this mess, and their database connections are only called when their singletons, classes, and methods are called. The only way to execute a class is to call it in your code. If someone were to access your file directly, the classes will not be called.
  3. When sanitizing user inputs, if I'm already using htmlspecialchars around user inputs, do I still need to use the filter_input functions, or do I need to stop using htmlspecialchars and start using filter_input? While I was looking through the PHP manual for filter_input, it basically has htmlspecialchars and more, but do I really need all of that? I'm just escaping what the user has put in for any type of user-based input like $_GET and $_POST. Mostly I'm looking to escape any bad characters that the user has put in when they're really not supposed to be there. For $_GET, I'm using filter_var($var, FILTER_SANITIZE_URL); so if a user types something like <script>alert("XSS")</script> into the input field, it would just be output like this: <script>alert("XSS")</script>
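The question above conflates two different jobs: filter_var sanitizing/validating what comes in, and htmlspecialchars escaping what goes out into HTML. The following is an added example, not code from the thread, run on the poster's own <script> input; it assumes PHP 7+ and uses constructed request values in place of $_GET.

```php
<?php
declare(strict_types=1);

// Constructed stand-ins for $_GET values (not real request data).
$request = [
    'q'    => '<script>alert("XSS")</script>',
    'page' => '42abc',
    'link' => 'https://example.com/?a=1&b=<b>',
];

/** Escape a string for an HTML text node or a quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES escapes both quote styles (so the value is safe inside attributes),
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 1. Sanitizing is not escaping: FILTER_SANITIZE_URL only removes characters
//    that are illegal in a URL, so the script tag comes back unchanged.
$sanitized = filter_var($request['q'], FILTER_SANITIZE_URL);
echo $sanitized, PHP_EOL;   // <script>alert("XSS")</script>

// 2. Escaping at output time makes the same input inert inside HTML.
echo escapeHtml($request['q']), PHP_EOL;
// &lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;

// 3. Validation (not sanitizing) is the right tool for typed input: it rejects
//    a bad value instead of silently rewriting it into something else.
$page = filter_var($request['page'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($page === false) {
    echo 'page is not a positive integer, reject the request', PHP_EOL;
}

// 4. Validate the URL, allow only http/https, and still escape it when
//    it is placed into an attribute; validation and escaping are both needed.
$link = filter_var($request['link'], FILTER_VALIDATE_URL);
$scheme = $link === false ? null : strtolower((string) parse_url($link, PHP_URL_SCHEME));
if ($link !== false && in_array($scheme, ['http', 'https'], true)) {
    echo '<a href="' . escapeHtml($link) . '">link</a>', PHP_EOL;
    // <a href="https://example.com/?a=1&amp;b=&lt;b&gt;">link</a>
}
```

In short: validate with filter_var/filter_input when the input arrives, and escape with htmlspecialchars at the exact point the value is written into HTML; one does not replace the other.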