I strongly disagree with this article, unless you're stuck on PHP 4 or 5.1. The modern (and recommended) way to validate user input is through the filter_input() function, which has a very nice set of sanitization and validation rules, with no need of isset() or empty() calls.
Another issue IMHO is putting vars directly inside a SQL query: you should use prepared statements, removing any SQL injection possibility altogether. You can sure use mysqli, but its management of prepared statements is quite clumsy: it's WAY better using PDO, which has a very nice interface. And you gain in portability: if you use standard SQL features you can freely switch database server (e.g.: use MySQL in production and an in-memory SQLite for unit tests).
That said, there are TONS of validation libraries in the wild, and HUNDREDS of libraries for DB abstraction. And no, I don't believe that you're struggling for performance so much: the overhead of some third-party library is surely worth the security gain.
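An added example illustrating the two points in the comment above (filter-based validation and PDO prepared statements); this is not code from the article or the commenter. It assumes PHP 7 or later with the pdo_sqlite extension, uses filter_var() with the same filter constants as filter_input() so it runs from the command line, and the table rows and inputs are constructed for the demo.

```php
<?php
// Added example, not from the original thread: validate input with the filter
// extension, then query through PDO prepared statements against an in-memory
// SQLite database (the kind of setup the comment suggests for unit tests).
declare(strict_types=1);

// --- 1. Validation with the filter extension ---------------------------------
// In a web request you would write
//   filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
// filter_var() applies the identical rules to an explicit value, which keeps
// this file runnable without an HTTP request.
function validateUserId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;   // false means "not a valid positive integer"
}

function validateEmail($raw): ?string
{
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// --- 2. PDO with prepared statements ------------------------------------------
function openTestDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Ask for native (driver-side) parameter binding rather than PHP-side emulation
    // where the driver supports it.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, email TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    // Constructed sample rows; the apostrophe in the second name is deliberate.
    foreach ([['Alice', 'alice@example.com'], ["O'Brien", 'obrien@example.com']] as [$n, $e]) {
        $ins->execute([':name' => $n, ':email' => $e]);
    }
    return $pdo;
}

// Hardened: the user-supplied name travels as a bound parameter, never as SQL text,
// so a quote inside it is just data.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// For contrast only: string concatenation, the pattern the comment objects to.
// The apostrophe in O'Brien terminates the SQL literal early, and with
// ERRMODE_EXCEPTION the resulting syntax error surfaces as a PDOException.
function findUserByNameUnsafe(PDO $pdo, string $name): ?array
{
    $row = $pdo->query("SELECT id, name, email FROM users WHERE name = '$name'")
               ->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = openTestDb();

var_dump(validateUserId('42'));           // accepted as an integer
var_dump(validateUserId('42 OR 1=1'));    // rejected before it can reach any query
var_dump(validateEmail('not an email'));  // rejected

print_r(findUserByName($pdo, "O'Brien")); // the prepared statement finds the row

try {
    findUserByNameUnsafe($pdo, "O'Brien");
} catch (PDOException $e) {
    echo 'Concatenated query failed: ' . $e->getMessage() . PHP_EOL;
}
```

Run it with php on the command line. The validators return null for anything that is not a positive integer or a well-formed address, the prepared lookup returns the O'Brien row intact, and the concatenated lookup fails on the same input, which is the behavioural difference prepared statements buy you.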
Thanks Franco for your comment, I really appreciate it! I will actually be working on an existing PHP 4 codebase, so it's funny you recognized that. I realize now I should also add a caveat to this post to that effect. I also appreciate the recommendations in regards to PDO.
I'm really sorry for you: it's almost 10 years since PHP 4 reached its end-of-life. Maintaining such an old environment should be forbidden by the United Nations :-D
I'll let you bring that up to a vote in the UN General Assembly! :)