I wanted to clarify two points about filtering.

1) Should the user's submitted PASSWORD be filtered?
(After all, we hash it anyway; is there a vulnerability if it is not filtered?)

2) Should data from the session be filtered?
(To me this seems pointless, but I am asking anyway, paranoia and all that)

  • No filtering is needed. Escaping is needed. - Indifferent
  • What should be escaped, the password and/or the session? And why? And why should the original password be escaped (if the password is) when it is never displayed on the screen? - Wiet
    Escape the data that arrives in the request as variables. You never know where a special character will slip through. In general, it is time to switch to PDO: with proper use, you can think less about SQL injection. - Indifferent
  • Normal data, such as the login, I do escape. But is it needed for the password, if I am hashing it? And does this apply to sessions at all? - Wiet
  • As an option: $sql = "SELECT * FROM table WHERE a = '" . $_SESSION["a"] . "'"; $_SESSION["a"] = "'"; And with hashes things are not always smooth either: there are many algorithms. - Indifferent

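The session-value breakage from the last comment, placed next to the PDO prepared-statement version and the hash-on-write/verify-on-read handling of the password, as an added example that is not code from the thread. It assumes the pdo_sqlite extension is available for an in-memory database; the users table and its columns are made up for the illustration.

```php
<?php
// Added example, not from the thread. In-memory SQLite via pdo_sqlite (assumed
// available) so it runs offline; the users table is a constructed stand-in.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (login TEXT, pass_hash TEXT)");
// Passwords are stored hashed, never raw; the write also goes through a prepared statement.
$ins = $db->prepare("INSERT INTO users (login, pass_hash) VALUES (?, ?)");
$ins->execute(['alice', password_hash('secret', PASSWORD_DEFAULT)]);

// Constructed stand-in for the session holding the single quote from the comment.
$_SESSION = ['a' => "'"];

// 1) As in the comment: the session value is glued into the SQL text, so a stray
//    quote becomes part of the statement instead of data (here: a syntax error).
function lookupConcatenated(PDO $db, string $a): string
{
    $sql = "SELECT * FROM users WHERE login = '" . $a . "'";
    try {
        $db->query($sql);
        return 'query ran';
    } catch (PDOException $e) {
        return 'broken query: ' . $e->getMessage();
    }
}

// 2) PDO prepared statement: the value travels separately from the SQL, so neither
//    session data, nor login, nor password needs any escaping for the query.
function lookupPrepared(PDO $db, string $login): ?array
{
    $stmt = $db->prepare("SELECT login, pass_hash FROM users WHERE login = ?");
    $stmt->execute([$login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The password itself is never escaped or compared as text: verify against the hash.
// password_verify reads the algorithm from the stored hash, which addresses the
// "many algorithms" remark when the default hash changes between PHP versions.
function checkPassword(PDO $db, string $login, string $password): bool
{
    $row = lookupPrepared($db, $login);
    return $row !== null && password_verify($password, $row['pass_hash']);
}

echo lookupConcatenated($db, $_SESSION['a']), PHP_EOL; // the quote breaks the statement
var_dump(lookupPrepared($db, $_SESSION['a']));         // the quote is just data: no row
var_dump(checkPassword($db, 'alice', 'secret'));
var_dump(checkPassword($db, 'alice', 'wrong'));
```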