I am reading about FILTER_SANITIZE_STRING being deprecated, so I am looking for the best option to filter inputs for security reasons, to prevent MySQL injection and XSS injection too.
My users will only send plain text on my website so I don't need to store any symbols or html at all.
Here is how I have been taking care of the security so far:
$mail->Subject=filter_input(INPUT_POST,'message',FILTER_SANITIZE_STRING);
but it is now deprecated.
I see a lot of opinions and ways to secure the site against injections. I already use prepared statements with bind params/execute but I want to feel safe with the user inputs.
My question is:
Is it ok to filter using both filter_input together with htmlspecialchars like this?
$mail->Subject=filter_input(INPUT_POST,'subject',htmlspecialchars);
Or what would you recommend?
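The following is an added example, not the asker's code, showing the pattern the question is circling around: take the field raw (FILTER_UNSAFE_RAW is the documented replacement for FILTER_SANITIZE_STRING), validate it as plain text, let a prepared statement handle SQL, and encode for HTML only when printing. It assumes PHP 8.x with the PDO, pdo_sqlite and mbstring extensions; the table `messages`, the helper names and the sample inputs are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Added example (not the asker's code). Assumes PHP 8.x with PDO, pdo_sqlite
// and mbstring. The table `messages`, the helper names and the sample inputs
// below are hypothetical / constructed.

/**
 * Replacement for FILTER_SANITIZE_STRING on plain-text fields: accept the
 * raw value, then validate (UTF-8, no control characters, length cap).
 * Nothing is HTML-encoded here; encoding belongs at the output layer.
 */
function cleanText(mixed $raw, int $maxLen): ?string
{
    if (!is_string($raw) || !mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // Strip ASCII control characters. CR and LF matter most: a subject that
    // ends up in a mail header must not be able to start a new header line.
    $clean = trim(preg_replace('/[\x00-\x1F\x7F]/u', '', $raw));
    if ($clean === '' || mb_strlen($clean, 'UTF-8') > $maxLen) {
        return null;
    }
    return $clean;
}

/** Read a POST field with no sanitizing filter applied, then clean it. */
function postText(string $key, int $maxLen): ?string
{
    // FILTER_UNSAFE_RAW (alias FILTER_DEFAULT) returns the string as sent,
    // null if the field is absent.
    return cleanText(filter_input(INPUT_POST, $key, FILTER_UNSAFE_RAW), $maxLen);
}

/** HTML-context encoder, applied when the value is printed, not when stored. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * SQL injection is prevented by the placeholder, not by the filter: the
 * value is bound separately from the statement text.
 */
function storeMessage(PDO $pdo, string $subject, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO messages (subject, body) VALUES (:subject, :body)');
    $stmt->execute([':subject' => $subject, ':body' => $body]);
    return (int) $pdo->lastInsertId();
}

// Demo on constructed input. SQLite in memory is used so this runs offline;
// for MySQL only the DSN changes, e.g. 'mysql:host=...;dbname=...;charset=utf8mb4'
// (and PDO::ATTR_EMULATE_PREPARES => false is worth setting there).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT, body TEXT)');
$readBack = $pdo->prepare('SELECT subject FROM messages WHERE id = ?');

$samples = [
    "Hello' OR 1=1 --",                              // SQL injection attempt
    "<script>alert(1)</script> order #42",           // XSS attempt
    "Re: invoice\r\nBcc: attacker@example.invalid",  // mail header injection attempt
    "\x00\x01",                                      // nothing but control chars
];
foreach ($samples as $raw) {
    $subject = cleanText($raw, 200);
    if ($subject === null) {
        echo "rejected\n\n";
        continue;
    }
    $id = storeMessage($pdo, $subject, 'body text');
    $readBack->execute([$id]);
    $stored = $readBack->fetchColumn();
    // Stored as typed (minus control characters): the quote and the <script>
    // text are plain data until an interpreter sees them, so each output
    // context gets its own encoding at output time.
    printf("stored: %s\nhtml:   %s\n\n", $stored, h($stored));
}
```

Two notes on the line proposed in the question. A bare `htmlspecialchars` as the third argument of `filter_input` is read as an undefined constant, not as a callback; the filter that takes a function is `FILTER_CALLBACK`, as in `filter_input(INPUT_POST, 'subject', FILTER_CALLBACK, ['options' => 'htmlspecialchars'])`. Doing that, however, HTML-encodes at input time, so a template that encodes again double-encodes, and HTML encoding is the wrong control for a mail subject anyway; what a subject needs is the CR/LF removal shown in `cleanText`.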