$username = trim(filter_var($_POST['username'], FILTER_SANITIZE_STRING, FILTER_FLAG_STRIP_LOW));
$password = trim($_POST['password']);
Am I supposed to filter the username before using the input in a query execution? I also do not know if I should use filter_var or filter_input in this situation. I’ve also read that control characters should be filtered from input (hence the use of FILTER_FLAG_STRIP_LOW). I don’t think that a password should be filtered because it could mess up the input, correct? But what if the password contains executable code? Does a PDO prepared statement really thwart the attempt?
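The following is an added example, not part of the original question: it shows a PDO prepared statement binding a username and password that contain SQL metacharacters and markup, with the username validated rather than rewritten and the password only hashed. It assumes the pdo_sqlite extension; the `users` table, its columns, the 64-byte length limit and the sample inputs are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Table/column names and sample inputs are constructed.
// Assumes the pdo_sqlite extension so it runs offline with an in-memory DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $pdo, string $username, string $password): void
{
    // Validate the username (hypothetical rules: non-empty, at most 64 bytes,
    // no control characters) and reject on failure instead of rewriting it.
    $username = trim($username);
    if ($username === '' || strlen($username) > 64
        || preg_match('/[\x00-\x1F\x7F]/', $username)) {
        throw new InvalidArgumentException('invalid username');
    }
    // The password is passed through unmodified: it is only hashed, never
    // interpolated into SQL and never evaluated as code.
    $stmt = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    // The bound value travels separately from the SQL text, so quotes and
    // comment markers in it are compared as literal characters.
    $stmt = $pdo->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($username)]);
    $hash = $stmt->fetchColumn();
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs containing quotes, comment markers and markup.
$name = "o'brien; --";
$pass = "p'ss\"word; -- <b>x</b>";

register($pdo, $name, $pass);
var_dump(login($pdo, $name, $pass));        // the registered credentials
var_dump(login($pdo, "' OR '1'='1", 'x'));  // treated as an ordinary, unknown username
var_dump((int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn()); // rows in the table afterwards
```

Binding protects the query only; a username that is later printed into HTML still needs output escaping such as `htmlspecialchars()` at that point.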