I will try to phrase this question appropriately. I have never really thought about it properly, so I just wanted to get some clarification to wrap my head around it.
When you are passing variables into a function, is it the same as using quotes and typing the data in, or is it safer to pass everything as a variable? Here's an example of what I mean:
$foo = "bar";          // variable holding a literal
some_function($foo);   // some function (placeholder name; the original used the reserved word "function")

// Is this the same as
some_function("bar");

// Likewise, if I pass
$foo = $_POST['bar'];  // request data, attacker-controlled
some_function($foo);
Can this be escaped in the POST input by adding )
or a combination of backslashes? Is it safer to always use variables instead of putting them in directly?
By using the following on a username field:
$var = trim($_POST['username']);
$var = preg_replace('/[^0-9a-zA-Z]/',"",$var);
I technically should be safe to trust that variable in things like databases and sensitive areas (of course using prepared statements when possible), but it can't be escaped and interact with the PHP, correct? I always like to write my applications as securely as possible, even though they most likely will never be seen by the general public, but one can never be too safe.
I know for a fact, using the example above, that the field should only contain alphanumeric sequences with no spaces or special characters, so I just want to be certain I am doing this properly and that, by passing it as $var
through all my functions, it is safe and cannot interact with the functions themselves.
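Added example (not code from the original question) illustrating the three points asked about: a callee cannot distinguish a value passed via a variable from the same value written as a literal, characters such as ) or \ in request data arrive as plain bytes and never alter the already-parsed PHP code, and the alphanumeric whitelist from the question combined with a prepared statement. The function names describeArgument() and sanitizeUsername(), the constructed $fakePost array (used instead of a live $_POST) and the in-memory SQLite table are assumptions made for this example; running it requires the pdo_sqlite extension.

```php
<?php
// Added example, not part of the original question.
// Assumptions: describeArgument()/sanitizeUsername() are illustrative names,
// $fakePost is constructed sample data standing in for $_POST, and the
// SQLite in-memory database needs the pdo_sqlite extension.
declare(strict_types=1);

function describeArgument(string $value): string
{
    // By the time this runs, PHP has finished parsing the source file.
    // Whatever $value contains (quotes, parentheses, backslashes) is data;
    // it cannot close the call or inject code into this function.
    return sprintf('received %d bytes: %s', strlen($value), var_export($value, true));
}

// 1. Literal versus variable: identical from the callee's point of view.
$foo = "bar";
var_dump(describeArgument($foo) === describeArgument("bar")); // bool(true)

// 2. Constructed hostile request data (no real $_POST is read here).
//    The double-quoted "\\" is a single backslash at run time.
$fakePost = ['username' => "alice'); DROP TABLE users; --\\"];
echo describeArgument($fakePost['username']), PHP_EOL;
// The ) and \ show up unchanged inside the string; nothing is "escaped" into PHP.

// 3. Whitelist exactly as in the question: keep only [0-9a-zA-Z].
function sanitizeUsername(string $raw): string
{
    $trimmed = trim($raw);
    return preg_replace('/[^0-9a-zA-Z]/', '', $trimmed);
}

$username = sanitizeUsername($fakePost['username']);
echo $username, PHP_EOL; // aliceDROPTABLEusers

// Still use a placeholder: the whitelist constrains the data's shape,
// the prepared statement keeps data and SQL structure separate regardless.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice')");

$stmt = $pdo->prepare('SELECT COUNT(*) FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
echo 'matches: ', $stmt->fetchColumn(), PHP_EOL; // matches: 0

// Contrast: what string concatenation of the raw value would have produced.
// Built and printed only, never executed.
$unsafeSql = "SELECT COUNT(*) FROM users WHERE username = '" . $fakePost['username'] . "'";
echo $unsafeSql, PHP_EOL;
```

The point the example makes is that the danger is never in the PHP function call itself: data only becomes code when the program explicitly treats it as code (eval(), include/require of a user-controlled path, or calling a variable as a function name) or when it is concatenated into another language's text, such as SQL, a shell command or HTML. The whitelist removes every character that could be special in those contexts, and the prepared statement makes the query safe even if the whitelist is later relaxed.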