This should be a elementary question but why is better to use something like this:
$pwd = filter_input(INPUT_POST, 'pwd');
Instead of just:
$pwd = $_POST['pwd'];
PS: I understand that the filter extension can be used with more arguments to provide an additional level of sanitization.
It's not. $_GET, $_POST, $_COOKIE and $_REQUEST are filtered with default filter. filter_input(INPUT_POST, 'pwd') without additional parameters also uses the default filter. So there is no difference at all.
filter_input vs. htmlspecialchars and noticed this appears to be outdated. Most PHP configurations do not filter this data anymore, the link you post even has the default configuration value set as "unsafe_raw"
"unsafe_raw", but that doesn't change the fact that using filter_input without filter parameter does not give you any additional level of security.
Any data which is sent from the client (such as POST data) should be sanitized and escaped (and even better, sanity-checked) to ensure that it isn't going to kill your website.
SQL Injection and Cross-site scripting are the two largest threats for failing to sanitize your user-sent data.
It is not better.
Please see docs on filter_input http://www.php.net//manual/en/function.filter-input.php
and click the "Types of Filters" link. http://www.php.net/manual/en/filter.filters.php
I have only ever used the integer filter ...
$user_id = filter_input(INPUT_POST, 'user_id', FILTER_SANITIZE_NUMBER_INT);
$user = abs($user_id); // To get rid of any +/-
