
So I have been working on an API for a little side project and all the user input won't be directly used for SQL or displayed to the users, so do I need to sanitize it? If I do, what should I do exactly?

I am currently checking to make sure if they are integers, strings, arrays, etc., but other than that is there anything else I need to do?

Rambomst
  • for database use, you don't really need to sanitize data if you use [parametrized statements](http://stackoverflow.com/questions/60174/how-to-prevent-sql-injection-in-php/60496#60496) – mvp Jun 05 '13 at 11:06
  • You weigh up the risk of what could happen and how likely it is. Security.stackexchange.com will likely have good answers on this topic. – Preet Sangha Jun 05 '13 at 11:07
  • Ideally, you distrust and sanitise everything that comes from userland.. and everything else, you still take with a pinch of salt and consider it sanitisable where possible – Pudge601 Jun 05 '13 at 11:09
  • Okay, so if the data coming in won't be put into an SQL query or have the possibility of being displayed to the user I should still sanitize it anyway? – Rambomst Jun 05 '13 at 11:12
  • What are you planning to do with these user inputs? – Passerby Jun 05 '13 at 11:16
  • Most of the user input is being sent off to another external API. Some of it is being used in switches/if statements. A very small portion is used for a session key. – Rambomst Jun 05 '13 at 11:20
  • @Rambomst For external API, follow the API's requirement; for switch/if statements, it should be safe if you're only using them for comparison; for session key (array key), just make sure it's a valid string/integer. At a first glance, your usage is quite "safe". If you're still unsure, update the question with some example/demonstration. – Passerby Jun 05 '13 at 11:32

1 Answer


The question is always for what purpose? If you just take values you get from a user and you don't do anything with them (you just store and display them), then there's nothing to sanitize. If you let those values "actively do" something, you may want to sanitize them to avoid them doing something you don't like.

For instance, you accept HTML input from a user and want HTML formatted content, but you want to avoid XSS problems; in this case you will want to selectively remove HTML elements, i.e. you want to sanitize the input.

// some HTML is allowed, but not everything
echo remove_unwanted_html_elements($_POST['content']);

If OTOH you do not allow HTML input to be interpreted anyway, i.e. whatever the user posts is just displayed literally back to him without any of it being interpreted as HTML, then you do not need to sanitize anything. You may just need to escape the content according to its target format.

// don't care what the user enters, just display it right back as is
echo htmlspecialchars($_POST['content']);

Sanitization is only relevant if you evaluate the value in some not entirely predictable way. Sanitization means to take a value and change it into something else, typically removing something from it. This must be very targeted and purposeful since it can be a very error prone operation; you don't just sanitize data somehow just because. The other alternative is simple validation, i.e. checking that a value conforms to expected norms and otherwise rejecting it outright.

Even taking a supposed number entered by the user and casting it to an int is a very simple form of sanitization; it's effective since it means you are guaranteed to get a harmless number, but that number may or may not have anything to do with the value the user submitted. Validation may be the better option here.

deceze
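The answer above separates three operations that are easy to blur together: validation (accept or reject), sanitization (alter the value) and escaping (encode for the output format), and the comment thread adds the parametrised-statement and switch/array-key cases. The following is an added example, not code from the question, the answer or any library, that puts each of those side by side on constructed request data. It assumes PHP 8 with the pdo_sqlite extension; the function names, the action allow-list and the `$request` array are this example's own inventions.

```php
<?php
// Added example: validation vs. escaping vs. parametrised SQL, on constructed input.
// Nothing here is from the original question or answer; all names are hypothetical.
declare(strict_types=1);

// --- Validation: accept or reject, never "repair" the value ---------------------
// The answer warns about (int) casts: (int)"12abc" silently becomes 12.
// FILTER_VALIDATE_INT instead rejects anything that is not a whole integer in range.
function validateQuantity(mixed $raw): ?int
{
    $n = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000],
    ]);
    return $n === false ? null : $n;
}

// A value that drives a switch/if: compare strictly against a fixed allow-list
// (constructed list), so only the exact expected strings get through.
const ALLOWED_ACTIONS = ['list', 'create', 'delete'];

function validateAction(mixed $raw): ?string
{
    return (is_string($raw) && in_array($raw, ALLOWED_ACTIONS, true)) ? $raw : null;
}

// A user-supplied value used as an array key (the "session key" case from the
// comments): insist on a short string from a fixed character set.
function validateSessionKey(mixed $raw): ?string
{
    return (is_string($raw) && preg_match('/\A[A-Za-z0-9]{8,64}\z/', $raw) === 1) ? $raw : null;
}

// --- Escaping: keep the value as-is, encode it for the target format (HTML) ------
function renderComment(string $text): string
{
    // ENT_QUOTES also encodes single quotes, so the output is safe inside
    // attribute values delimited by either quote character; ENT_SUBSTITUTE
    // replaces invalid UTF-8 sequences instead of returning an empty string.
    return '<p>' . htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// --- Database: a parametrised statement needs no escaping of the value at all ----
function findUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Demonstration on a constructed request (stands in for $_POST) ---------------
$request = [
    'qty'     => '12abc',
    'action'  => 'delete; DROP TABLE users',
    'session' => 'abc123XYZ',
    'comment' => '<script>alert(1)</script> O\'Brien said "hi"',
];

var_dump((int) $request['qty']);                   // the cast "sanitises" to a number
var_dump(validateQuantity($request['qty']));       // validation rejects the same input
var_dump(validateAction($request['action']));      // not in the allow-list
var_dump(validateSessionKey($request['session'])); // matches the key pattern
echo renderComment($request['comment']), PHP_EOL;  // markup shown literally, not interpreted

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
var_dump(findUser($db, "alice' OR '1'='1")); // whole string is one bound value: no match
var_dump(findUser($db, 'alice'));            // the real row
```

The design choice follows the answer's last paragraph: where the value has a known shape (a quantity, an action name, a key), validate and reject rather than coerce, because a coerced value may no longer mean what the user sent; where the value is free text, leave it untouched and escape it at the point of output; and where it goes into SQL, bind it as a parameter so the database never parses it as query text.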