
Let's say I have an index.php file and some $_GET variables. After a few hundred lines of code I call a method with the variables as parameters.

Should I validate the variables on top of everything, or should I validate them inside the class/method I call?

Two things in mind:

  1. Avoiding validating the variables multiple times, everywhere.

  2. Having multiple sources, not only $_GET, and multiple calls to such a method from different files.

Some code:

<?php
function do_something($string) {
    // Validate $string here?
}

// ...or here, before using it?
$result = do_something($_GET['some_string']);
Daniel W.

4 Answers


This is a question where no standard solution is possible. You could write yourself a helper class (I recommend this, since it is the solution with the least maintenance and the best flexibility) which is called at the very beginning of your index.php file, as some kind of "contract", like:

<?php
require_once "validator.php";

$validator = new Validator();
$validated = $validator->validateGet($_GET);

// all the remaining site's php code goes here

?>

This class could return anything you want, such as a boolean indicating whether every variable is okay or not, or an array containing the values with tags removed, etc.

Another barrier against cross site scripting and/or SQL injection should be prepared statements: http://php.net/manual/de/pdo.prepared-statements.php All your SQL queries should also be contained in an external utilities class called ProductDataAccessObject (ProductDAO) or ProductQuerier, etc., which is also for structural/maintenance reasons. But there's no rule that says "you must validate your variables at the very beginning or at time of use".

Stefano L

Validate at the very first point where you receive $_GET, at the entry level, so that you can be sure about the code below at later stages as well:

// Validate $_GET['some_string'] HERE
$result = do_something($_GET['some_string']);

If you validate here -

function do_something($string) {
    // Validate $string here?
}

then there is a possibility that you miss the validation and it will open a loophole in the code, as validation is available only to the method this time.

If you are setting some values for the database, it is a good practice to double check the data and make it safe from code injections.

swapnesh

You can validate every single variable at the top of the page with one line:

// mysqli_real_escape_string() needs the connection as its first argument, so wrap it (assumes an open connection in $mysqli)
$_GET = array_map(function ($v) use ($mysqli) { return mysqli_real_escape_string($mysqli, $v); }, $_GET);

array_map applies one function to every value of an array, which in our case means applying mysqli_real_escape_string to the array $_GET.

IMPORTANT:

Please note this is only for sanitization and not validation.

You need to validate every variable on your own; for example, if what is being sent is an integer, make sure to use intval to validate it.

Refer to this question for more information: Sanitization and Validation

Ali
  • How is it asking for trouble? – Ali Jun 10 '13 at 15:55
  • This has been debated over and over, read http://stackoverflow.com/q/3126072/89771 if you wanna know. Basically, do things where they need to be done. Specially if they affect the original data. – Alix Axel Jun 10 '13 at 16:06
  • Ok thanks for clarifying.. I will edit my answer to also include some more information – Ali Jun 10 '13 at 16:16
  • I'm not sure you fully got it. Even (specially, actually) for sanitization this is wrong. Suppose I place your code at the top. Now, also suppose that I use an ORM library or something. If I pass a GET variable to the library, the variable gets escaped twice and we still have a problem. Basically, do things when/where you need them to do something. General purpose doesn't work. – Alix Axel Jun 10 '13 at 16:36
  • Also, `intval` casts (sanitizes). It doesn't validate, for that you have `is_int`, `is_numeric`, `ctype_digit`, `preg_match` and the like. – Alix Axel Jun 10 '13 at 16:37

I'm not satisfied with your answers yet: I did not ask HOW to validate, I asked WHERE to do it.

Here is my own suggestion:

As I think the times for procedural coding in PHP are finally over (!!), I don't have any logic inside of my index.php; all logic goes into controller classes.

So you have a data Sender and a data Receiver.

As a Receiver (not only in PHP, it's something very common in real life, too), I have to validate the information sent by the Sender. The Receiver does not trust anybody (this is important in APIs, for example). Therefore, validation has to be inside the methods you create, not at the top of index.php files or outside of a class. Imagine someone else using your method: is he going to validate the arguments, or has it been YOUR task? I think it's up to you, so you (the Receiver!) can throw Exceptions.

I also like to keep my data ($_GET, $_POST, ...) as raw as possible outside of the controller. Imagine you have a method which needs validated data at line 100, and a method at line 200 which needs raw data. Now on line 5 you changed the raw into sanitized. => You have to keep two variables, $data and $data_raw, which is unnecessary overhead.

Think about it

Daniel W.
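An added example (not code from the question or any of the answers) of the Receiver-side approach this answer describes: each controller method validates its own argument and throws, while a method that needs the raw value reads the same untouched $_GET entry, so no $data/$data_raw pair is needed. The class and method names and the constructed $_GET values are assumptions.

```php
<?php
declare(strict_types=1);

// The Receiver validates its own arguments, so callers pass $_GET values through raw.
final class SearchController
{
    // Needs validated data: a non-empty slug of [a-z0-9-], at most 64 characters.
    public function doSomething(string $slug): string
    {
        // Validation, not sanitization: reject the value instead of silently rewriting it.
        if ($slug === '' || strlen($slug) > 64 || !preg_match('/^[a-z0-9-]+$/', $slug)) {
            throw new InvalidArgumentException('Invalid slug: ' . var_export($slug, true));
        }
        return "looked up <$slug>";
    }

    // Needs a positive integer: ctype_digit() validates, whereas intval() only casts ("12abc" becomes 12).
    // The string type declaration also rejects ?page[]=1 with a TypeError before the body runs.
    public function page(string $page): int
    {
        if (!ctype_digit($page) || (int) $page < 1) {
            throw new InvalidArgumentException('Invalid page: ' . var_export($page, true));
        }
        return (int) $page;
    }

    // Needs the raw value (for example to log exactly what the Sender submitted), so it must
    // not have been rewritten by a top-of-file sanitizer.
    public function logRaw(string $raw): string
    {
        return 'raw=' . bin2hex($raw);
    }
}

// Constructed request in place of a real $_GET, so the script also runs from the CLI.
$_GET = ['some_string' => 'hello-world', 'page' => '12abc'];

$controller = new SearchController();
echo $controller->doSomething($_GET['some_string']), PHP_EOL;
echo $controller->logRaw($_GET['some_string']), PHP_EOL;

try {
    // Rejected here; a top-of-file intval() would have quietly turned it into 12.
    $controller->page($_GET['page']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```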