
I'm trying to globally cleanse the variables my users/developers, marketers could use directly that might cause a security risk.

Have I defined a global function they can wrap anything in and it sanitizes output for them? Yes. Have I given presentations and lunch-n-learns on the evils of using vars passed in unsanitized? Yes.

So, here's something akin to what I'm trying to place in an include that's at the top of all of our pages for POST/GET, etc.

foreach($_GET as $key => $value) {
    $_GET[$key] =  cleanThisBaby($value,$key);
}

Of course this works, but when these variables are used in other included pages farther down in the rendering, they're back to their unsanitized state.

Is there something I'm missing about their variable superglobal scope? Is there something that could be "refreshing" those (like an errant session_start())?

evilknot
    Generally: not a good idea. See [The ultimate clean/secure function](http://stackoverflow.com/q/4223980) – Pekka Sep 30 '13 at 16:07
  • 1
    This is bad practice. You'll run into trouble sooner or later sanitizing back and forth. E.g. think about submitting a form with errors .. what does your GET/POST look like then, if you try to re-show the form to your visitor(s), when already cleaned (slashed, html-ed, tags stripped)? – djot Sep 30 '13 at 16:10
  • possible duplicate of [The ultimate clean/secure function](http://stackoverflow.com/questions/4223980/the-ultimate-clean-secure-function) – Quentin Sep 30 '13 at 16:22
  • Thanks and I understand this isn't ideal, and said as much in my question. But it is where we are, and I'm trying to find something to deal with it. What I need to know is 1) if these superglobals really do have something like "scope" or 2) what function/etc., could "refresh" those variables so they're back to their original state. Thanks! – evilknot Sep 30 '13 at 16:33

0 Answers
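The following is an added, runnable example and is not part of the question or its comments. It demonstrates the two points the question turns on: `$_GET` is a superglobal with no function or file scope, so the questioner's loop really does persist into functions and included files, and PHP keeps separate copies of the request data (`$_REQUEST`, `$_SERVER['QUERY_STRING']`, and whatever `filter_input()` reads) that the loop never touches, which is the usual reason raw values "come back". It also shows the double-encoding problem the commenters warn about. The request data is constructed for the CLI, and the body given to `cleanThisBaby()` (a plain HTML escape) is an assumption for illustration, not the questioner's actual helper.

```php
<?php
// Added example, not code from the original question. Shows that PHP
// superglobals have no scope, which request copies a global $_GET loop
// leaves untouched, and why sanitizing at input double-encodes at output.
// Run with: php this_file.php

declare(strict_types=1);

// Constructed request data (this runs under the CLI, not a web server).
$_SERVER['QUERY_STRING'] = 'name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&page=2';
parse_str($_SERVER['QUERY_STRING'], $_GET);
$_REQUEST = $_GET;   // PHP builds $_REQUEST separately at request start

// Assumed implementation of the questioner's helper: escape for HTML text.
function cleanThisBaby(string $value, string $key): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The loop from the top-of-page include in the question.
foreach ($_GET as $key => $value) {
    $_GET[$key] = cleanThisBaby((string) $value, (string) $key);
}

// 1) Inside a function: superglobals are visible without `global`.
function readInsideFunction(): string
{
    return $_GET['name'];
}

// 2) Inside an included file: same array, same (already escaped) values.
$includeFile = tempnam(sys_get_temp_dir(), 'inc');
file_put_contents($includeFile, '<?php return $_GET["name"];');
$fromInclude = include $includeFile;
unlink($includeFile);

echo "in function : ", readInsideFunction(), PHP_EOL;
echo "in include  : ", $fromInclude, PHP_EOL;

// 3) Copies of the request that the loop never touched still hold raw input.
echo "\$_REQUEST   : ", $_REQUEST['name'], PHP_EOL;
echo "QUERY_STRING: ", $_SERVER['QUERY_STRING'], PHP_EOL;
// filter_input() reads the original request data, not the modified $_GET
// array (under the CLI there is no real GET request, so this prints NULL).
var_dump(filter_input(INPUT_GET, 'name'));

// 4) The commenters' objection: escaping again at output (as you must for
// any value you print) double-encodes the already-escaped data.
echo "re-shown in form: <input value=\"",
     htmlspecialchars($_GET['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8'),
     "\">", PHP_EOL;

// Preferred pattern: keep input raw and escape once, at output, for the
// context it lands in. Here the raw value is taken from the untouched copy.
$raw = $_REQUEST['name'];
echo "escaped once at output: ",
     htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8'), PHP_EOL;
```

Running this shows the escaped string from both the function and the include (no scoping is involved), the raw `<script>` payload still present in `$_REQUEST` and the query string, and `&amp;lt;script&amp;gt;` in the re-shown form, which is the round-trip breakage djot's comment describes. Any include that reads `$_REQUEST`, `filter_input()`, or re-parses the query string bypasses the global loop entirely, so an audit for those call sites is the quickest way to find where raw data re-enters.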