Prevent php injection

Question

im looking for all the ways to prevent people from entering php code into text field at the php level. i have prevention from sql injection but do i not need a way to prevent people from say messing with my if statements?

$email=$_POST["email"];
if(filter_var($email, FILTER_VALIDATE_EMAIL))
{
    //do suff
}

can a user not enter something like "not@a@valid@email.com = valid@email.com" as the email and it will be considered valid. I know this example isn't bad for the server but i'm sure others and come up with more deadly.

Or am i worrying about something that is never a problem?

PHP doesn't execute variables as code unless you call `eval()`. — Barmar, Oct 25 '13 at 23:53

score 1 · Accepted Answer · answered Oct 25 '13 at 23:53

1

This is not a problem, since the user data is the value of a string. It's no different from saying:

filter_var("die()", FILTER_VALIDATE_EMAIL)

That also doesn't kill your program. It's just text.

Just don't use eval. Not ever, but specifically not ever on user input.

answered Oct 25 '13 at 23:53

Kerrek SB

464,522
92
875
1,084

Oh i understand now sql needs the be prepared because it is a string statement but php differs code from being a string thank you – Steven Johnston Oct 25 '13 at 23:55

Prevent php injection

1 Answers1