
Stupid question here: should I be sanitizing every $_POST / $_GET variable even if it is just being used for something like a comparison?

Example:

```php
if ( $_POST[ 'example' ] === 1 ) {
    // Do Something
}
```

I understand the idea of using prepared statements for databases, etc., but I am curious / worried about a user placing some PHP code or something else in there and it running during that check.

mcbeav
  • What do you mean by sanitize? – Gumbo Nov 09 '13 at 15:28
  • Typical PHP sanitization functions: filter_var, stripslashes, etc. – mcbeav Nov 09 '13 at 15:31
  • Values do not automatically run as code when run through a simple expression such as yours. If you are uneasy about the rest of your code, then bland type/format-forcing is an option. But there's [no general cleanup / context-independent sanitization](http://stackoverflow.com/questions/3126072/what-are-the-best-php-input-sanitizing-functions) procedure anyway. – mario Nov 09 '13 at 15:32
  • So, basically, I shouldn't have to worry about what I have asked? Someone can toss in some PHP there, but it will not run? – mcbeav Nov 09 '13 at 15:33
  • That's right. $_POST['example'] is being used as a literal value; it's not being evaluated. For example, if it were the string '0+1', that would not be equal to the integer 1, or even to the string '1'. – Brian Kendig Nov 09 '13 at 15:35
  • Everything in `$_GET` and `$_POST` is either a string or an array. And those values are handled by PHP as any other string or array. – Gumbo Nov 09 '13 at 15:41
  • Just checking to be sure. Thanks for the help! – mcbeav Nov 09 '13 at 15:44

1 Answer

You only need to worry about sanitizing your inputs if they could be used in a context where they would be evaluated - in a database script, for example, or as HTML on a web page.

Brian Kendig
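The following script is an added example, not code from the question or the answer. It makes the points from the comments and the answer concrete: request values are plain strings that are compared, never executed, a strict `=== 1` against a request value can never be true (so the branch in the question would never run), and escaping is chosen by the context the value is finally interpreted in. The `$inputs` array is constructed to stand in for `$_POST` so the script runs from the CLI without a web server.

```php
<?php
// Added example: request values are data, not code. $inputs is a constructed
// stand-in for $_POST; every entry is a string, exactly as PHP would deliver it.

/** Strict comparison against the integer 1: a string never matches. */
function isExactlyOne($value): bool
{
    return $value === 1;
}

/**
 * Compare string to string instead, so no type juggling is involved at all.
 * (Loose == would juggle: "1abc" == 1 was true before PHP 8, false since.)
 */
function isStringOne(string $value): bool
{
    return $value === '1';
}

$inputs = [
    '1',                      // what a normal form submission sends
    '0+1',                    // an expression stays the literal text "0+1"
    '<?php echo "code"; ?>',  // PHP tags inside a string are never interpreted
    '1abc',                   // loose-comparison pitfall, harmless with ===
];

foreach ($inputs as $value) {
    printf("%-26s === 1: %-5s === '1': %s\n",
        var_export($value, true),
        isExactlyOne($value) ? 'true' : 'false',
        isStringOne($value) ? 'true' : 'false');
}
// "=== 1" is false for every row: $_POST only ever holds strings or arrays,
// so the question's `if ($_POST['example'] === 1)` can never be entered.

// Escaping belongs at the boundary where the value is *interpreted*, and the
// escaping is specific to that boundary:
$forHtml = htmlspecialchars($inputs[2], ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo "HTML context: $forHtml\n";   // <?php ... ?> becomes &lt;?php ... ?&gt;

// SQL context: bind the raw value with a prepared statement rather than
// escaping it by hand (PDO shown; $pdo is assumed to be an open connection).
// $stmt = $pdo->prepare('SELECT id FROM t WHERE col = ?');
// $stmt->execute([$inputs[1]]);   // "0+1" is sent as a parameter, not as SQL

// Missing keys are a separate concern: reading $_POST['example'] when the
// field was not submitted raises a notice, so prefer $_POST['example'] ?? null.
```

Run it with `php example.php`; the comparison table shows `false` under `=== 1` for every input and `true` under `=== '1'` only for the first.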