
Is using filter_input() or any similar validation/sanitation function overkill when using PDO prepared statements:

// The query text is fixed; the only user-controlled part is the bound value.
$sql =  "SELECT count(*) FROM players_test WHERE email = :value";
$stmt = $pdo->prepare($sql);
// FILTER_SANITIZE_STRING strips tags and encodes quotes (deprecated since PHP 8.1).
$value = filter_input(INPUT_POST, 'signupEmail', FILTER_SANITIZE_STRING);
// The value is sent to the server as data, separate from the SQL text.
$stmt->bindParam(':value', $value, PDO::PARAM_STR);
$stmt->execute();

What would be a reasonable approach to handle strings and integers?

Vadimster
    There is NO way to answer this. What you have to do to make data "safe" depends ENTIRELY on what it's going to be used for. e.g. let's say it's some funky police forensics data storage, which means you need to store EXACTLY the ORIGINAL data. Sanitization will destroy some of that original data by removing "bad" stuff. And now your court case gets dismissed because the evidence was tampered with. – Marc B Sep 07 '16 at 19:51
    If you'd like to see good practices, I'd recommend looking at popular frameworks' source, like Laravel or Zend, to see how they deal with this. – Parziphal Sep 07 '16 at 19:57
    @Parziphal do you have an idea how many lines these sources consist of? – Your Common Sense Sep 07 '16 at 19:58
    @YourCommonSense Well... I think that if you really want to see how the big ones deal with stuff and you really want to learn, you won't care about how many lines you will read. – Parziphal Sep 07 '16 at 20:04
    @Parziphal how many lines did you read personally? What did you learn? – Your Common Sense Sep 07 '16 at 20:06
    @YourCommonSense I once wanted to build my very own framework when I was learning PHP, and I referred to the source of ZendFramework and even Ruby on Rails a lot. I learned what I needed to learn back then. Much of that isn't useful though, when you use an already built framework like Laravel, which I use now. But if Vadimster wants to learn that specific thing, an _option_ to learn is to read other systems' source. I did so myself, and I can tell you, you can actually learn. – Parziphal Sep 07 '16 at 20:15
    Here's a good point to begin: https://github.com/zendframework/zend-db/blob/master/src/Adapter/Driver/Pdo/Statement.php#L262 – Parziphal Sep 07 '16 at 20:18

1 Answer


There are three possible answers to this question.

  1. If your concern is SQL injection only, and the whole SQL query is hardcoded in the PHP script (like in your example), then nothing but a prepared statement is needed. And thus sanitize_string is overkill and rather irrelevant.
  2. If your concern is SQL injection only, and some parts of the SQL are assembled dynamically, you have to protect these parts. But the protection should be specific to these parts, which makes sanitize_string rather useless.
  3. If your concern is not only SQL injection but any other security or usability issue, then you may want to sanitize or validate your data according to these concerns. One of these cases might utilize sanitize_string as well.
Your Common Sense
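As an added example (not code from the question or the answer), the three cases the answer distinguishes, run against an in-memory SQLite table so it works offline; the table players_test, its columns email and score, the sort-column allow-list and the sample input are assumed for illustration.

```php
<?php
// Added example: the answer's three cases against a constructed in-memory table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players_test (email TEXT, score INTEGER)');
$pdo->exec("INSERT INTO players_test VALUES ('a@example.com', 10), ('b@example.com', 5)");

// Case 1: the whole query is hardcoded. A bound parameter is all that SQL
// injection needs: the value travels as data and is never parsed as SQL, so a
// quote inside it is just a character, not a delimiter.
function countByEmail(PDO $pdo, string $email): int
{
    $stmt = $pdo->prepare('SELECT count(*) FROM players_test WHERE email = :value');
    $stmt->bindValue(':value', $email, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Case 2: part of the SQL (here the ORDER BY column) is assembled dynamically.
// Identifiers cannot be bound, so the protection specific to this part is an
// allow-list (assumed here); anything not on it is rejected outright.
function listOrdered(PDO $pdo, string $orderBy): array
{
    $allowed = ['email' => 'email', 'score' => 'score'];
    if (!isset($allowed[$orderBy])) {
        throw new InvalidArgumentException("unknown sort column: $orderBy");
    }
    $stmt = $pdo->query('SELECT email, score FROM players_test ORDER BY ' . $allowed[$orderBy]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Case 3: concerns beyond injection (is this an e-mail address? a non-negative
// integer?) are handled by validation chosen for that concern, rejecting bad
// input instead of rewriting it the way FILTER_SANITIZE_STRING would.
function validateSignup(array $input): array
{
    $email = filter_var($input['signupEmail'] ?? '', FILTER_VALIDATE_EMAIL);
    $score = filter_var($input['score'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($email === false || $score === false) {
        throw new InvalidArgumentException('invalid signup data');
    }
    return ['email' => $email, 'score' => $score];
}

// Constructed input standing in for $_POST.
$clean = validateSignup(['signupEmail' => 'a@example.com', 'score' => '7']);
var_dump(countByEmail($pdo, $clean['email']));
var_dump(countByEmail($pdo, "o'brien@example.com"));
var_dump(listOrdered($pdo, 'score'));
```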