
My PHP Script is receiving an array via $_POST. The array has (or is expected to have) the following format:

array (
  0 =>
  array (
    'Datum' =>
    array (
      0 => '2016-11-29',
      1 => '2016-11-29',
      2 => '2016-11-29',
    ),
    'VK' =>
    array (
      0 => '18 Worker',
      1 => '1 Other Worker',
      2 => '11 One more worker',
    ),
    'Dienstbeginn' =>
    array (
      0 => '08:00',
      1 => '08:00',
      2 => '08:30',
    ),
    'Dienstende' =>
    array (
      0 => '14:00',
      1 => '16:30',
      2 => '16:00',
    ),
    'Mittagsbeginn' =>
    array (
      0 => '',
      1 => '11:30',
      2 => '12:00',
    ),
    'Mittagsende' =>
    array (
      0 => '',
      1 => '12:00',
      2 => '12:30',
    ),
    'Kommentar' =>
    array (
      0 => '',
      1 => '',
      2 => '',
    ),
  ),
)

I have a function that writes the user data into my own variable and converts blank input into NULL values for the database to store.

$Dienstplan = [];

foreach ($_POST['Dienstplan'] as $plan => $inhalt_tag) {
    foreach ($inhalt_tag as $column => $lines) {
        foreach ($lines as $linenumber => $line) {
            if ($line === '') {
                //Empty fields should be inserted as null values inside the database.
                //Note: this assigns the literal string 'null', not PHP's null.
                //TODO: Should we make an exception for Comments?
                $line = 'null';
            }
            //TODO: Is it a security issue, that we use $column and $linenumber directly? Do we have to sanitize those?
            $Dienstplan[$plan][$column][$linenumber] = sanitize_user_input($line);
        }
    }
}

//Trims, strips backslashes and HTML-encodes a single submitted value.
function sanitize_user_input($data) {
    $clean_data = htmlspecialchars(stripslashes(trim($data)));
    return $clean_data;
}

How secure is this approach? Can I trust $plan, $column and $linenumber to be safe in this context? Where is the first point that an attacker could use to break things?

Bruno
  • Secure from what? [SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1)? It's too broad – Kevin Nov 29 '16 at 21:54
  • As you don't do anything with the variables, it's 100% secure –  Nov 29 '16 at 22:24
  • The values are stored in a MySQL database. The stored values are later on presented to the user via HTML. – Bruno Nov 30 '16 at 16:51

1 Answer

How secure is this approach? Can I trust $plan, $column and $linenumber to be safe in this context?

No. You're using the wrong tool for the job, at multiple layers.

  1. If you're trying to protect against SQL injection, use prepared statements instead of escaping input.
  2. If you're trying to protect against cross-site scripting, escape on output, never on input.

If you want to validate structured input (i.e. for type safety, and also to enforce input whitelists), check out Ionizer.

Scott Arciszewski
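Putting the answer's points together for the asker's Dienstplan structure (whitelist the keys, bind values with prepared statements, escape only on output), as an added example that is not the asker's or the answerer's code; the table name `dienstplan` and the `$pdo` connection are assumptions:

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a table
// `dienstplan` with the columns below and a PDO connection $pdo made elsewhere.
const PLAN_COLUMNS = ['Datum', 'VK', 'Dienstbeginn', 'Dienstende',
                      'Mittagsbeginn', 'Mittagsende', 'Kommentar'];
const TIME_COLUMNS = ['Dienstbeginn', 'Dienstende', 'Mittagsbeginn', 'Mittagsende'];

// Turn one submitted plan (the inner array of $_POST['Dienstplan']) into a
// list of rows [column => string|null], rejecting anything off the whitelist.
function validatePlan(array $plan): array {
    $rows = [];
    foreach (PLAN_COLUMNS as $column) {
        if (!isset($plan[$column]) || !is_array($plan[$column])) throw new InvalidArgumentException("missing column $column");
        foreach ($plan[$column] as $i => $value) {
            if (!is_int($i) || !is_string($value)) {
                throw new InvalidArgumentException("bad row or value in $column");
            }
            $value = trim($value);
            // Blank input becomes a real NULL, not the string 'null'.
            $rows[$i][$column] = ($value === '') ? null : $value;
        }
    }
    foreach ($rows as $i => $row) {
        if (count($row) !== count(PLAN_COLUMNS)) throw new InvalidArgumentException("row $i is incomplete");
        if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', (string) $row['Datum'])) throw new InvalidArgumentException("row $i: bad Datum");
        foreach (TIME_COLUMNS as $t) {
            if ($row[$t] !== null && !preg_match('/^\d{2}:\d{2}$/', $row[$t])) {
                throw new InvalidArgumentException("row $i: bad $t");
            }
        }
    }
    return $rows;
}

// Insert with bound parameters: column names come from the constant above,
// never from $_POST, and PHP nulls are sent as SQL NULL.
function storePlan(PDO $pdo, array $rows): void {
    $cols = implode(', ', PLAN_COLUMNS);
    $marks = implode(', ', array_fill(0, count(PLAN_COLUMNS), '?'));
    $stmt = $pdo->prepare("INSERT INTO dienstplan ($cols) VALUES ($marks)");
    foreach ($rows as $row) {
        $stmt->execute(array_map(fn($c) => $row[$c], PLAN_COLUMNS));
    }
}

// Escape on output only, at the moment a stored value is rendered as HTML.
function renderCell(?string $v): string {
    return htmlspecialchars($v ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Calling `storePlan($pdo, validatePlan($_POST['Dienstplan'][0]))` rejects unexpected keys, non-string values and malformed dates or times before anything reaches the database.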