
I am just starting PHP and have a form where users can submit data. Before I display or send the data, it is sanitized and validated (trim, stripslashes, and htmlspecialchars) and saved as new variables which are then used instead of the directly submitted values.

My question is, is it safe to do anything at all with the unsanitized values? Do the security implications only become apparent when the values are displayed?

Specifically, would there be any problems with doing code such as

if(empty($_POST["theirname"]){code;}

if they tried some kind of attack or placed code into that box while submitting?

Currently I sanitize all input before checking if they are empty, but I want to avoid errors/warnings in this case if a user submits a blank box, for example (as the sanitizing function could be called on POST values that don't exist).

Ken S

5 Answers


PHP's filter_* functions. They're functions that do sanitizing for every variable you have, be it server variables (like $_SERVER, $_GET, $_POST, $_REQUEST) or your own variables.
Since you want to sanitize $_POST, here's what you should use:

$theirname = filter_input(INPUT_POST, "theirname");
if (!$theirname) {
    echo "theirname is invalid!";
} else {
    // your code
}

filter_input can check if the variable exists, if it's empty, and if it has anything that can make your code/website vulnerable (HTML tag injection, JS code injection, PHP code injection by evaluation, etc.). It's way better than checking it by yourself.

Of course, you can always just check it by yourself if you decide not to trust the filter_* functions, in that case you need to:

  • Check if the variable exists by using is_null and/or checking against NULL;
  • Check if the variable is empty;
  • Check if the variable has special characters (and escape them properly);
  • Check if the variable has HTML or XML tags (and escape/delete them);
  • Check if the variable has JS code or script tags (and escape/delete them);
  • Check if the variable has PHP code and if it's trying to execute it via eval;

As you can see, it's an extensive list, and if you don't want to rely on PHP's built-in functions, that's what you need to do.

Jared Farrish
guilherme.oc97

Always check for undefined variables first.

if (!is_null($_POST["theirname"])) {
    if (empty($_POST["theirname"])) {
        // code
    }
}

It is absolutely required to check for existence for any variable.

$bingo = isset($variable);
Remario
  • To say it is `preferable, too`, is terrible grammar. If it is preferable, that word implies it is preferred, and therefore it is higher priority, whereas your usage of the word `too` implies it has equality. So is it *preferable* to use `isset`, or is it also a good method (*equally*)? – Martin Mar 18 '17 at 13:42
  • My bad, I understated that sentence. – Remario Mar 18 '17 at 13:47
  • Well, sanitization begins with existence, so for safety purposes always perform this check; or is the notion I state wrong? – Remario Mar 18 '17 at 13:50

The error in your example is that you have a missing ) in your if statement.

//Your code
if ( empty($_POST["theirname"]) { code; }
                              ^^
//Code updated
if (empty($_POST["theirname"])) { code; }

Before checking if your inputs are empty, you could check if your form is defined and is not NULL.

Example:

//Reset.
$msg = $theirname = NULL;

//Check if the form is defined.
if (isset($_POST)) {
   //Check input empty.
   if(empty($_POST['theirname'])) {
      $msg = 'Inputs are required';
   } else {
      $theirname = data_filter($_POST['theirname']);
   }
   //check $theirname.
   if ($theirname) {
      //Do something with $theirname...
   }
}

//Filter function.
function data_filter($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}

//Message.
echo $msg;
D.Bulten
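As an added example that ties the answers together (it is not code from the question or from any of the answers): read the field without raising a warning when it was never submitted, test existence and emptiness on the raw value, and HTML-encode only at output time. It keeps the asker's trim and htmlspecialchars steps but drops stripslashes, which only undid the magic_quotes feature removed in PHP 5.4; the field name theirname, the 64-character limit and the sample submissions are assumptions.

```php
<?php
// Added example (not from the question or any answer): the asker's
// trim + htmlspecialchars pipeline, with the existence and emptiness
// checks done on the raw value before anything is sanitized.
declare(strict_types=1);

// Reading with ?? never raises an "undefined index" warning, unlike
// is_null($_POST['theirname']) when the key was never submitted.
function read_field(array $post, string $name): ?string
{
    $value = $post[$name] ?? null;
    // Only plain strings are accepted; arrays sent as name[]=x are rejected.
    return is_string($value) ? $value : null;
}

// empty()/trim() only look at presence and length; they never interpret
// the contents, so running them on unsanitized input is safe.
function validate_name(?string $raw): ?string
{
    if ($raw === null || trim($raw) === '') {
        return null;                   // field missing or blank box
    }
    $clean = trim($raw);
    if (mb_strlen($clean) > 64) {      // assumed length limit
        return null;
    }
    return $clean;                     // used as-is internally
}

// Escaping belongs to the output context: HTML-encode right before echo,
// with ENT_QUOTES so the value is also safe inside quoted attributes.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submissions standing in for $_POST.
$samples = [
    [],                                     // field never submitted
    ['theirname' => '   '],                 // blank box
    ['theirname' => ' <b>Ken & co</b> '],   // markup typed into the box
    ['theirname' => ['x', 'y']],            // array sent as theirname[]
];
foreach ($samples as $post) {
    $name = validate_name(read_field($post, 'theirname'));
    echo $name === null
        ? "Inputs are required\n"
        : 'Hello, ' . render_name($name) . "\n";
}
```

The first, second and fourth samples print the "required" message; the third prints the name with its markup encoded as entities rather than interpreted by the browser.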

Normally you want to first check if a variable is defined at all. You can do this by if(!is_null($_POST["theirname"])). If it is defined, then you may want to check if it is empty, and if not, do some stuff (for example sanitizing and/or validating).

if(!is_null($_POST["theirname"])){
  if(!empty($_POST["theirname"]))
  {
    //Do some stuff here
  }
  else
  {
    //send notification that the user didn't input any data
  }
}

Check out filter_var and filter_input.

Ramy Talal