1

For just regular use in my PHP code, that is. Not like I'm going to pass it to my queries or anything.

Hamster
  • 2,962
  • 7
  • 27
  • 38
  • 1
    Define "regular use"? Can you show some examples? – Pekka Dec 29 '10 at 23:11
  • Sanitization eases the mind and can mitigate unexpected edge cases in the processing logic. But only escaping at the right places brings security. Also every variable needs specific [filtering](http://sourceforge.net/p/php7framework/wiki/input/), but you cannot possibly sanitize everything. – mario Dec 29 '10 at 23:18
  • Well I think the closest thing to a danger would be checking if files exist by the given name within a directory list... – Hamster Dec 30 '10 at 01:45

5 Answers

8
  • If you pass them to SQL queries, you get an SQL injection
  • If you use them to form file names, you get an arbitrary file reading vulnerability
  • If you output them as-is to the user as a part of HTML page, you get an XSS vulnerability
  • If you output them to a file, you may get a malformed file if it has some predetermined formatting
  • If you're just comparing the value with a set of predefined values, you're fine.
  • If you're converting it to a number, you're fine as long as any number works for you
zeuxcg
  • 9,216
  • 1
  • 26
  • 33
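The list above says the same thing for every context: the raw value is harmless where it is only compared or converted, and it needs context-specific handling where it reaches SQL or HTML. The following is an added example, not code from the answer or from any project on this page; it assumes a PDO connection and an `articles` table purely for illustration (the SQL function is defined but not executed in the demonstration).

```php
<?php
// Added example: one function per context from the answer above.
// Assumptions: $pdo (a PDO connection) and the `articles` table are
// illustrative and are not created here.

declare(strict_types=1);

// Comparing against a fixed set: the raw string is only ever a comparison
// operand, so nothing needs escaping. Unknown values fall back to a default.
function pickSortOrder(array $get): string
{
    $allowed = ['asc', 'desc'];
    $value = $get['order'] ?? 'asc';
    return in_array($value, $allowed, true) ? $value : 'asc';
}

// Converting to a number: validate instead of casting. An (int) cast would
// silently turn "12abc" into 12; FILTER_VALIDATE_INT rejects it.
function pickPage(array $get): int
{
    $value = filter_var($get['page'] ?? '1', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100000],
    ]);
    return $value === false ? 1 : $value;
}

// Output to HTML: escape at the point of output. ENT_QUOTES makes the
// value safe inside a double- or single-quoted attribute as well.
function renderSearchBox(array $get): string
{
    $q = htmlspecialchars((string)($get['q'] ?? ''), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="q" value="' . $q . '">';
}

// Use in SQL: bind the value as a parameter rather than escaping it into
// the statement text, so the database never parses it as SQL.
function findArticle(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request values standing in for $_GET.
$get = [
    'order' => 'sideways',
    'page'  => '12abc',
    'q'     => '<b>"quoted" search</b>',
    'id'    => '7',
];

var_dump(pickSortOrder($get));
var_dump(pickPage($get));
echo renderSearchBox($get), "\n";
```

Run it with `php example.php`; the sort order and page number fall back to their defaults because the constructed values are not in the allowed set, and the search box shows the angle brackets and quotes encoded as entities.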
2

This can really be answered only by stepping through your code, and looking exactly what it does. There could be pitfalls in your code (like a badly built switch statement) that could require sanitation.

Other than database queries, general scenarios where you need to sanitize incoming data include:

  • Using it in a file name
  • Using it to include a file
  • Using it to pass parameters to a program executed through exec()
  • Outputting it to HTML
Pekka
  • 442,112
  • 142
  • 972
  • 1,088
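Two of the scenarios in the list above, a user-supplied file name and a value handed to a program through `exec()`, are worth seeing together because the first one feeds the second. This is an added example and not code from the answer; the `uploads` directory, its contents and the use of the `file` command are assumptions made for the demonstration.

```php
<?php
// Added example: containing a user-supplied file name to one directory
// and passing the result to an external program safely.
// Assumptions: UPLOAD_DIR and the `file` command are illustrative only.

declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';

// Resolve a name from the request to a real path inside UPLOAD_DIR.
// basename() drops any directory part, realpath() resolves symlinks and
// "..", and the prefix check rejects anything that still ends up outside.
function resolveUpload(string $name): ?string
{
    $base = basename($name);
    if ($base === '' || $base === '.' || $base === '..') {
        return null;
    }
    $root = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $base);
    if ($root === false || $path === false) {
        return null;            // directory or file does not exist
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;            // resolved outside UPLOAD_DIR (e.g. via a symlink)
    }
    return $path;
}

// Hand the resolved path to an external program. escapeshellarg() quotes
// it as a single argument, so spaces and shell metacharacters in the
// original name cannot split or extend the command line.
function describeUpload(string $name): ?string
{
    $path = resolveUpload($name);
    if ($path === null) {
        return null;
    }
    $output = [];
    $status = 1;
    exec('file -b ' . escapeshellarg($path), $output, $status);
    return $status === 0 ? implode("\n", $output) : null;
}

// Constructed inputs: a plain name, a name with shell-significant
// characters, and a name that tries to leave the directory.
foreach (['report.pdf', 'my report (final).pdf', '../config.php'] as $candidate) {
    $resolved = resolveUpload($candidate);
    printf("%-24s -> %s\n", $candidate, $resolved ?? 'rejected');
}
```

Note that `realpath()` returns `false` for a file that does not exist, so "not found" and "outside the directory" both end up as `null`; that is deliberate, since the caller only needs to know whether the name is usable. If the application must distinguish the two, check `$root` first and report separately.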
0

You need whatever your application and its security require, keeping in mind that you can get absolutely anything (or nothing) in a $_GET parameter. Maybe you are not using the value in queries, but you may be subject to a cross-site scripting attack if you blindly use a value in a page, for example. "Harmless" websites can easily fall into a cross-site scripting attack.

Never trust user input, yes?

Andrew
  • 14,325
  • 4
  • 43
  • 64
0

You need to sanitize variables depending on the content of them and the use of them.

So if you have a variable like so:

  • $_GET['page_id']

And you're using it within the database, then you sanitize it.

If you have a variable like so:

  • $_GET['action']

And you're planning on using it like

  • require_once "pages/" . $_GET['action'] . ".php"

then you sanitize before you do that, otherwise just make sure that register_globals is off and you will be OK as long as you're not using them in places without considerable thought

RobertPitt
  • 56,863
  • 21
  • 114
  • 161
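The `require_once "pages/" . $_GET['action'] . ".php"` pattern in the answer above is the case where "sanitizing" is the wrong tool: the fix is to stop building the include path from the request at all. The following added example (not the answer's code; the `pages/` file names are assumed) shows that pattern next to a version that maps the parameter onto a fixed table of pages.

```php
<?php
// Added example: include dispatch driven by $_GET['action'], unsafe and
// safe forms side by side. Assumptions: the pages/ directory and its
// three files are illustrative.

declare(strict_types=1);

// Unsafe form, as written in the answer: the request decides which file
// is executed, and nothing prevents names outside pages/.
function dispatchUnsafe(array $get): void
{
    require_once 'pages/' . $get['action'] . '.php';
}

// Safe form: the parameter is only ever used as an array key; the path
// that gets included comes from this table, never from the request.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolvePage(array $get): string
{
    $action = $get['action'] ?? 'home';
    // is_string() first: array_key_exists() throws on an array key in PHP 8,
    // and a request can send action[]=x to produce exactly that.
    if (!is_string($action) || !array_key_exists($action, PAGES)) {
        return PAGES['home'];      // unknown action: fall back (or send a 404)
    }
    return PAGES[$action];
}

function dispatchSafe(array $get): void
{
    require_once resolvePage($get);
}

// Constructed inputs. Only the resolved path is printed; nothing is included.
foreach (['about', 'missing', '../setup', ['nested']] as $action) {
    $label = is_array($action) ? 'array' : $action;
    printf("%-10s -> %s\n", $label, resolvePage(['action' => $action]));
}
```

The lookup table is the whole defence: adding a page means adding a line to `PAGES`, and every request value that is not one of those keys is treated the same way regardless of what it contains.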
0

Everything that is not coming from your server should be sanitized! This includes $_GET, $_POST, $_SERVER just to name a few.

Alfred
  • 60,935
  • 33
  • 147
  • 186