
I'm currently saving request parameters of API calls into a MySQL table for logging purposes.

I'm using the following.

$log->info('Request', var_export($request->get_params(), true));

Also, one of the parameters is a JSON string.

Should I escape each parameter individually for security purposes before writing to the database?

Thanks,

Krt_Malta
    It depends on how you're actually saving the data to the database. The posted code only passes a string to a method and has nothing to do with the actual implementation of the database insert. If it's using parameterized Prepared Statements (which it _really_ should), you should be fine. – M. Eriksson Mar 29 '18 at 07:56
  • There is no difference here to any other data coming from the user. You *always* need to treat *any and all* user-supplied data like a leaking container of atomic sludge. And yes, obviously it's possible to do that safely. – deceze Mar 29 '18 at 07:59

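The point raised in the comments, as an added example that is not the asker's code: with a prepared statement the parameter values are bound separately from the SQL text, so nothing needs to be escaped before storage, and a parameter that is itself a JSON string is stored intact. It assumes PDO with MySQL, a hypothetical table `request_log(route VARCHAR(255), params JSON, created_at DATETIME)`, and placeholder credentials.

```php
<?php
// Added example, not from the original question. Logs request parameters
// through a PDO prepared statement; no per-parameter escaping is needed.
// Assumed table: request_log(id INT AUTO_INCREMENT, route VARCHAR(255),
//                             params JSON, created_at DATETIME)
declare(strict_types=1);

function logRequestParams(PDO $pdo, string $route, array $params): int
{
    // One JSON document for all parameters. A parameter that is itself a
    // JSON string stays a string value; json_encode escapes its quotes.
    $json = json_encode($params, JSON_THROW_ON_ERROR | JSON_UNESCAPED_UNICODE);

    // The values never become part of the SQL text: the statement is sent
    // with placeholders and the values travel separately, so quotes,
    // backslashes or comment sequences in user input cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO request_log (route, params, created_at)
         VALUES (:route, :params, NOW())'
    );
    $stmt->bindValue(':route', $route, PDO::PARAM_STR);
    $stmt->bindValue(':params', $json, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

// Constructed sample input: a value with a quote and a JSON-string parameter
// containing a SQL comment sequence, both of which would break a query built
// by string concatenation but are harmless when bound.
$params = [
    'user'    => "o'brien",
    'payload' => '{"items":[1,2],"note":"x -- y"}',
];

// Placeholder DSN and credentials (assumption, not from the question).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$id = logRequestParams($pdo, '/api/items', $params);

// Reading the row back shows the JSON-string parameter survived unchanged.
$row = $pdo->query("SELECT params FROM request_log WHERE id = $id")->fetch(PDO::FETCH_ASSOC);
$stored = json_decode($row['params'], true, 512, JSON_THROW_ON_ERROR);
assert($stored['payload'] === $params['payload']);
```

Escaping is a property of the sink, not of storage: if the logged values are later rendered in an HTML admin page, apply `htmlspecialchars` at that point rather than before the INSERT.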