
I will try to phrase this question appropriately. I have never really thought about it properly, so I just wanted to get some clarification to wrap my head around it.

When you are passing variables into a function, is it the same as using quotes and typing the data in, or is it safer to pass everything as a variable? Here's an example of what I mean:

function someFunction($arg) { /* uses $arg as a plain string */ } // some function

$foo = "bar"; // variable
someFunction($foo); // pass the variable

// Is this the same as
someFunction("bar"); // pass the literal directly

// Likewise if I pass
$foo = $_POST['bar']; // value taken from the request
someFunction($foo);

Can this be escaped in the POST input by adding `)` or a combination of backslashes? Is it safer to always use variables instead of putting the values in directly?

By using the following on a username field:

$var = trim($_POST['username']); // strip surrounding whitespace
$var = preg_replace('/[^0-9a-zA-Z]/', "", $var); // keep only ASCII letters and digits

I technically should be safe to trust that variable in things like databases and sensitive areas (of course using prepared statements when possible), but it can't be escaped and interact with the PHP, correct? I always like to write my applications as securely as possible, even though they most likely will never be seen by the general public, but one can never be too safe with it.

I know for a fact, using the example above, that the field should only contain alphanumeric sequences with no spaces or special characters, so I just want to be certain I am doing this properly and that by passing it as $var through all my functions it's safe and cannot interact with the functions themselves.

Kaboom
  • I guess this is what you are looking for: http://php.net/manual/en/function.filter-var.php – Felippe Duarte Aug 17 '18 at 19:23
  • Regarding escaping, there is only one way to protect against [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs – RiggsFolly Aug 17 '18 at 19:24
  • _// Is this the same as_ Yes pretty much – RiggsFolly Aug 17 '18 at 19:25
  • @RiggsFolly In regards to this element, when I say escaping I mean escaping outside of its variable before we even get to the database part. If they post into the field with `); somethinghere;`, that won't be interpreted by the PHP directly, correct? Like if the function is `fn($var){}` and the post is `NULL){}somethingmalicoushere;`, it WON'T interact with that `fn` function directly is what I am asking. – Kaboom Aug 17 '18 at 19:26
  • PHP will not interpret code passed to a function as code, it will stay as one string variable. There is no "PHP injection" version of Little Bobby Tables. The exception is when you do it intentionally using the eval() function - http://php.net/manual/en/function.eval.php – Dave S Aug 18 '18 at 00:09
  • Thank you Dave, this was the clarification I was looking for. I believed that to be the case but I didn't want to just make that assumption. Can you drop it as an answer for me please so I can accept it for future users? Thanks! – Kaboom Aug 19 '18 at 01:03
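The point made in the question and in Dave S's comment, shown as an added example (this is not code from the question or from any of the commenters): a string passed to a function stays one string no matter which characters it contains, the whitelist filter reduces it to `[0-9a-zA-Z]`, and the only places it could become code are boundaries that interpret strings, such as SQL text, which parameter binding closes. The function names `greet` and `sanitizeUsername`, the sample input, and the use of PDO with an in-memory SQLite database (assumes the `pdo_sqlite` extension is loaded) are all assumptions of this example.

```php
<?php
// Added example, not part of the original question or comments.
declare(strict_types=1);

// Hypothetical function standing in for the "some function" in the question.
// Whatever $username contains, PHP treats it as a value, never as source code.
function greet(string $username): string
{
    return "Hello, " . $username . "!";
}

// The whitelist filter from the question: keep ASCII letters and digits only.
function sanitizeUsername(string $raw): string
{
    $value = trim($raw);
    return preg_replace('/[^0-9a-zA-Z]/', '', $value);
}

// Constructed sample input standing in for $_POST['username']. It carries the
// characters the question asks about: quotes, parentheses, a semicolon,
// a closing brace and a backslash.
$post = ['username' => "alice\"); echo 'injected'; }\\ -- bob"];

// 1. Literal argument and variable argument behave identically: both are one
//    string value. The function body never sees a second statement.
$literal = greet("alice");
$fromVar = greet($post['username']);
var_dump($literal === 'Hello, alice!');                                   // bool(true)
var_dump($fromVar === "Hello, alice\"); echo 'injected'; }\\ -- bob!");    // bool(true)
var_dump(strpos($fromVar, 'injected') !== false);  // bool(true): present as text, not executed

// 2. After the whitelist filter only [0-9a-zA-Z] survives.
$clean = sanitizeUsername($post['username']);
var_dump($clean === 'aliceechoinjectedbob');                              // bool(true)

// 3. A boundary that does interpret strings: SQL. Binding the value as a
//    parameter keeps it data, so even the unfiltered string is stored verbatim
//    rather than parsed as part of the query.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
$stmt->execute([':name' => $post['username']]);  // raw value, still just data
$stmt->execute([':name' => $clean]);
$count = (int) $pdo->query('SELECT COUNT(*) FROM users')->fetchColumn();
var_dump($count === 2);                                                   // bool(true)

$stored = $pdo->query('SELECT name FROM users ORDER BY rowid')->fetchAll(PDO::FETCH_COLUMN);
var_dump($stored[0] === $post['username']);                               // bool(true)
```

Run it with `php example.php`; every `var_dump` prints `bool(true)`. Step 1 is the answer to the question as asked: the call site decides what is code, and an argument is always data. Step 3 is where the commenters' advice about prepared statements applies, because SQL text, like `eval()`, is a place where a string is parsed as a language, and binding is what keeps request data on the data side of that boundary.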

0 Answers