2

I'm aware of how to protect against SQL injections & stuff & validating user input... but was wondering if you are taking data from a user input field & the data is a string how safe is this data to use inside your code for stuff like:

if ($i == $_POST['userinput']) {
    ....
}

The above is just an example at trying to get across my question at asking what steps you need to take & in what circumstances.

Obviously it wouldn't work in the above instance, but just trying to prevent people doing something like an include('whatever.php'); etc.

Improve this question
0

5 Answers 5

Reset to default
4

Making a comparison against a variable, like you show, is not dangerous in itself, so there's nothing to worry about there.

User input becomes potentially dangerous when used, in an include statement, in a database query, in a file name, in an eval() call, in a HTML page, etc. every one of those uses has one correct sanitation method.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

1

comparing to user provided variables is fine, they are simply handled as string. regarding your include('whatever.php') example, use whitelisting to protect against it:

if(!in_array($userinput, array('libs.php', 'my.php'))) {
  die('sorry pal');
}
Improve this answer

1 Comment

Thanks... I thought so, just wanted to make sure :)
1

Unless you are calling eval or similar functions that create and run actual PHP code from a string like create_function, you generally don't need to worry about actual code injection.

As you've already pointed out, you do need to be careful when performing includes or calling functions based directly on user input. The fact that you knew this means that you're probably already well-prepared in that regard.

Improve this answer

Comments

1

Data coming from users is potentially dangerous, but it doesn't mean it's dangerous always -- it depends on what you do with it.

While filtering/whitelisting/sanitizing data is always good practice, the absolute minimum you must do is avoid using it directly to do things that interact actively with the environment: dealing with the filesystem (includes, fopen, file_(get|put)_contents, etc.), the database, generating HTML output and so on.

Of course, different cases call for different measures: for example, there is no point in using (as I often see) htmlspecialchars() when building database queries -- that function's purpouse is to avoid code injection in browser output, so it should be used for that.

In short there is no magic one-sentence answer, you have to know what's dangerous and when, and act accordingly.

Improve this answer

Comments

-1

As a string by itself, it is fine.It is still safer to addslashes to ensure that symbols such as ' and " do not clash. It's mainly a danger to SQL Databases.

Improve this answer

3 Comments

please don't advise to use addslashes!
Addlashes in itself adds no safety whatsoever.
addslashes() is the equivalent of using an overcooked spaghetti noodle as a seat belt in your car.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.