
For just regular use in my PHP code, that is. Not like I'm going to pass it to my queries or anything.

Hamster
    Define "regular use"? Can you show some examples? – Pekka Dec 29 '10 at 23:11
  • Sanitization eases the mind and can mitigate unexpected edge cases in the processing logic. But only escaping at the right places brings security. Also every variable needs specific [filtering](http://sourceforge.net/p/php7framework/wiki/input/), but you cannot possibly sanitize everything. – mario Dec 29 '10 at 23:18
  • Well I think the closest thing to a danger would be checking if files exist by the given name within a directory list... – Hamster Dec 30 '10 at 01:45

5 Answers

  • If you pass them to SQL queries, you get an SQL injection
  • If you use them to form file names, you get an arbitrary file reading vulnerability
  • If you output them as-is to the user as a part of HTML page, you get an XSS vulnerability
  • If you output them to a file, you may get a malformed file if it has some predetermined formatting
  • If you're just comparing the value with a set of predefined values, you're fine.
  • If you're converting it to a number, you're fine as long as any number works for you
zeuxcg

This can really be answered only by stepping through your code, and looking at exactly what it does. There could be pitfalls in your code (like a badly built switch statement) that could require sanitization.

Other than database queries, general scenarios where you need to sanitize incoming data include:

  • Using it in a file name
  • Using it to include a file
  • Using it to pass parameters to a program executed through exec()
  • Outputting it to HTML
Pekka
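
As an added example (not code from any answer on this page), here is how each of the sinks listed by zeuxcg and Pekka above is handled in PHP, with a constructed hostile `$_GET` array standing in for a real request. The function names, the sample values and the in-memory SQLite database (which assumes the `pdo_sqlite` extension is available) are assumptions made for this demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample request: the kind of values a $_GET parameter can carry.
$_GET = [
    'page_id' => '5 OR 1=1',
    'name'    => '<script>alert(1)</script>',
    'file'    => '../../etc/passwd',
    'sort'    => 'asc; rm -rf /',
    'host'    => 'example.org; id',
];

// 1. SQL: validate the type, then bind. The value never becomes part of the SQL text.
function findPage(PDO $db, string $raw): ?array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // anything that is not a positive integer is rejected before any query runs
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. HTML: escape at output time, for the exact context the value lands in.
function renderGreeting(string $raw): string
{
    return '<p>Hello, ' . htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

// 3. File names (the "does this file exist" case from the comments): drop any directory
//    component, then prove the resolved path really is inside the base directory.
function resolveInDir(string $baseDir, string $raw): ?string
{
    $candidate = $baseDir . DIRECTORY_SEPARATOR . basename($raw);
    $real = realpath($candidate); // false if the file does not exist
    $base = realpath($baseDir);
    if ($real === false || $base === false
        || strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// 4. Comparing against a fixed set: strict in_array, and use the trusted value, not the input.
function sortDirection(string $raw): string
{
    $allowed = ['asc', 'desc'];
    return in_array($raw, $allowed, true) ? $raw : 'asc';
}

// 5. Shell: if exec() is unavoidable, the argument is escaped as a single shell word.
function pingCommand(string $raw): string
{
    return 'ping -c 1 ' . escapeshellarg($raw);
}

// --- demonstration ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages (id, title) VALUES (5, 'Home')");

var_dump(findPage($db, $_GET['page_id'])); // the injection attempt is rejected by the integer filter
var_dump(findPage($db, '5'));              // a well-formed id reaches the prepared statement
echo renderGreeting($_GET['name']), PHP_EOL;
var_dump(resolveInDir(sys_get_temp_dir(), $_GET['file'])); // only a "passwd" inside the temp dir could match
echo sortDirection($_GET['sort']), PHP_EOL;
echo pingCommand($_GET['host']), PHP_EOL;
```

The point the two answers make is that there is no single "sanitize" step: the integer filter does nothing for the HTML case, `htmlspecialchars` does nothing for the path case, and the allow-list comparison needs no escaping at all because the input is only ever compared, never used.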

You need whatever your application and its security require, keeping in mind that you can get absolutely anything (or nothing) in a $_GET parameter. Maybe you are not using the value in queries, but you may be subject to a cross-site scripting attack if you blindly use a value in a page, for example. "Harmless" websites can easily fall into a cross-site scripting attack.

Never trust user input, yes?

Andrew

You need to sanitize variables depending on the content of them and the use of them.

So if you have a variable like so:

  • $_GET['page_id']

And you're using it within the database, then you sanitize it.

if you have a variable like so:

  • $_GET['action']

And you're planning on using it like

  • require_once "pages/" . $_GET['action'] . ".php"

then you sanitize before you do that, otherwise just make sure that register_globals is off and you will be OK as long as you're not using them in places without considerable thought

RobertPitt
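
An added example, not RobertPitt's code, showing the `require_once` pattern from his answer beside an allow-list version. The `$routes` map, the page file names and the temporary directory set-up are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// The pattern from the answer above: the request decides which file is loaded.
// Any .php file the web server can read is reachable, e.g. action=../../config,
// because the only constraint is the ".php" appended to whatever was sent.
function loadPageUnsafe(string $action): void
{
    require_once "pages/" . $action . ".php";
}

// Allow-list version: the request value is only ever used as a key into a fixed map,
// and the path is built from the map's value, never from the input itself.
function loadPage(string $pagesDir, string $action)
{
    static $routes = [
        'home'  => 'home.php',
        'about' => 'about.php',
    ];
    if (!array_key_exists($action, $routes)) {
        $action = 'home'; // unknown or hostile action: a fixed default, not something derived from the input
    }
    return require $pagesDir . DIRECTORY_SEPARATOR . $routes[$action];
}

// --- demonstration with a constructed pages directory under the system temp dir ---
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($pagesDir, 0700);
file_put_contents($pagesDir . '/home.php',  "<?php return 'home page';");
file_put_contents($pagesDir . '/about.php', "<?php return 'about page';");

foreach (['home', 'about', '../../etc/passwd', 'about/../../config', "home\0"] as $action) {
    // Whatever $action contains, only home.php or about.php can ever be loaded.
    printf("%-22s -> %s\n", addcslashes($action, "\0"), loadPage($pagesDir, $action));
}

unlink($pagesDir . '/home.php');
unlink($pagesDir . '/about.php');
rmdir($pagesDir);
```

`loadPageUnsafe` is shown for contrast only and is never called. Note that the fix is not an escaping function: there is no safe way to "clean" a path fragment that is then concatenated into an include, so the input is reduced to a choice between known files instead.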

Everything that is not coming from your server should be sanitized! This includes $_GET, $_POST, $_SERVER just to name a few.

Alfred