Jump to content

Recommended Posts

Hey Guys!

I have a doubt...let me put it, in a simple example...

 

Lets say I have a variable coming from a flash application (coming from a client) going to php...

 

$item_name = $_POST['item_name'];

 

$item_name wont go to mysql/db so I dont need mysql_real_escape_string right?

$item_name will only be used to compare it with a string value, like this:

 

if ($item_name == 'ItemOne')
{
//etc...
}

 

Do I need to validate $item_name ?? if so...why?

 

Thanks a lot in advance!

Cheers,

Link to comment
https://forums.phpfreaks.com/topic/265684-validating-but-whendoubt/
Share on other sites

If you're only ever comparing it to a list of exact values, you don't have anything to worry about. The reason you need to escape user input before using it in an SQL query, is because you embed the user input directly into a variable. That means whatever the user enters, left unescaped, could alter what the statement does.

 

For example, say the user enters "' OR 1=1 --". The PHP could look like:

 

$sql = "select * from users where username = '{$userInput}'";

 

But what you're actually sending to the server is:

 

select * from users where username = '' OR 1=1 --'

 

Comparing variables doesn't have this issue.

Awesome, thanks a lot Adam for your kind help!

 

I have one last question regarding this...

What if the variable is only used to send an email from php, something like this:

 

$item_name = $_POST['item_name'];

//etc...
$mail_Body = "testing the value of: $item_name";
mail($mail_To, $mail_Subject, $mail_Body);
//etc...

Should I validate $item_name in this case?

 

Thanks a lot again!!

Cheers!

Nope, just run it through htmlspecialchars as you output it. That will convert all HTML-related characters into their entity format, so "<b>" will literally be displayed in the browser as "<b>", and in the source as "<b>". That is unless you want to allow HTML emails of course..

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.