nightkarnation, posted July 14, 2012
Source: https://forums.phpfreaks.com/topic/265684-validating-but-whendoubt/

Hey Guys! I have a doubt... let me put it in a simple example...

Let's say I have a variable coming from a Flash application (coming from a client) going to PHP:

    $item_name = $_POST['item_name'];

$item_name won't go to MySQL/DB, so I don't need mysql_real_escape_string, right?

$item_name will only be used to compare it with a string value, like this:

    if ($item_name == 'ItemOne') {
        // etc...
    }

Do I need to validate $item_name? If so... why?

Thanks a lot in advance! Cheers,
Adam, posted July 15, 2012

If you're only ever comparing it to a list of exact values, you don't have anything to worry about. The reason you need to escape user input before using it in an SQL query is because you embed the user input directly into a variable. That means whatever the user enters, left unescaped, could alter what the statement does. For example, say the user enters "' OR 1=1 --". The PHP could look like:

    $sql = "select * from users where username = '{$userInput}'";

But what you're actually sending to the server is:

    select * from users where username = '' OR 1=1 --'

Comparing variables doesn't have this issue.
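The two situations Adam contrasts, as an added example that is not part of the thread: a strict whitelist comparison for the "only compared to exact values" case, and, for the case where the value does reach SQL, the concatenated query from the post next to a prepared statement, run against an in-memory SQLite table so the script works offline. The item list, the table contents and the helper names (isKnownItem, runConcatenated, runPrepared) are assumptions made for the demonstration; ext/pdo_sqlite is assumed to be available.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

// Exact values the application knows about (constructed for the example).
const ALLOWED_ITEMS = ['ItemOne', 'ItemTwo'];

// Whitelist check. Strict comparison (third argument true) and an explicit
// is_string() check: a request with item_name[]=x delivers an array in $_POST,
// and "0" or "" must not match loosely.
function isKnownItem($value): bool
{
    return is_string($value) && in_array($value, ALLOWED_ITEMS, true);
}

// The pattern from the post: input pasted into the statement text.
function runConcatenated(PDO $db, string $userInput): int
{
    $sql = "SELECT * FROM users WHERE username = '{$userInput}'";
    return count($db->query($sql)->fetchAll());
}

// The fix: a placeholder is sent to the driver and the input travels as data,
// so quotes and comment markers inside it never become part of the SQL.
function runPrepared(PDO $db, string $userInput): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :username');
    $stmt->execute([':username' => $userInput]);
    return count($stmt->fetchAll());
}

// Demo database: in-memory SQLite with two constructed rows.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT)');
$db->exec("INSERT INTO users VALUES ('alice'), ('bob')");

// The input Adam used as an illustration, here as constructed test data.
$userInput = "' OR 1=1 --";

// Whitelist comparison: the stray quote is just a character that matches nothing.
var_dump(isKnownItem('ItemOne'));
var_dump(isKnownItem($userInput));
var_dump(isKnownItem(['ItemOne']));

// SQL: the concatenated query has its WHERE clause rewritten and returns every row;
// the prepared statement looks for a user literally named "' OR 1=1 --".
echo 'concatenated query returned ' . runConcatenated($db, $userInput) . " rows\n";
echo 'prepared statement returned ' . runPrepared($db, $userInput) . " rows\n";
```

Run it with `php example.php`. The point of keeping both query functions side by side is that the input is identical; only where it enters the statement changes the result.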
nightkarnation (author), posted July 15, 2012

Awesome, thanks a lot Adam for your kind help!

I have one last question regarding this... What if the variable is only used to send an email from PHP, something like this:

    $item_name = $_POST['item_name'];
    // etc...
    $mail_Body = "testing the value of: $item_name";
    mail($mail_To, $mail_Subject, $mail_Body);
    // etc...

Should I validate $item_name in this case?

Thanks a lot again!! Cheers!
Adam, posted July 15, 2012

Nope, just run it through htmlspecialchars as you output it. That will convert all HTML-related characters into their entity format, so "<b>" will literally be displayed in the browser as "<b>", and in the source as "&lt;b&gt;". That is unless you want to allow HTML emails of course..
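Adam's advice applied to the mail body from the previous post, as an added example that is not part of the thread: the POSTed value is checked to be a string and passed through htmlspecialchars before it is interpolated, and a few constructed inputs show exactly which characters change. The helper names (escapeForHtml, buildMailBody) and the sample strings are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread.
declare(strict_types=1);

// Escape for an HTML context. ENT_QUOTES also converts single quotes,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the body the same way the post does, with the value escaped first.
// $_POST['item_name'] can arrive as an array (item_name[]=...), so refuse
// anything that is not a string rather than letting it be stringified.
function buildMailBody($itemName): string
{
    if (!is_string($itemName)) {
        throw new InvalidArgumentException('item_name must be a string');
    }
    return 'testing the value of: ' . escapeForHtml($itemName);
}

// Constructed inputs: a plain value, markup, and quoting characters.
$samples = [
    'ItemOne',
    '<b>bold</b>',
    'Tom\'s "item" & co',
];

foreach ($samples as $sample) {
    printf("%-22s -> %s\n", $sample, buildMailBody($sample));
}

// The array case is rejected instead of producing "Array" in the mail body.
try {
    buildMailBody(['ItemOne']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}
```

As Adam notes, the entities only matter if the message is rendered as HTML; in a plain-text mail the recipient sees the entity text itself, which is why the escaping is done at output time rather than on the stored value.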
nightkarnation (author), posted July 15, 2012

Great! Thanks a lot!!!