
Validating, but when...doubt!


nightkarnation


Hey Guys!

I have a doubt... let me put it in a simple example...

 

Let's say I have a variable coming from a Flash application (coming from a client) going to PHP...

 

$item_name = $_POST['item_name'];

 

$item_name won't go to MySQL/the DB, so I don't need mysql_real_escape_string, right?

$item_name will only be used to compare it with a string value, like this:

 

if ($item_name == 'ItemOne')
{
//etc...
}

 

Do I need to validate $item_name? If so... why?

 

Thanks a lot in advance!

Cheers,

https://forums.phpfreaks.com/topic/265684-validating-but-whendoubt/

If you're only ever comparing it to a list of exact values, you don't have anything to worry about. The reason you need to escape user input before using it in an SQL query is because you embed the user input directly into a variable. That means whatever the user enters, left unescaped, could alter what the statement does.

 

For example, say the user enters "' OR 1=1 --". The PHP could look like:

 

$sql = "select * from users where username = '{$userInput}'";

 

But what you're actually sending to the server is:

 

select * from users where username = '' OR 1=1 --'

 

Comparing variables doesn't have this issue.
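The interpolated query from the reply above, run beside a prepared statement and beside the comparison-only case from the question, as an added example that is not part of the thread. It uses a constructed in-memory SQLite table and assumes the pdo_sqlite extension is installed.

```php
<?php
// Added example (not from the thread). Constructed in-memory table; assumes pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, email TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Constructed input standing in for $_POST['username'], the value from the reply above.
$userInput = "' OR 1=1 --";

// Unsafe: the input becomes part of the SQL text. The leading quote closes the
// string literal, "OR 1=1" widens the WHERE clause to every row, and "--"
// comments out the trailing quote so the statement still parses.
$sql = "select * from users where username = '{$userInput}'";
$unsafeRows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
echo "interpolated query matched " . count($unsafeRows) . " user(s)\n";

// Safe: a prepared statement sends the value separately from the SQL text, so
// the whole input is compared as one literal username and matches nothing here.
$stmt = $db->prepare("select * from users where username = :username");
$stmt->execute([':username' => $userInput]);
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement matched " . count($safeRows) . " user(s)\n";

// The comparison-only case from the question: the value never reaches SQL, so no
// escaping is needed. An allow-list with a strict comparison still rejects anything
// unexpected, including type juggling from non-string input.
$allowedItems = ['ItemOne', 'ItemTwo'];
$itemName = 'ItemOne'; // constructed stand-in for $_POST['item_name']
if (in_array($itemName, $allowedItems, true)) {
    echo "known item: {$itemName}\n";
} else {
    echo "unknown item rejected\n";
}
```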

Awesome, thanks a lot, Adam, for your kind help!

 

I have one last question regarding this...

What if the variable is only used to send an email from php, something like this:

 

$item_name = $_POST['item_name'];

//etc...
$mail_Body = "testing the value of: $item_name";
mail($mail_To, $mail_Subject, $mail_Body);
//etc...

Should I validate $item_name in this case?

 

Thanks a lot again!!

Cheers!

Nope, just run it through htmlspecialchars as you output it. That will convert all HTML-related characters into their entity format, so "<b>" will literally be displayed in the browser as "<b>", and in the source as "&lt;b&gt;". That is, unless you want to allow HTML emails, of course.
