Posted

When I run code just to check if the $_GET is set, can this (possibly malicious) data be harmful in this instance?... Do I only need to clean the data if I'm going to use it in a calculation or something?

 

if (isset($_GET['badGuyData']))
{
}

Thank you.

Posted

I am not an expert on PHP security. But as far as I know, security issues primarily come into play when:

 

-- something that a user inputs is used within a database query somehow, potentially leading to SQL injection if it isn't properly escaped

-- something that a user inputs is displayed to the page without being properly escaped

 

As far as I understand it, isset() simply checks if a variable exists -- it doesn't "use" the variable, so it should be fine.

Posted


Thanks Ben,

 

Do you feel that the incoming data should be rendered harmless if I initially "clean" it with this line of code?:

$data_cleaned = preg_replace('#[^A-Za-z]#i', '', $data_dirty);
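
Added example, not part of any post in this thread: the isset() check, the letters-only filter and the two risks named in the reply (database queries and page output), each handled where the value is actually used. The helper names, the users table and the sample inputs are assumptions made for illustration, and the script assumes the pdo_sqlite extension is available.

```php
<?php
// Added example; helper names and the sample inputs are constructed.

// The thread's letters-only filter, with a type check in front of it:
// a request parameter can be an array, and preg_replace() then returns an array.
function clean_letters($dirty): string
{
    if (!is_string($dirty)) {
        return '';
    }
    // A-Za-z already covers both cases, so the /i flag is not needed.
    return preg_replace('#[^A-Za-z]#', '', $dirty) ?? '';
}

// Escape for the HTML context at the point of output.
function html_out(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Bind the value at the point of query instead of relying on earlier cleaning.
function find_user(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// In-memory SQLite table (assumes the pdo_sqlite extension is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('OBrien')");

// Constructed stand-ins for $_GET: a string, an array, and a missing key.
$requests = [['badGuyData' => "O'Brien"], ['badGuyData' => ['x']], []];

foreach ($requests as $get) {
    if (!isset($get['badGuyData'])) {
        // isset() only tests existence; the value is never read or output here.
        echo "not set\n";
        continue;
    }
    $clean = clean_letters($get['badGuyData']);
    echo 'clean: "', html_out($clean), '", rows: ', count(find_user($db, $clean)), "\n";
}
```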
