
Does all POST data need to be sanitized?

Developer https://www.devze.com 2023-03-11 12:51 Source: Internet
I realize that user input POST data needs to be escaped, but what about non-user post data? I would believe that one could take a snapshot of a webpage and insert new malicious code into a form that would be submitted along with a $_POST that could potentially cause issues like if $_POST contained PHP code. Is this a common or even possible vulnerability?

What about with the following, would this be sufficient:

 <?php
function strip_Bad_Chars($data){

$data = preg_replace('/[^0-9a-zA-Z\.\_]/', '_', $data) ;

return $data ;
 }

function Sanitize($data){
if(is_array($data)){
    foreach($data as $key => $value){
        $data[$key] = strip_Bad_Chars($value) ;
    }
}else{
    $data = strip_Bad_Chars($data) ;
}

return $data ;
}
?>


Does all POST data need to be sanitized?

No.

But all external data you use somewhere always needs to be sanitized, no matter whether it comes from a human being, a robot posing as one, or some other source.

  • Before you inject a string into a SQL query, it needs to be escaped with the right function, or put into a parametrized query.
  • Before you use some data as a parameter to a command line call, it needs to be escaped with the right function.
  • And so on, and so on.

However, none of this can be done using one sanitation method. Sanitation needs to be done individually for each way you plan to use the data. Running a global sanitation method on the data like you show in your code will only serve to break the data, and not provide sufficient security.
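
The per-context handling this answer describes, as an added example that is not part of the original answer. It assumes PHP with the pdo_sqlite extension; the sample input and the helper names `storeName`, `forHtml` and `forShell` are constructed for illustration, and the question's `strip_Bad_Chars` is reproduced only to show what it does to the same value.

```php
<?php
// Added example: one untrusted value, handled separately for each place it is used.
// $input is constructed sample data standing in for $_POST['name'].
$input = "O'Brien <obrien@example.com>";

// The question's global filter, reproduced for comparison.
function strip_Bad_Chars($data) {
    return preg_replace('/[^0-9a-zA-Z\.\_]/', '_', $data);
}

// SQL context: bind the raw value as a parameter; the driver keeps it out of the query text.
function storeName(PDO $db, string $name) {
    $db->exec('CREATE TABLE IF NOT EXISTS users (name TEXT)');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return $db->query('SELECT name FROM users ORDER BY rowid DESC LIMIT 1')->fetchColumn();
}

// HTML context: encode at output time, so the stored value stays unmodified.
function forHtml(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Shell context: quote the value as a single argument (the command is built, not executed).
function forShell(string $value): string {
    return 'echo ' . escapeshellarg($value);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stored = storeName($db, $input);

echo "global filter : ", strip_Bad_Chars($input), "\n";   // apostrophe, space, <, @, > all replaced
echo "stored in DB  : ", $stored, "\n";                    // original value, intact
echo "round-trips   : ", var_export($stored === $input, true), "\n";
echo "HTML output   : ", forHtml($input), "\n";            // entities only where HTML needs them
echo "shell command : ", forShell($input), "\n";           // one quoted argument
```

The global filter's output can no longer be turned back into the name or the e-mail address, while each context-specific call leaves the stored value unchanged and encodes only at the point of use.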


Your data definitely needs to be sanitized. Anything in $_POST or $_GET could have easily been manipulated by the user. In fact, if you would like to try it out, I would recommend downloading Fiddler.


If you implicitly trust any data you are getting from the client, you have an insecure app. Period.

Common? For high-traffic/popular sites, yes. Should you worry about it? It depends upon what you have to lose. If you don't care if the data (or code) gets corrupted/blown away, and/or don't care if the server gets pwned, then security may not be an issue for you.

[soapbox] You need to understand that if you pick up the habit of such sloppy coding, you will hurt yourself in the future. If, for example, I was interviewing you and discovered that you didn't understand sql-injection issues, I would never hire you for anything other than a junior developer position, no matter what 'job experience' you had. [/soapbox]

Just don't do it. Seriously.


Short answer: yes. Anything that is on the client side needs to be sanitized, because people can arbitrarily modify code on the client side of webpages.


The PHP code in a post variable would only be an issue if you eval'd. I can't really think of any reason that you would do this.

IMHO you are always better to sanitize the data that you get.


The answer to the question of whether all POST data has to be sanitized is, in my opinion: no.

Why? Because there are cases when you really need PHP, JavaScript or HTML code passed from the user.

Examples? See some CMS systems that allow you to format your code (using some client-side WYSIWYG editor without any special markup) or even insert PHP code into some pages (e.g. Drupal allows it if you really need it and configure it in such a way). It is also possible that you want to be able to submit some JS through some form to be included on a specific page.

So, to sum up: POST should be sanitized, but some cases are exceptions. Thus, it is correct to say it should be sanitized, but does not have to be sanitized.
