开发者

Php security question about post validation

开发者 https://www.devze.com 2023-04-08 19:29 出处:网络
Is the following a valid way to validate some info coming fr开发者_JS百科om a post? function validate($age, $name, $sex) {

Is the following a valid way to validate some info coming fr开发者_JS百科om a post?

function validate($age, $name, $sex) {
    $pdo = new PDO(...);
    $age = (int)$age;
    $name = $pdo -> quote($name);
    $sex = (strtolower($sex) == "m" ? "m" : "f");

    // and then process data with pdo's query method.
}

Do you see any security flaw in this function? If yes, can you help me to fix them?


Not quite.
That's pretty common mistake among PHP users.
Here is a rule you are breaking in your code:

Do not mix data validation with sql security.

Data validation is one matter and sql security is another.
Data validation rules may change. Sql security rules shouldn't.

Although your current code is safe, the very idea of asking such a question is wrong.
You have to use sql protection techniques unconditionally, despite of the data source and contents. That's the only way to be sure.

Besides that, there is just no point in creating different rules for the different fields.
Just run your validation and after that you have to call just the code like this

$db->insert($table,$data);

and let the internals do care of the data (knowing nothing of it's safety, validness or whatever else nonsense). Got the point?


That's totally valid and secure as you won't receive any SQL Injections. Btw, if you will repeat the query, rather than pdo->query go for prepared statements.

0

精彩评论

暂无评论...
验证码 换一张
取 消