For just regular use in my PHP code, that is. Not like I'm going to pass it to my queries or anything.
- If you pass them to SQL queries, you get an SQL injection
- If you use them to form file names, you get an arbitrary file reading vulnerability
- If you output them as-is to the user as part of an HTML page, you get an XSS vulnerability
- If you output them to a file, you may get a malformed file if it has some predetermined formatting
- If you're just comparing the value with a set of predefined values, you're fine.
- If you're converting it to a number, you're fine as long as any number works for you
This can really be answered only by stepping through your code, and looking exactly what it does. There could be pitfalls in your code (like a badly built switch statement) that could require sanitation.
Other than database queries, general scenarios where you need to sanitize incoming data include:
- Using it in a file name
- Using it to include a file
- Using it to pass parameters to a program executed through exec()
- Outputting it to HTML
You need whatever your application and its security require, keeping in mind that you can get absolutely anything (or nothing) in a $_GET parameter. Maybe you are not using the value in queries, but you may be subject to a cross-site scripting attack if you blindly use a value in a page, for example. "Harmless" websites can easily fall into a cross-site scripting attack.
Never trust user input, yes?
You need to sanitize variables depending on the content of them and the use of them.
So if you have a variable like so:
$_GET['page_id']
And you're using it within the database, then you sanitize it.
If you have a variable like so:
$_GET['action']
And you're planning on using it like
require_once "pages/" . $_GET['action'] . ".php";
then you sanitize before you do that; otherwise just make sure that register_globals is off and you will be OK as long as you're not using them in places without considerable thought.
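The answers above list the contexts that decide what "sanitizing" a $_GET value means: comparison against known values, numeric conversion, a dynamic include such as require_once "pages/" . $_GET['action'] . ".php", HTML output, and SQL. The following script is an added example, not code from any answer on this page, showing one context-appropriate check per case. $_GET is filled with constructed sample values so it runs from the command line, and an in-memory SQLite database (assumes the pdo_sqlite extension) stands in for a real one.

```php
<?php
// Added example: context-specific handling of $_GET values.
// $_GET is populated here with constructed sample values so the script
// runs from the CLI; in a web request PHP fills it in itself.
$_GET = [
    'page_id' => '42abc',
    'action'  => '../../etc/passwd',
    'sort'    => 'desc',
    'name'    => '<script>alert(1)</script>',
];

// 1. Comparison against predefined values: the whitelist decides, and the
//    raw input never reaches anything sensitive.
function sortDirection(array $input): string
{
    $allowed = ['asc', 'desc'];
    $value = $input['sort'] ?? '';
    return in_array($value, $allowed, true) ? $value : 'asc';
}

// 2. Numeric use: validate with filter_var rather than a bare cast, so that
//    trailing garbage and out-of-range values are rejected, not silently
//    turned into some number.
function pageId(array $input): ?int
{
    $id = filter_var($input['page_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Dynamic include: map the request to a fixed set of known files. The
//    input only ever selects a key, so it can never contribute "../" or any
//    other path component to the file name.
function pageFile(array $input): ?string
{
    $pages = [
        'home'  => 'pages/home.php',
        'about' => 'pages/about.php',
    ];
    return $pages[$input['action'] ?? ''] ?? null;
}

// 4. HTML output: escape at the point of output, for the HTML context.
function nameForHtml(array $input): string
{
    return htmlspecialchars($input['name'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 5. SQL: a prepared statement with a bound parameter keeps the value as
//    data; it is never spliced into the query text.
function fetchPage(PDO $db, ?int $id): ?array
{
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory database standing in for the application's own.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'Home'), (42, 'Answers')");

var_dump(sortDirection($_GET));
var_dump(pageId($_GET));
var_dump(pageFile($_GET));
var_dump(nameForHtml($_GET));
var_dump(fetchPage($db, pageId(['page_id' => '42'])));
```

Run with php on the command line. The sample values are chosen to exercise the rejection paths: the non-numeric page_id is turned into null rather than a guessed integer, the traversal string in action selects no page and so no file is ever built from it, and the name is escaped so the script tag is rendered as text. Only the last call, with a clean integer id, reaches the database, through a bound parameter.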
Everything that is not coming from your server should be sanitized! This includes $_GET, $_POST, $_SERVER, just to name a few.
Source: https://stackoverflow.com/questions/4558673/php-is-there-any-kind-of-sanitization-i-need-for-using-get-data