Home/ Questions/Q 5977141
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-22T21:19:41+00:00

Do I need to escape/sanitize the following? $_SERVER[‘HTTP_USER_AGENT’] in a PHP script (not inserted

  • 0

Do I need to escape/sanitize the following?

  1. $_SERVER['HTTP_USER_AGENT'] in a
    PHP script (not inserted into
    database or displayed to user), for
    example:

    if ($_SERVER['HTTP_USER_AGENT']==$xyz) {
        echo "Congrats, you are using XYZ browser";
} else {
        echo "You are not using XYZ browser.";
}

  2. $_SERVER['HTTP_USER_AGENT'] when
    placed as a session variable, for
    example:

    $_SESSION['userAgent']=$_SERVER['HTTP_USER_AGENT']

  3. Anything that is going to be hashed,
    for example:

    hash('sha512',$randomDataPostedByUser)

  4. User input destined for email body
    (in other words, I’ve already taken
    care of email header injections).

If any of the above do need to be excaped/sanitized, what is the best method for each case?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    No, there is no need for sanitation in any of the examples you show, with the following very rare exception for the mail body example:

    (Windows only) When PHP is talking to a SMTP server directly, if a full stop is found on the start of a line, it is removed. To counter-act this, replace these occurrences with a double dot.

    However, you may need to sanitize the session variable later, depending on what you are going to do with it.

    Other notes:

    • Your first example doesn’t seem to make sense, because user agent strings vary heavily. You will have to use strstr() or regular expressions to match user agents.

    • Storing the user agent in a session variable might not be a good idea if you’re doing comparisons – just pull it from the $_SERVER array when you need it.

    • 0