I have been writing PHP for quite some time and never really thought about it until now, but if I were to just use a raw POST variable in an if statement, does it have the slightest chance of being harmful? Or is it only harmful in mail, MySQL or file strings?
No. A string in itself is not harmful unless there’s a bug in PHP.
Strings can be harmful if you make specific assumptions about the data and use it in sensitive processes without validating them. Think about values you insert in SQL statements, file names, fragments used in eval (which you should never use anyway)…
You could basically say that these strings are all executed or used in an execution in some way.
If you get input from a user, and use that input without validation in those situations, you’re at risk.
Inside an if statement (I assume you’re talking about a string comparison, like if ($userInput === 'whatever')) this is not a problem at all. In this case, you’re only comparing data and nothing gets executed.
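The distinction drawn in the answer above, as an added example that is not part of the original answer: the same input string is compared, concatenated into SQL, and passed as a bound parameter. The `users` table, the function names and the sample value are constructed for illustration, and the code assumes the `pdo_sqlite` extension is available.

```php
<?php
// $input stands in for a raw $_POST['name'] value (constructed sample).
$input = "O'Brien";

// In-memory database so the example runs offline (assumes pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('O''Brien')");

// 1. Comparison: the string is only read as data, nothing is executed.
function isKnownName(string $value): bool
{
    return $value === "O'Brien";
}

// 2. Concatenation: the string becomes part of the SQL text, so the
//    quote inside it changes how the statement is parsed.
function findUnsafe(PDO $db, string $value): string
{
    try {
        $rows = $db->query("SELECT name FROM users WHERE name = '" . $value . "'");
        return 'rows: ' . count($rows->fetchAll());
    } catch (PDOException $e) {
        return 'query broke: ' . $e->getMessage();
    }
}

// 3. Bound parameter: the same string is sent as a value, never as SQL.
function findSafe(PDO $db, string $value): string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $value]);
    return 'rows: ' . count($stmt->fetchAll());
}

var_dump(isKnownName($input));
echo findUnsafe($db, $input), PHP_EOL;
echo findSafe($db, $input), PHP_EOL;
```

The comparison and the bound parameter both treat the apostrophe as an ordinary character; only the concatenated query lets it alter the statement.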