I realize that user input POST data needs to be escaped, but what about non-user POST data?
I would believe that one could take a snapshot of a web page and insert new malicious code into a form that would be submitted along with a $_POST, which could potentially cause issues, for example if $_POST contained PHP code. Is this a common or even possible vulnerability?
What about the following; would this be sufficient?
<?php
// Replaces every character outside [0-9A-Za-z._] with an underscore.
function strip_Bad_Chars($data){
    $data = preg_replace('/[^0-9a-zA-Z\.\_]/', '_', $data);
    return $data;
}

// Applies strip_Bad_Chars to a scalar, or to every value of an array,
// recursing so that nested arrays are handled as well.
function Sanitize($data){
    if(is_array($data)){
        foreach($data as $key => $value){
            $data[$key] = Sanitize($value);
        }
    }else{
        $data = strip_Bad_Chars($data);
    }
    return $data;
}
?>
No.
But all external data you use somewhere always needs to be sanitized, no matter whether it comes from a human being, a robot posing as one, or some other source.
However, none of this can be done using one sanitization method. Sanitization needs to be done individually for each way you plan to use the data. Running a global sanitization method on the data, like the one you show in your code, will only serve to break the data and will not provide sufficient security.
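The per-context approach the answer describes, as an added PHP example (this is not code from the question or from the answer): the same constructed POST values are encoded for an HTML page, encoded for an inline script, bound as SQL parameters, quoted for a shell, or validated as an integer, and the question's strip-everything filter is shown mangling a legitimate e-mail address. It assumes PHP 8 with the PDO SQLite driver; the function names and the sample values are assumptions made for the example.

```php
<?php
// Added example (not from the original question or answer): the same untrusted
// POST value made safe for each place it is used, instead of one global strip.
// Assumes PHP 8 with the PDO SQLite extension; all input is constructed inline.

declare(strict_types=1);

// Constructed sample of what an attacker-controlled $_POST might carry.
// The PHP tag inside the string is inert unless the application eval()s or
// include()s the value, which nothing here does.
$post = [
    'name'  => "O'Brien <script>alert(1)</script><?php system('id'); ?>",
    'email' => 'alice+test@example.com',
    'id'    => '42; DROP TABLE users',
];

// 1. HTML body or attribute context: encode, do not strip, so the data survives.
function forHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Inline JavaScript: JSON-encode with the hex flags so that </script> and
//    quote characters cannot break out of the script block.
function forJs(mixed $v): string {
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// 3. SQL: no escaping at all; bind the value so it is never parsed as SQL.
function insertUser(PDO $db, string $name, string $email): int {
    $stmt = $db->prepare('INSERT INTO users (name, email) VALUES (:name, :email)');
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();
}

// 4. Shell argument: quote the whole value as a single argument.
function forShell(string $s): string {
    return escapeshellarg($s);
}

// 5. Structured values: validate to the expected type and range, returning
//    null for anything that is not a positive integer.
function validId(string $s): ?int {
    $v = filter_var($s, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $v === false ? null : $v;
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');

echo "HTML:  ", forHtml($post['name']), "\n";
echo "JS:    var name = ", forJs($post['name']), ";\n";
echo "Shell: echo ", forShell($post['name']), "\n";
echo "SQL:   inserted row ", insertUser($db, $post['name'], $post['email']), "\n";
echo "id:    ", var_export(validId($post['id']), true), "\n";

// The stored values round-trip unchanged: nothing was mangled on the way in,
// and the SQL fragment in 'id' was simply rejected by validation.
$row = $db->query('SELECT name, email FROM users')->fetch(PDO::FETCH_ASSOC);
assert($row['name'] === $post['name'] && $row['email'] === $post['email']);

// For contrast, the question's strip-everything filter applied to the e-mail:
// the '+' and '@' are replaced, so a valid address is destroyed, and the result
// is still not safe in any context the filter did not anticipate.
echo "Stripped e-mail: ", preg_replace('/[^0-9a-zA-Z\.\_]/', '_', $post['email']), "\n";
```

Run it with `php example.php`. The point is that each sink gets its own, reversible or structural, protection at the moment of use (encoding for HTML and JavaScript, parameter binding for SQL, argument quoting for the shell, type validation for identifiers), and the original value is stored intact, whereas the single regex filter both loses data and provides no guarantee for any output context.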