We all know that all user data, GET/POST/Cookie etc etc needs to be validated for security.
But when do you stop, once it’s converted into a local variable?
e.g.
// Validate the raw request value once, at the boundary
if (isValidxxx($_GET['foo']) == false) {
    throw new InvalidArgumentException('Please enter a valid foo!');
}
$foo = $_GET['foo'];
fooProcessor($foo);

function fooProcessor($foo) {
    // Same check repeated inside the internal function
    if (isValidxxx($foo) == false) {
        throw new InvalidArgumentException('Please enter a valid foo!');
    }
    //other stuff
}
To me that's over the top.
But what if you load the value from the database…
I hope I make sense 🙂
The key point is that external (user) input to your program cannot be trusted, and needs to be validated before use. It doesn’t matter whether that input is derived from a web form, a configuration file, or a user-accessible database. A user of your code can always provide garbage values, either maliciously or by accident. But once the validation has happened, there is no point in re-validating the values – you must trust your own components.
A database under the sole control of your code can be thought of as just another component of your trusted system. The values in such a database need not be validated, unless you have reason to believe they may be corruptible due to external circumstances. For example, you may want to validate values transferred over a network.
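One way to make the answer's trust boundary explicit in the questioner's code, as an added example (not code from the original post): validation happens once, and the internal function accepts a type that can only be produced by that validation, so it has no reason to re-check. The class name, the slug rule for "foo" and the sample inputs are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical value type: holding a ValidFoo means the check already ran.
final class ValidFoo
{
    private function __construct(private string $value) {}

    // Trust boundary: the only way in from untrusted input (GET/POST/cookie).
    // Assumed rule: 1-20 chars of letters, digits, underscore or dash.
    public static function fromUntrusted(mixed $raw): self
    {
        if (!is_string($raw) || preg_match('/^[A-Za-z0-9_-]{1,20}$/', $raw) !== 1) {
            throw new InvalidArgumentException('Please enter a valid foo!');
        }
        return new self($raw);
    }

    // Rows from a database under your code's sole control are already inside
    // the boundary (the answer's point), so they are wrapped without re-checking.
    public static function fromOwnDatabase(string $stored): self
    {
        return new self($stored);
    }

    public function value(): string { return $this->value; }
}

// Internal component: the parameter type guarantees validation happened,
// so no second isValidxxx()-style check is needed here.
function fooProcessor(ValidFoo $foo): string
{
    return 'processed:' . strtolower($foo->value());
}

// Constructed sample inputs standing in for $_GET['foo'].
$samples = ['Widget_42', '', 'bad value!', str_repeat('x', 21)];
foreach ($samples as $raw) {
    try {
        echo fooProcessor(ValidFoo::fromUntrusted($raw)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($raw), ' (', $e->getMessage(), ')', PHP_EOL;
    }
}

// Constructed value standing in for a column your own code wrote earlier.
echo fooProcessor(ValidFoo::fromOwnDatabase('stored_foo')), PHP_EOL;
```

Because `fooProcessor` is typed on `ValidFoo`, passing a raw string is a type error rather than a silently skipped check, which is what makes dropping the second validation safe.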