Yesterday I took a part in interview for PHP developer postion. My job was to solve 15 questions quite simple test. One of the questions was to decide wether code similar to below should be treated as unsafe. I gave a wrong (as it turned out) answer and the argumentation from the other person on that interview was quite surprising (at least to me).

Code was something like that:

function someFunction($a)
{
    echo $a * 4;
}

someFunction($_GET['value']);

Possible answers were:

• always,
• only when register_globals is enabled,
• never.

You could get one point for correct answer and second one for giving good explanation (argumentation) on answer chosen answer.

My answer was third: this code is never unsafe. Plus argumentation: Because, this is just a simple equation. There are no file or database operations here, no streams, protocols, no nothing. It’s just an equation. Nothing else. Attacker is unable to do anything wrong with PHP script, not matter how malformed URL query he or she will try to execute. No chance.

I’ve got zero points. Neither my answer was correct, nor my argumentation was accepted. The correct answer was: this code is always unsafe — you should always escape, what you got from URL query.

My question is: Is this really good point of view? Do we really have to always use a rule of thumb, that anything taken directly from query is unsafe, if not filtered, escaped or secured in any other way? Does this means, that I teach my students an unsefe coding methodologies, becuase on very first PHP lecture they write a script for calculating a triangle area and they’re using unescaped, unfiltered params from URL in their task?

I understand, that security and writing safe code should be a matter of highest priority. But, on the other hand, isn’t that a little bit of safe-code-fascism (forgive me, if I offended someone) to threat any code unsafe, even it no one is able to do any harm with it?

Or maybe I’m completely wrong and you can do some harm on function that echoes times four, what you gave to it?