
I check if $_GET value is valid by seeing if it is in a list of valid values. Do I also need to check if it's an integer, required and/or alphanumeric?

dsrnu
asked:
$_GET['string'] = 'gamma';

$valid_get_values = array('alpha', 'beta');

if (in_array($_GET['string'], $valid_get_values))
{
	// proceed with valid value
}
else
{
	exit();
}


// as opposed to

if (ctype_alpha($_GET['string']) && in_array($_GET['string'], $valid_get_values))
{
	// proceed with valid value
}
else
{
	exit();
}

Commented:
That all depends on what you are trying to do with the information that you are using from $_GET.

Author

Commented:
I'd like to pass it to a DB transaction as well as shoot it back out to the user.

Author

Commented:
What would be the difference though?

Commented:
Well, for one thing, ctype_alpha($_GET['string']) checks to make sure that it is made up of letters only; if you want to check whether you have an alphanumeric string, then you need to use ctype_alnum.
If you are certain that you are only going to validly get values that are in that array, then checking to make sure that you have an alphanumeric string is kind of overkill, but it will not hurt either.

Author

Commented:
From https://www.owasp.org/index.php/Data_Validation#Accept_known_good

Accept known good

This strategy is also known as "whitelist" or "positive" validation. The idea is that you should check that the data is one of a set of tightly constrained known good values. Any data that doesn't match should be rejected. Data should be:

    Strongly typed at all times
    Length checked and fields length minimized
    Range checked if a numeric
    Unsigned unless required to be signed
    Syntax or grammar should be checked prior to first use or inspection
Commented:
If you are going with that scheme, then I would say yes, double-check to make sure what you are getting is a valid string with only letters in it.
As long as the extra validation is not noticeably slowing down performance, you can't have too much validation on $_GET information, which is potentially prone to user interference.

Author

Commented:
Halo.. my thoughts are that doing the simpler validations first would help performance, given that if I do an in_array check with an invalid/tampered lengthy $_GET value, that would result in slower performance... even though the time to process the in_array check isn't noticeable, I would say that the best-practice approach of doing the simpler validation checks first makes the code more finely tuned.
Most Valuable Expert 2011
Top Expert 2016
Commented:
Chances are if you're evaluating the contents of a GET argument, you are dealing with people clicking links.  If so, your site only needs to run at the speed of the people, which is to say that the validation and sanitization are not a performance issue.

Here is a code snippet that shows how it's done.  DO NOT USE THIS DESIGN IF THE INPUT IS NUMERIC.
http://www.laprbass.com/RAY_validate_input.php

You might also want to learn about filter_var() -- it's not perfect yet, but it's pretty good.

Best, ~Ray
<?php // RAY_validate_input.php
error_reporting(E_ALL);


// SHOW HOW TO USE A PRE-DEFINED ARRAY OF VALUES TO CREATE A FORM AND TO VALIDATE THE INPUT FROM THE FORM
// GET METHOD PROCESSING WILL USE THE ARGUMENTS IN THE URL STRING - EASY TO EXPERIMENT WITH GOOD AND BAD INPUT VALUES


// THE ARRAY OF ACCEPTABLE VALUES
$good_values
= array
( 'Red'
, 'Green'
, 'Blue'
)
;

// IF THE FORM HAS BEEN FILLED IN OR THE URL HAS A VALUE
if (!empty($_GET["c"]))
{
    // IF THE POSTED VALUE IS NOT FROM OUR ORIGINAL DATA
    if (!in_array($_GET["c"], $good_values)) die("BOGUS INPUT");

    // PROCESS THE POSTED VALUE HERE
    echo "YOU CHOSE {$_GET["c"]} <br/>";
    die( PHP_EOL . "NICE CHOICE" );
}

// IF NOTHING IS POSTED YET, GENERATE THE HTML FORM TO RECEIVE THE DATA
echo "<form>";
echo "CHOOSE A COLOR";
echo "<select name=\"c\">";

// ITERATE OVER THE ARRAY TO PRODUCE THE CHOICES
foreach ($good_values as $g)
{
    echo "<option value=\"$g\">$g</option>" . PHP_EOL;
}
echo "</select>";
echo "<input type=\"submit\" />";
echo "</form>";
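The following is an added example, not code from the question or from any of the answers above, that puts the OWASP "accept known good" checklist quoted earlier (strongly typed, length checked, range checked if numeric) together with Ray's two notes: that a plain in_array() whitelist is not the right design for numeric input, and that filter_var() is the tool for that case. The function names validate_choice() and validate_int(), the maximum length, and the sample inputs are all constructed for this example.

```php
<?php
// Added example: whitelist validation of a $_GET parameter in the
// "accept known good" style, plus a range-checked integer variant.
// Function names, the length limit and the sample values are
// assumptions made for this example.

declare(strict_types=1);

/**
 * Return the whitelisted string, or null if the value is not acceptable.
 * Type check first: a URL of the form ?string[]=alpha makes $_GET['string']
 * an array, which string functions such as strlen() reject in PHP 8.
 */
function validate_choice($value, array $allowed, int $max_len = 16): ?string
{
    if (!is_string($value)) {                         // strongly typed
        return null;
    }
    if ($value === '' || strlen($value) > $max_len) { // length checked before the list scan
        return null;
    }
    // Third argument true makes in_array() compare with ===, so the match
    // is exact: no loose numeric comparison, no trailing-space variants.
    if (!in_array($value, $allowed, true)) {
        return null;
    }
    return $value;
}

/**
 * Return the integer if the value is an integer string within [$min, $max],
 * otherwise null. FILTER_VALIDATE_INT rejects strings such as "12abc" and
 * "1e2"; the min_range/max_range options enforce the numeric range.
 */
function validate_int($value, int $min, int $max): ?int
{
    if (!is_string($value)) {
        return null;
    }
    $result = filter_var($value, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    // 0 is a valid result here, so test against false explicitly.
    return $result === false ? null : $result;
}

// Constructed inputs standing in for $_GET values (not real requests).
$allowed = ['alpha', 'beta'];
$string_cases = [
    ['alpha', 'alpha'],           // valid
    ['gamma', null],              // not in the list
    ['alpha ', null],             // trailing space: not an exact match
    [['alpha'], null],            // ?string[]=alpha : array, rejected by the type check
    [str_repeat('a', 100), null], // too long, rejected before the list scan
];
foreach ($string_cases as [$in, $expected]) {
    $out = validate_choice($in, $allowed);
    $label = is_array($in) ? 'array' : var_export($in, true);
    printf("choice %-12s => %s\n", $label, var_export($out, true));
    assert($out === $expected);
}

// Numeric input: range [0, 100]; "0" is accepted, "-1" and "101" are not.
foreach (['42', '0', '-1', '101', '12abc', '1e2'] as $n) {
    printf("int    %-8s => %s\n", var_export($n, true), var_export(validate_int($n, 0, 100), true));
}
```

The order of the checks is the point of the asker's last comment: the cheap type and length tests run before the list scan, so an oversized or wrongly typed value never reaches in_array(). In Ray's form-driven snippet above, validate_choice($_GET["c"], $good_values) would replace the bare in_array() call and the rest of the flow stays the same.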


Author

Commented:
Haven't seen your responses in a while, Ray! Glad to hear your input! =)
Most Valuable Expert 2011
Top Expert 2016

Commented:
Thanks for the points.  Good luck with it, ~Ray