dsrnu
 asked on

I check if $_GET value is valid by seeing if it is in a list of valid values. Do I also need to check if it's an integer, required and/or alphanumeric?

$_GET['string'] = 'gamma';

$valid_get_values = array('alpha', 'beta');

// whitelist check only
if (in_array($_GET['string'], $valid_get_values))
{
	// proceed with valid value
}
else
{
	exit();
}


// as opposed to a type check followed by the whitelist check

if (ctype_alpha($_GET['string']) && in_array($_GET['string'], $valid_get_values))
{
	// proceed with valid value
}
else
{
	exit();
}


PHP

Last Comment
Ray Paseur

8/22/2022 - Mon
haloexpertsexchange

That all depends on what you are trying to do with the information that you are using from the $_GET.
dsrnu

ASKER
I'd like to pass it to a DB transaction as well as shoot it back out to the user.
dsrnu

ASKER
What would be the difference, though?
haloexpertsexchange

Well, for one thing, this ctype_alpha($_GET['string']) checks to make sure that it is made up of letters; if you want to check to see if you have an alphanumeric string, then you need to use ctype_alnum.
If you are certain that you are only going to validly get values that are in that array, then checking to make sure that you have an alphanumeric string is kind of overkill, but it will not hurt either.
dsrnu

ASKER
From https://www.owasp.org/index.php/Data_Validation#Accept_known_good

Accept known good

This strategy is also known as "whitelist" or "positive" validation. The idea is that you should check that the data is one of a set of tightly constrained known good values. Any data that doesn't match should be rejected. Data should be:

    Strongly typed at all times
    Length checked and fields length minimized
    Range checked if a numeric
    Unsigned unless required to be signed
    Syntax or grammar should be checked prior to first use or inspection
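The validation the question and the OWASP list above describe, as an added example that is not part of the original thread and not the asker's code. It assumes a hypothetical helper name validateChoice() and a parameter named 'string' (as in the question); the sample $_GET arrays are constructed, and the database call is sketched against an assumed PDO connection. It applies the OWASP items in order (required, strongly typed, length checked, then whitelist) and uses a strict in_array() comparison, which the code in the question does not.

```php
<?php
// Added example, not code from the original thread. validateChoice() is an
// illustrative name; the sample $_GET arrays below are constructed.

declare(strict_types=1);

/**
 * Returns the canonical allowed value, or null when the input is missing,
 * not a string, too long, or not in the allowed set. The cheap checks run
 * first so in_array() only ever sees a short, well-typed string.
 */
function validateChoice(array $input, string $key, array $allowed): ?string
{
    if ($allowed === []) {
        return null;
    }

    // Required: the parameter must be present at all.
    if (!array_key_exists($key, $input)) {
        return null;
    }
    $value = $input[$key];

    // Strongly typed: a request like ?string[]=alpha makes PHP build an
    // array, which must be rejected before any string function sees it.
    if (!is_string($value)) {
        return null;
    }

    // Length checked: nothing in the allowed set is longer than its longest
    // member, so cap the input before comparing.
    $maxLen = max(array_map('strlen', $allowed));
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }

    // Whitelist: strict comparison (third argument true) so only an identical
    // string matches. Loose comparison treats numeric strings numerically,
    // e.g. in_array('1e1', ['10']) is true without the strict flag.
    return in_array($value, $allowed, true) ? $value : null;
}

// --- constructed sample inputs, standing in for real $_GET arrays ---
$allowed = ['alpha', 'beta'];
$cases = [
    'valid'    => ['string' => 'alpha'],
    'unlisted' => ['string' => 'gamma'],
    'missing'  => [],
    'array'    => ['string' => ['alpha']],          // from ?string[]=alpha
    'too long' => ['string' => str_repeat('a', 10000)],
    'case'     => ['string' => 'Alpha'],
];
foreach ($cases as $label => $get) {
    $result = validateChoice($get, 'string', $allowed);
    printf("%-9s => %s\n", $label, $result === null ? 'reject' : "accept '$result'");
}

// Using the validated value for the two purposes named in the thread.
// It is now one of the literal strings in $allowed, but it is still bound
// as a parameter in SQL and escaped on output rather than trusted on its own.
$choice = validateChoice(['string' => 'beta'], 'string', $allowed);
if ($choice === null) {
    http_response_code(400);
    exit('invalid value');
}

// Database: bound parameter, never interpolated ($pdo is an assumed
// PDO connection, so the call is left commented out here).
// $stmt = $pdo->prepare('SELECT id FROM items WHERE category = :c');
// $stmt->execute([':c' => $choice]);

// Output: HTML-escape even though the value came from the whitelist.
echo 'You chose: ' . htmlspecialchars($choice, ENT_QUOTES, 'UTF-8') . "\n";
```

The is_string() check is the one the question's code lacks: a whitelist lookup answers "is this one of my values", not "is this a string", and both in_array() and ctype_alpha() are handed whatever PHP parsed from the query string.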
ASKER CERTIFIED SOLUTION
haloexpertsexchange

dsrnu

ASKER
halo.. my thought is that doing the simpler validations would help performance, given that if I do an in_array check with an invalid/tampered lengthy $_GET value, that would result in slower performance... even though the time to process the in_array check isn't noticeable, I would say that the best-practice approach of doing simpler validation checks first makes the code more finely tuned.
SOLUTION
dsrnu

ASKER
Haven't seen your responses in a while, Ray! Glad to hear your input! =)
Ray Paseur

Thanks for the points.  Good luck with it, ~Ray