dsrnu
asked on
I check if $_GET value is valid by seeing if it is in a list of valid values. Do I also need to check if it's an integer, required and/or alphanumeric?
$_GET['string'] = 'gamma';
$valid_get_values = array('alpha', 'beta');
// third argument makes in_array() use strict (===) comparison
if (in_array($_GET['string'], $valid_get_values, true))
{
// proceed with valid value
}
else
{
exit();
}
// as opposed to
if (ctype_alpha($_GET['string']) && in_array($_GET['string'], $valid_get_values, true))
{
// proceed with valid value
}
else
{
exit();
}
That all depends on what you are trying to do with the information that you are using from $_GET.
ASKER
I'd like to pass it to a db transaction as well as shoot it back out to the user.
ASKER
what would be the difference though?
Well, for one thing, ctype_alpha($_GET['string']) checks to make sure that it is made up of letters; if you want to check to see if you have an alphanumeric string then you need to use ctype_alnum.
If you are certain that you are only going to validly get values that are in that array, then checking to make sure that you have an alphanumeric string is kinda overkill but it will not hurt either.
ASKER
From https://www.owasp.org/index.php/Data_Validation#Accept_known_good
Accept known good
This strategy is also known as "whitelist" or "positive" validation. The idea is that you should check that the data is one of a set of tightly constrained known good values. Any data that doesn't match should be rejected. Data should be:
Strongly typed at all times
Length checked and fields length minimized
Range checked if a numeric
Unsigned unless required to be signed
Syntax or grammar should be checked prior to first use or inspection
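As an added example (not code from the original question or from any of the answers), here is one way to put the OWASP points quoted above into the PHP check the question started with: the value is type checked, length checked and syntax checked before the allowlist membership test, and in_array() is called with strict comparison. The function name validate_choice, the constants and the sample inputs are this example's own, constructed to stand in for $_GET['string'] in different requests.

```php
<?php
declare(strict_types=1);

// Added example: allowlist ("accept known good") validation of a $_GET value.
// VALID_GET_VALUES and MAX_CHOICE_LENGTH are names chosen for this example.
const VALID_GET_VALUES = ['alpha', 'beta'];
const MAX_CHOICE_LENGTH = 16; // longest allowed value is 5 chars; keep a small bound

/**
 * Returns the accepted value, or null if the input is rejected.
 * Cheap checks run first so malformed or oversized input fails early.
 */
function validate_choice($raw, array $allowed = VALID_GET_VALUES, int $maxLen = MAX_CHOICE_LENGTH): ?string
{
    // 1. Strongly typed: a request like ?string[]=x makes $_GET['string'] an
    //    array, and a missing key is null. Accept only a string.
    if (!is_string($raw)) {
        return null;
    }
    // 2. Length checked: bounds the work the later checks do on hostile input.
    if ($raw === '' || strlen($raw) > $maxLen) {
        return null;
    }
    // 3. Syntax checked: the allowlist holds letters only, so anything else
    //    cannot match and is rejected before the membership test.
    if (!ctype_alpha($raw)) {
        return null;
    }
    // 4. Membership with strict comparison. Without the third argument
    //    in_array() compares loosely, so numeric-looking strings such as
    //    '1e1' and '10' count as equal; true avoids relying on that behaviour.
    if (!in_array($raw, $allowed, true)) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs: [label, input, expected result].
$samples = [
    ['valid value',          'alpha',               'alpha'],
    ['not on the list',      'gamma',               null],
    ['wrong case',           'Alpha',               null],
    ['array parameter',      ['alpha'],             null],
    ['missing parameter',    null,                  null],
    ['overlong junk',        str_repeat('a', 1000), null],
    ['non-alpha characters', 'alpha-1',             null],
];

foreach ($samples as [$label, $input, $expected]) {
    $result = validate_choice($input);
    $status = ($result === $expected) ? 'ok' : 'MISMATCH';
    printf("%-22s -> %-7s (%s)\n", $label, var_export($result, true), $status);
}

// Real request handling (skipped when run from the command line, where
// $_GET is empty): the validated value is one of the known literals, so it
// is safe to bind into a parameterised query and, escaped, to echo back.
if (PHP_SAPI !== 'cli') {
    $choice = validate_choice($_GET['string'] ?? null);
    if ($choice === null) {
        http_response_code(400);
        exit('invalid value');
    }
    echo htmlspecialchars($choice, ENT_QUOTES, 'UTF-8');
}
```

Run it with php on the command line to see each sample accepted or rejected; every rejection returns null rather than calling exit(), which leaves the caller free to decide how to respond. Even though the accepted value is a known literal, it is still bound as a query parameter and escaped with htmlspecialchars() on output, since each sink needs its own encoding regardless of how the input was validated.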
ASKER CERTIFIED SOLUTION
ASKER
halo.. my thoughts are that doing the simpler validations would help performance, given that if I do an in_array check with an invalid/tampered lengthy $_GET value, that would result in slower performance... even though the time to process the in_array check isn't noticeable, I would say that the best practice approach of doing simpler validation checks first makes the code more finely tuned.
SOLUTION
ASKER
Haven't seen your responses in a while, Ray! Glad to hear your input! =)
Thanks for the points. Good luck with it, ~Ray