Software Development

Cleaning input enough?

Input validation is a well-known issue, but while writing some PHP code today I ended up with the following and I'm wondering whether I forgot something. Its only purpose is to make sure that no unsanitized variable enters a switch statement, for example.

  $page_action = '';
  if (isset($_POST['action'])) {
    // Whitelist: keep only letters, digits and '-', and accept the value only
    // when stripping everything else leaves it unchanged.
    if (preg_replace("/[^a-zA-Z0-9-]/", "", $_POST['action']) === $_POST['action']) {
      $page_action = $_POST['action'];
    }
  }
  switch ($page_action) {

For now, before I put the code online, I need to check that no $_POST variable enters the code unchecked. This also includes variables used in SQL statements, to eliminate SQL injection.
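A stricter version of the whitelist check, plus a bound parameter for the SQL case mentioned above, as an added example that is not the post's code; the action names, the pages table and its columns, and the helper names are assumptions:

```php
<?php
// Added example, not code from the original post. It assumes the switch
// handles a fixed set of action names (hypothetical: list, edit, delete)
// and that a "pages" table with id/title columns exists for the SQL part.

const ALLOWED_ACTIONS = ['list', 'edit', 'delete'];
const DEFAULT_ACTION  = '';

function clean_action(array $post, array $allowed = ALLOWED_ACTIONS): string
{
    // isset() does not guarantee a string: ?action[]=x arrives as an array,
    // and preg_replace() on an array returns an array, so strlen() or a
    // string comparison would misbehave. Reject anything that is not a string.
    if (!isset($post['action']) || !is_string($post['action'])) {
        return DEFAULT_ACTION;
    }
    $action = $post['action'];

    // Character whitelist as in the post: the value must be unchanged after
    // stripping everything outside [a-zA-Z0-9-].
    if (preg_replace('/[^a-zA-Z0-9-]/', '', $action) !== $action) {
        return DEFAULT_ACTION;
    }

    // Stronger than a character class: only names the switch actually
    // handles are let through. strict=true forces an exact string match.
    return in_array($action, $allowed, true) ? $action : DEFAULT_ACTION;
}

// For the SQL case: bind the value instead of concatenating it, so no
// character in $id can alter the statement.
function load_page(PDO $db, string $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample inputs: a valid action, a tampered one, an array
// smuggled in via action[]=edit, and a missing parameter.
foreach ([['action' => 'edit'], ['action' => 'edit; DROP'],
          ['action' => ['edit']], []] as $sample) {
    var_dump(clean_action($sample));
}

// In the page itself: $page_action = clean_action($_POST); then switch ($page_action).
```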

By Hans Spaans

Unix & security consultant with a passion for Linux, Solaris, PostgreSQL, Perl and network services, but also a strong believer in open and free source, standards and content.