Sanitize Variables, No Matter What
The part you already know
It’s obvious that you need to “sanitize” (validate) user input variables. Never trust user input! If you’re expecting a number, make sure the user didn’t enter alphabetic characters. Hackers (and clever web people) can “fake” an input into your form — even if you have JavaScript validation or use restrictive HTML inputs such as a combo box, the request that reaches your server can contain any value at all, so you always need to validate what the user is trying to insert into your database to avoid SQL injection attacks.
The part I recently learned
I built an e-commerce site that went through a PCI compliance audit (making sure the website is safe and secure, since we’re collecting credit card information).
If a user is not logged into the website but needs to be, they are redirected to the login page, and I add a parameter to the URL recording where they were coming “from” (so I can send them back there after they log in). This URL parameter is stored in a hidden text box, which is passed to the page that processes the login “action”. The value is never stored in my database; it’s merely used to decide where to send the user afterwards. So I didn’t think I had to sanitize it.
The scan this company ran (for the PCI compliance) detected that I had a hidden text box on my page, and put a (potentially) “malicious” string into the URL parameter that matched the text box’s name — simulating a cross-site scripting attack. Because the page wrote that parameter straight back into the hidden field’s value, whatever was in the URL became part of my HTML. I failed this part of the PCI compliance test because I was susceptible to the cross-site scripting attack, even though the code wouldn’t affect my database (it would ultimately just take the user to a URL that doesn’t exist).
Lesson learned
Sanitize and validate everything! By sanitizing this one extra value (which doesn’t even touch user data, or anything on my end), I passed this part of the PCI compliance.
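As an added example (not the author’s code), here is the login-redirect flow described above in PHP: the hidden field rendered the way the scan caught it and the way that passes, a check that the return path is a page on this site, and the “expecting a number” validation from the opening section. The parameter and field name `from`, the default destination `/account`, and the function names are assumptions, not taken from the post.

```php
<?php
declare(strict_types=1);

// Added example, not the original post's code. The "from" parameter and the
// "/account" default are assumed names standing in for the author's own.

// Vulnerable rendering: the URL parameter is copied into the attribute
// untouched, so a value that contains a double quote closes the attribute
// and the rest of the string is parsed as HTML.
function renderHiddenFieldVulnerable(string $from): string
{
    return '<input type="hidden" name="from" value="' . $from . '">';
}

// Hardened rendering: escape for the HTML attribute context. Quotes, angle
// brackets and ampersands become entities, so the browser treats the whole
// value as text regardless of what the URL carried.
function renderHiddenField(string $from): string
{
    $safe = htmlspecialchars($from, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="from" value="' . $safe . '">';
}

// Validate the value before it is used as a redirect target: accept only a
// relative path on this site. A missing, forged or off-site value falls back
// to the default page instead of being passed to header('Location: ...').
function validateReturnPath(?string $from, string $default = '/account'): string
{
    if ($from === null) {
        return $default;
    }
    // Must start with a single "/" (rejects "//host/..." and "http://..."),
    // followed only by characters that appear in a plain site path.
    if (preg_match('#\A/(?!/)[A-Za-z0-9_\-./?=&%]*\z#', $from) !== 1) {
        return $default;
    }
    return $from;
}

// The "expecting a number" case: accept only an integer in range, whatever
// options the form's <select> offered. Returns null when the input is bad.
function validateQuantity(mixed $raw, int $max = 99): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

// Login "action" handler, assembled from the pieces above.
function handleLogin(array $post, callable $checkCredentials): void
{
    if (!$checkCredentials($post['user'] ?? '', $post['pass'] ?? '')) {
        header('Location: /login?error=1');
        return;
    }
    header('Location: ' . validateReturnPath($post['from'] ?? null));
}

if (PHP_SAPI === 'cli') {
    // Constructed probe, the kind of string a scanner puts in the URL.
    $probe = '"><script>alert(1)</script>';
    echo renderHiddenFieldVulnerable($probe), "\n";   // attribute broken out of
    echo renderHiddenField($probe), "\n";             // rendered as inert text
    echo validateReturnPath($probe), "\n";            // falls back to default
    echo validateReturnPath('/cart?item=42'), "\n";   // kept: a local path
    echo validateReturnPath('//evil.example/'), "\n"; // falls back to default
    var_dump(validateQuantity('12'));                 // valid integer
    var_dump(validateQuantity('12abc'));              // rejected
}
```

The two halves of the fix address two different things: escaping on output is what stops the scanner’s string from executing in the page, and validating the path before the redirect is what makes the parameter safe to act on at all. Keeping them separate also means the same `validateReturnPath()` can be reused wherever the value is read, not only in the login handler.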
Like this style of writing? 👍👍 Interested in creating a PHP web application and already know what a “variable” is and the concept of an “if” statement? Check out my book: Web Development for Intermediate Programmers — with PHP