
If you are not using a database with your application, but you 'echo' or use a $_POST or $_GET variable in your code, do you need to escape them?

Like:

if (isset($_GET['test'])) {
  echo $_GET['test'];
}

or

function math() {
  if (isset($_GET['number'], $_GET['numberr'])) {
    return $_GET['number'] * $_GET['numberr'];
  }
  return null;
}
Neil Yoga Crypto
  • Basically it depends on what you are going to achieve. However, you should apply the `htmlspecialchars` function before outputting any variable from the user. – barell Mar 12 '14 at 22:52
  • If you're not using a DB there's really no information to worry about protecting. While they could do things that screw up the page they're looking at (like in the above comment), there isn't much long-term damage they can do, unless somehow they're getting access to a function like `exec` that could mess up your system. – Andrew Brown Mar 12 '14 at 22:58
  • @Andrew Brown, They could use your page as an attack page against others by posting a link to your page with a querystring that injects a cross-site script into it. And the person who clicks that link, not being web savvy, will think you did it. – developerwjk Mar 12 '14 at 23:00
  • fair point, XSS is a bitch – Andrew Brown Mar 13 '14 at 01:25

2 Answers


Even if you use a database you need to escape or sanitize them before printing. Someone could sneak in stray HTML like <b> that will make your whole page bold, or <script>alert('hello');</script> that will run JavaScript.

echo htmlspecialchars($_GET['test']);

This will replace all your < with &lt; and > with &gt; so that the HTML will be treated as text rather than HTML and will not mess up your page.

developerwjk

You should escape them. Also you should use regular expressions to limit the variable content, and to prevent "unintended" characters.

EDIT: Sorry to post this as an answer, I am currently not allowed to comment on questions.
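As an added example (not code from either answer or from the question), here is the output escaping from the first answer combined with the input validation the second answer recommends, applied to the question's two snippets. The helper names e(), intParam() and multiply(), and the constructed $query array standing in for $_GET, are assumptions; run it with `php` on the command line.

```php
<?php
// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES also converts single quotes (the pre-8.1 default does not),
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// For the arithmetic case in the question, validate instead of escaping:
// accept only a well-formed integer, otherwise return null.
function intParam(array $query, string $name): ?int
{
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $n = filter_var($query[$name], FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Same contract as the question's math(): the product, or null when either
// parameter is missing or is not an integer.
function multiply(array $query)
{
    $a = intParam($query, 'number');
    $b = intParam($query, 'numberr');
    return ($a === null || $b === null) ? null : $a * $b;
}

// Constructed sample input standing in for $_GET (no real request needed).
$query = [
    'test'    => "<script>alert('hello')</script>",
    'number'  => '6',
    'numberr' => '7abc',   // not a valid integer: rejected, not silently coerced
];

// What the question's snippet does (markup reaches the browser as-is)
// versus the escaped form, which the browser renders as literal text.
echo "Unescaped: " . $query['test'] . "\n";
echo "Escaped:   " . e($query['test']) . "\n";

// Rejected input gives null; valid input gives the product.
echo "Product:   " . var_export(multiply($query), true) . "\n";
$query['numberr'] = '7';
echo "Product:   " . var_export(multiply($query), true) . "\n";
```

Escaping is for the moment the value goes into HTML output; validating the numeric parameters with filter_var removes the need to run arithmetic on arbitrary strings at all.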