Background

I use .htaccess to redirect every URI to a single PHP file that displays the right page by calling different functions with different inputs based on the requested URI. I found myself checking user input twice: once in the handling PHP file, which checks first if everything is fine before calling the display function, and then again within the display function, to make sure nobody exploits the function by calling it with wrong parameters (e.g. with the username of someone else). This means that I need twice as many MySQL queries etc. for checking valid inputs.

I can't just check within a function because, based on those checks, the handling PHP file calls different functions. So I have to perform the checks at least there. But the more I think about it, the more I wonder if it is necessary to check again within a function. I started this because I was worried that somebody might call one of my functions with improper input, but I guess if somebody can call one of my PHP functions and pass wrong parameters, I'm pretty much screwed already, right? Because as far as I understand PHP, this would mean that this person already has access to my server, at least via a shell or something like that.

I should further add that I never ever call a function via a variable like discussed in this thread: Call PHP function from URL

Question

Is it a security risk not to check the parameters passed to a function within that function, if you already checked them before the function call?

Simeon
  • It's usually a good idea to check inside the function, just in case you call that function from somewhere that wasn't previously expected, as that may allow invalid values to be passed in. – Niet the Dark Absol Mar 19 '14 at 15:42
  • If the display functions also handle security, it serves two purposes, which should be avoided (imo). – Yoshi Mar 19 '14 at 15:46

2 Answers

Good rule of thumb - Pretend EVERYONE is out to pwn your app! (Yes, get out your tin foil hat!) Good practice would be to clean the data; for example, when putting data in a database, you should still clean it coming back out of the database.

Unless you are in a position where one of your functions is providing the parameters and there is no way to access the (potentially insecure) function except through the preparation function, then I would advise cleaning all data.

HTHs - Thanks, //P

YFP

Check out private, public and protected functions.

mathius1
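The visibility approach from the second answer, applied to the dispatcher described in the question, as an added example that is not part of the original thread. All class, method and data names are hypothetical, the user table is a constructed in-memory array standing in for the database, and PHP 8.0 or later is assumed.

```php
<?php
declare(strict_types=1);

// Hypothetical names throughout; constructed example, not code from the thread.
final class ProfilePage
{
    // $users is a constructed stand-in for the database lookup.
    public function __construct(private array $users) {}

    // The only public entry point: the dispatcher passes raw request data here,
    // and every check runs exactly once before any display code is reached.
    public function handle(string $requestedUser, ?string $sessionUser): string
    {
        // Format check on the untrusted URI segment.
        if (preg_match('/\A[a-z0-9_]{3,20}\z/', $requestedUser) !== 1) {
            return $this->renderError(400, 'Invalid username');
        }
        // Authorization check: a logged-in user may only view their own profile.
        if ($sessionUser === null || $sessionUser !== $requestedUser) {
            return $this->renderError(403, 'Forbidden');
        }
        if (!isset($this->users[$requestedUser])) {
            return $this->renderError(404, 'Not found');
        }
        return $this->renderProfile($requestedUser, $this->users[$requestedUser]);
    }

    // private: only code inside this class can call it, so it can rely on
    // handle() having validated and authorized the request already.
    private function renderProfile(string $name, array $row): string
    {
        // Output encoding stays here, at the point where data meets HTML.
        return sprintf('<h1>%s</h1><p>%s</p>',
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'));
    }

    private function renderError(int $status, string $message): string
    {
        http_response_code($status);
        return htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    }
}

$page = new ProfilePage(['alice' => ['email' => 'alice@example.test']]); // constructed data
echo $page->handle('alice', 'alice'), PHP_EOL; // request for the caller's own profile
echo $page->handle('alice', 'bob'), PHP_EOL;   // request for someone else's profile
// Calling $page->renderProfile(...) from out here throws an Error: the method is private.
```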