Geek Answers Handbook

Should the function or caller be responsible for checking input?

I am doing a security audit on a rather large php application and wondering where I should enable user input confirmation.

Should I check the data and then send clean data with server-side functions, or should I rely on each function to do this my own checks? Or even both?

Is there any standard or best practice for this kind of thing?

Currently, the application works both inconsistently, and I would like to make things more consistent.

+7
security php user-input
source share
5 answers

You should definitely check the data from the outside as soon as possible. Depending on the architecture, authentication within responsible functions may be the second step, but it does not depend on authentication, but it checks the data when it enters your application.

The benefits of checking internal functions as a complement to the previous test are that it’s easier (and safer) to maintain the system, because (sloppier) developers after you can’t break the application. If you have an application with plugin support, for example. third-party plugins should also have safe features.

+6
source share

Both are the best answer. Data validation must be performed in each function that will process the data in order to avoid the development problem of Hope Driven Development ( HDD )

+8
source share

I think that if you can do both, and time / resources are not a problem, why not?

+2
source share

It depends on the application / definition of the application. But traditionally, your functions are used in places where $ object-> doSomething () does just that. Based on the check there, you prevent the ability to do something () of your OWN acccord, you know?

Also, if you continue checking out, you can easily manage it. There is no need to look for this internal function. Keep it OOP but like it more

$ data = $ validator-> sanitizeSomething ($ data); $ Object-> iNoToSpd ($ data);

this keeps your validation rules separate and easy to maneuver, as well as your internal functions.

To clarify, let's say you have a db object that adds an array to the table:

class db { function addRow($table, $associativeArray) { // primitive i know, just an example } }

Do you want your check to be there?

 function addRow($table, $associativeArray) { if( isset( $assiciativeArray['description'] ) { // validate } }

it would be stupid - you need to have the object in which you work,

 class product { function update() { if( $this->validate() ) { $this->db->addRow($this->toArray()); // or something, you get the idea, ya? } } function validate() { if( $this->description != "") { return true; } return false; } }
+2
source share

Checking on the backend is similar to checking passengers after they board a plane. The whole point of checking is to prevent the injection of elements that can drown your application. Therefore, you must check before entering the gate :)

+2
source share

More articles:


All Articles