Input validation for a switch needed?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

alexander.watzinger
Forum Newbie
Posts: 2
Joined: Tue Nov 03, 2009 2:57 am
Location: Vienna, Austria

Input validation for a switch needed?

Post by alexander.watzinger »

I have gotten into an endless argument with a friend about a theoretical security issue and input validation.

If you have code like this:

<?php
  $some_value = $_GET['some_field'];
 
  switch($some_value) {
    case 1:
      // do something
      break;
 
    case 2:
      // do something else
      break;
  }
 
  exit;
?>
The $some_value is used nowhere else in the code. If nothing in the switch matches, the script ends.

The question is: is there a security issue because the $_GET['some_field'] isn't validated before the switch?

He says yes but isn't able to tell me why, so I am asking here if you see a possible security issue with this code.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Input validation for a switch needed?

Post by kaisellgren »

The Switch basically works as a white-list validation, so I see no problems there. Just be careful that many values are equal to 1 and 0, so your logic might fail in the worst case.
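
The caveat in the reply above, as an added example that is not code from either poster: PHP's switch compares with ==, so several distinct query-string values reach case 1, while an exact string check accepts only "1" and "2". The function names route_loose and route_strict and the input list are constructed for illustration.

```php
<?php
// Added example. Function names and sample inputs are constructed.

// Same dispatch as the snippet in the question: switch compares with ==.
function route_loose($raw): string
{
    switch ($raw) {
        case 1:
            return 'action-1';
        case 2:
            return 'action-2';
    }
    return 'none';
}

// Strict variant: only the exact strings "1" and "2" select an action.
function route_strict($raw): string
{
    if (!is_string($raw)) {
        // ?some_field[]=1 arrives as an array, a missing key as null.
        return 'none';
    }
    if ($raw === '1') {
        return 'action-1';
    }
    if ($raw === '2') {
        return 'action-2';
    }
    return 'none';
}

// Values as they could arrive in $_GET['some_field'] (always string or array).
// "1abc" matches case 1 on PHP 7 but not on PHP 8, where comparison of a
// number with a non-numeric string changed.
$samples = ['1', '2', '1.0', ' 1', '01', '+1', '1e0', '1abc', '3', '', ['1']];

foreach ($samples as $raw) {
    printf(
        "%-8s loose=%-9s strict=%s\n",
        json_encode($raw),
        route_loose($raw),
        route_strict($raw)
    );
}
```

The loose column shows which spellings the switch treats as the same case; whether that matters depends on whether anything else (logs, caches, later comparisons) sees the raw value.
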
alexander.watzinger
Forum Newbie
Posts: 2
Joined: Tue Nov 03, 2009 2:57 am
Location: Vienna, Austria

Re: Input validation for a switch needed?

Post by alexander.watzinger »

kaisellgren wrote: The Switch basically works as a white-list validation
That's what I thought. Thanks for the confirmation.