
Input validation for a switch needed?

Posted: Tue Nov 03, 2009 3:20 am
by alexander.watzinger
I have gotten into an endless argument with a friend about a theoretical security issue and input validation.

If you have code like this:


<?php
  $some_value = $_GET['some_field'];
 
  switch($some_value) {
    case 1:
      // do something
      break;
 
    case 2:
      // do something else
      break;
  }
 
  exit;
?>
The $some_value is used nowhere else in the code. If nothing in the switch matches, the script ends.

The question is: is there a security issue because the $_GET['some_field'] isn't validated before the switch?

He says yes but isn't able to tell me why, so I am asking here if you see a possible security issue with this code.

Re: Input validation for a switch needed?

Posted: Tue Nov 03, 2009 4:44 am
by kaisellgren
The Switch basically works as a white-list validation, so I see no problems there. Just be careful that many values are equal to 1 and 0, so your logic might fail in the worst case.
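
To illustrate the caveat in the reply above (an added example, not code from the thread): PHP's switch compares with ==, so numeric strings other than "1" can select case 1. The functions route() and routeStrict() and the sample inputs are constructed for illustration; route() mirrors the switch from the question and routeStrict() is a hypothetical stricter variant.

```php
<?php
// Added example. $_GET values arrive as strings or arrays, never as ints,
// so every comparison inside the switch is a loose string-to-int comparison.

function route($value): string
{
    switch ($value) {            // each case is tested with ==, not ===
        case 1:
            return 'case 1';
        case 2:
            return 'case 2';
    }
    return 'no match';
}

function routeStrict($value): string
{
    // Accept only the exact strings "1" and "2". Arrays (?some_field[]=1)
    // and numeric look-alikes fall through to 'no match'.
    if (!is_string($value) || !in_array($value, ['1', '2'], true)) {
        return 'no match';
    }
    return 'case ' . $value;
}

// Constructed sample inputs, as they could appear in $_GET['some_field'].
$samples = ['1', '2', '01', '1.0', '1e0', ' 1', '+1', '3', '', ['1']];

foreach ($samples as $sample) {
    printf(
        "%-8s loose: %-9s strict: %s\n",
        json_encode($sample),
        route($sample),
        routeStrict($sample)
    );
}
```

Strings with trailing non-numeric characters, such as "1abc", behave differently across versions: they compare equal to 1 before PHP 8 and not from PHP 8 onward, which is one more reason to compare strictly.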

Re: Input validation for a switch needed?

Posted: Wed Nov 04, 2009 6:56 am
by alexander.watzinger
kaisellgren wrote: The Switch basically works as a white-list validation
That's what I thought. Thanks for the confirmation.