Using $_POST directly after validation against a white list

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

Using $_POST directly after validation against a white list

Post by SidewinderX »

I'm always skeptical of using requests directly, but my naive self sees nothing wrong with the following.

Code:

		$actions = array("create", "edit", "_create", "update", "delete", "complete");

		// The field is checked before it is read (no notice on a missing key) and
		// compared strictly. Braces keep the dynamic method call unambiguous:
		// PHP 7 parses $this->$_POST['action']() differently from PHP 5.
		if (isset($_POST['action']) && in_array($_POST['action'], $actions, true))
			$this->{$_POST['action']}();
		else
			$this->index();

I did have a switch block with six different cases, and called the respective methods manually, but the code above reduces the code density and repetition. However, I am concerned that using $_POST directly will have a hidden security risk. Is there anything wrong with this? If so, would there be a better way, other than the aforementioned?
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: Using $_POST directly after validation against a white l

Post by JakeJ »

It depends on the data source. If it's user input, go educate yourself on sanitizing the data.
SidewinderX
Forum Contributor
Posts: 407
Joined: Fri Jul 16, 2004 9:04 pm
Location: NY

Re: Using $_POST directly after validation against a white l

Post by SidewinderX »

I am well aware of data sanitization methodologies. Perhaps I wasn't clear enough. How can unsanitized data get past my filter?
JakeJ
Forum Regular
Posts: 675
Joined: Thu Dec 10, 2009 6:27 pm

Re: Using $_POST directly after validation against a white l

Post by JakeJ »

There's always a way! 8O

But really... if you've taken the necessary precautions, there's nothing dangerous about $_POST. There's nothing about your bit of code that would pose any particular hazard.
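The dispatcher from the first post, rewritten as an added example (not SidewinderX's code) with the checks a reviewer would ask for: an explicit action-to-method map, a string-type check on the request value, and an unambiguous dynamic call. The class name TaskController and its method names are assumptions.

```php
<?php
// Added example, not the poster's code: the whitelist dispatch from the
// first post, hardened. The class and method names are assumed.
final class TaskController
{
    // Map the public action vocabulary to method names explicitly. The request
    // value is then only ever used as an array key, never as a method name,
    // so renaming or adding a method cannot silently widen what is callable.
    private const ACTIONS = [
        'create'   => 'create',
        'edit'     => 'edit',
        '_create'  => 'createFromTemplate',
        'update'   => 'update',
        'delete'   => 'delete',
        'complete' => 'complete',
    ];

    /** @param array<string,mixed> $post Normally $_POST; passed in so it can be tested. */
    public function dispatch(array $post): string
    {
        $action = $post['action'] ?? null;
        // Reject a missing field and non-string values: a request body of
        // action[]=delete arrives as an array, not a string.
        if (!is_string($action) || !array_key_exists($action, self::ACTIONS)) {
            return $this->index();
        }
        // Braces make the dynamic call unambiguous under PHP 7+ syntax.
        return $this->{self::ACTIONS[$action]}();
    }

    public function index(): string              { return 'index'; }
    public function create(): string             { return 'create'; }
    public function edit(): string               { return 'edit'; }
    public function createFromTemplate(): string { return '_create'; }
    public function update(): string             { return 'update'; }
    public function delete(): string             { return 'delete'; }
    public function complete(): string           { return 'complete'; }
}

// Constructed sample inputs: a valid action, an array-typed action, a real
// method name that is not in the map, and a missing field.
$controller = new TaskController();
$samples = [['action' => 'delete'], ['action' => ['delete']], ['action' => 'dispatch'], []];
foreach ($samples as $post) {
    echo json_encode($post), ' -> ', $controller->dispatch($post), PHP_EOL;
}
```

Only the four listed keys ever reach a method call; 'dispatch' is a real method on the class but falls through to index() because it is not in the map.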