Using $_POST directly after validation against a white list

Posted: Sat Aug 07, 2010 11:28 pm
by SidewinderX
I'm always skeptical of using requests directly, but my naive self sees nothing wrong with the following.

		$actions = array("create", "edit", "_create", "update", "delete", "complete");

		// isset() avoids an undefined-index notice when 'action' is absent; the third
		// in_array() argument forces strict (===) comparison against the allow-list.
		// Braces make the dynamic method call unambiguous (PHP 7 would otherwise parse
		// $this->$_POST['action']() as ($this->$_POST)['action']()).
		if(isset($_POST['action']) && in_array($_POST['action'], $actions, true))
			$this->{$_POST['action']}();
		else
			$this->index();
I did have a switch block with six different cases, and called the respective methods manually, but the code above reduces the code density and repetition. However, I am concerned that using $_POST directly will have a hidden security risk. Is there anything wrong with this? If so, would there be a better way, other than the aforementioned?
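The same allow-list dispatch written as a self-contained class, as an added example rather than the poster's code: the request value is used only as a key into an explicit map (so a method that exists on the class but is not listed can never be reached), non-string input such as action[]=x is rejected, and a missing key falls back to index(). The class, method names and inputs are constructed for illustration.

```php
<?php
// Added example, not the original post's code. Allow-list dispatcher for a
// form 'action' parameter; every name and input below is constructed.
class TaskController
{
    // Allow-list: request value => method name. The request string itself is
    // never used as a method name, so the class surface is not the allow-list.
    private const ACTIONS = [
        'create'   => 'create',
        'edit'     => 'edit',
        '_create'  => '_create',
        'update'   => 'update',
        'delete'   => 'delete',
        'complete' => 'complete',
    ];

    // $request stands in for $_POST so the example runs without a web server.
    public function dispatch(array $request): string
    {
        $action = $request['action'] ?? null;

        // Reject anything that is not a plain string (action[]=x arrives as an
        // array) or that is not an exact key of the allow-list.
        if (!is_string($action) || !array_key_exists($action, self::ACTIONS)) {
            return $this->index();
        }

        $method = self::ACTIONS[$action];
        return $this->$method();
    }

    public function index(): string    { return 'index'; }
    public function create(): string   { return 'create'; }
    public function edit(): string     { return 'edit'; }
    public function _create(): string  { return '_create'; }
    public function update(): string   { return 'update'; }
    public function delete(): string   { return 'delete'; }
    public function complete(): string { return 'complete'; }
}

// Constructed inputs exercising the normal path and the rejected cases.
$c = new TaskController();
assert($c->dispatch(['action' => 'delete']) === 'delete');    // allow-listed
assert($c->dispatch(['action' => 'dispatch']) === 'index');   // real method, not listed
assert($c->dispatch(['action' => ['delete']]) === 'index');   // array, not a string
assert($c->dispatch(['action' => 'Delete']) === 'index');     // exact match only
assert($c->dispatch([]) === 'index');                         // parameter missing
```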

Re: Using $_POST directly after validation against a white l

Posted: Sun Aug 08, 2010 12:01 am
by JakeJ
It depends on the data source. If it's user input, go educate yourself on sanitizing the data.

Re: Using $_POST directly after validation against a white l

Posted: Sun Aug 08, 2010 12:13 am
by SidewinderX
I am well aware of data sanitization methodologies. Perhaps I wasn't clear enough. How can unsanitized data get past my filter?

Re: Using $_POST directly after validation against a white l

Posted: Sun Aug 08, 2010 12:32 am
by JakeJ
There's always a way! 8O

But really... if you've taken the necessary precautions, there's nothing dangerous about $_POST. There's nothing about your bit of code that would pose any particular hazard.