Does an "If" statement need to be sanitized?

Square1

Hi All:

Should something like:

if ($_POST["whatever"] == "Y"){
echo "HELLO"
}

need to be

if (htmlentities($_POST["whatever"]) == "Y"){
echo "HELLO"
}

Weedpacket

You use [man]htmlentities[/man] on a string if you're preparing it to be displayed in an HTML document and you don't want it to be interpreted as HTML. Are you doing that here?

Square1

In this simple example, $_POST["whatever"] would not be displayed so as I understand it, sanitizing it for XSS is unnecessary.

On the other hand, then the following would be correct...

if ($_POST["whatever"] == "Y"){
echo htmlentities($_POST["ToBeDisplayed"])); 
}

Thanks

Square1

Better yet, would "if it is not seen in the source code it does not need htmlentities" a correct rule of thumb?

So the following htmlentities is not necessary:

header('Location: http://www.mysite.com?test='.htmlentities(($_POST["whatever"])));

Weedpacket

Square1 wrote:
would "if it is not seen in the source code it does not need htmlentities" a correct rule of thumb?

A correct rule of thumb would be: "it needs htmlentities if you're preparing it to be displayed in an HTML document and you don't want it to be interpreted as HTML".

Square1 wrote:
So the following htmlentities is not necessary:

No, but [man]urlencode[/man] is.

Ashley_Sheridan

Basically, in your first example it doesn't need escaping like that. In-fact, I do that all the time with switch statements. You only need to escape the data when it's being used for something outside of the PHP. So, if you're outputting user data to a browser, use something like htmlentities(). If you're sending it to the DB, then use mysql_real_escape_string() or similar. If you're passing it to the shell, then something like escapeshellarg() will do the trick. It's all about the context in which you're using the data.

Square1

Thank you all.

I've read where querystrings can be maliciously changed. Does urlencode negate that?

Ashley_Sheridan

Query strings come from the user, and anything that the user sends can be tampered with. There's not really a thing you can do about that except sanitise the data and treat everything that comes from the user as tainted.