How necessary is using PHP filters?

Question

I'm a relative newbie to PHP and just making my way through the W3Schools tut.

The tut makes a big point of saying you must always filter external data (i.e. cookies, form data etc).

I'm writing a fairly simple system that talks with a third party Joomla extension. It's at a prototype stage where I'm just wanting to demonstrate the functionality in a minimum viable product.

Basically, I'd like to know... what's the worst that could happen in I don't filter content. Are we talking 'I might get a bunch of spam', or 'a good hacker could get root server access'?

Have hunted around online, but would love any of your experience / insight on the matter!

Answer 1

A good hacker could theoretically get root access. If you don't filter content that goes into database queries, the database will run whatever was put into the query. In that case, the hacker might be able to download a database full of usernames and passwords. Which you certainly don't want. Especially if your root passwords are in there because you've used the same password twice. Or they might just delete your database altogether. I've read reports of that happening.

Answer 2

If you don't filter the input data, your site will probably be prone to an SQL injection attack. Check this site. It contains a humorous comic, quite famous too. It depicts the problem of SQL injection quite clearly :).