Question Overflow

Reputation: 11275

Is it Safe to use an Unfiltered $_GET Variable within the Switch Function?

How safe is it to use an unfiltered $_GET variable directly within a switch function as shown in the example below?

<?php

switch ($_GET['sort'])
{
    case "price":
        // Do something
        break;

    default:
        // Do something else
        break;
}

?>

Is it possible to compromise the security of my application if the $_GET variable only appears within this switch function throughout the entire PHP script?

ADD: For that matter, will an unfiltered $_GET variable cause a comparison operation to fail in a catastrophic manner?

Upvotes: 1

Views: 185

Answers (2)

Explosion Pills

Reputation: 191789

It is only unsafe to use the result of _GET or _POST, or any other data set by a user in code executed by an external program (e.g. queries and exec() calls). Echoing data received from a user is also unsafe if not encoded.

In other words what you are doing is fine.

Upvotes: 1

user7675

It's fine to test values from $_GET in a switch. That's validation in and of itself. The danger is when you let that value work its way into a filesystem path, or database query, or HTML block, or (shudder) eval'd code without context-appropriate sanitization.

Upvotes: 1
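
The pattern both answers describe, as an added example that is not part of the original thread: the switch acts as an allow-list, so only literals written in the script reach the query, and the raw value is encoded before it is echoed. The function name `orderByClause`, the `products` table and its columns are assumptions made for illustration.

```php
<?php

/**
 * Map the raw request value to a fixed ORDER BY clause.
 * Only string literals written in this file can end up in the SQL text;
 * the request value itself is never concatenated into the query.
 */
function orderByClause($raw): string
{
    // A missing parameter arrives as null and ?sort[]=x arrives as an array.
    // Treat anything that is not a string as "no preference".
    if (!is_string($raw)) {
        return 'name ASC';
    }

    switch ($raw) {
        case 'price':
            return 'price ASC';
        case 'newest':
            return 'created_at DESC';
        default:
            // Unknown values fall through to the default ordering.
            return 'name ASC';
    }
}

// Constructed sample inputs standing in for $_GET['sort'] ?? null.
$samples = ['price', 'newest', 'not-a-column', '<b>price</b>', ['price'], null];

foreach ($samples as $raw) {
    // Hypothetical table and columns; the ORDER BY part comes only from the switch.
    $sql = 'SELECT id, name, price FROM products ORDER BY ' . orderByClause($raw);

    // If the raw value is shown back to the user, encode it for the HTML context.
    $shown = is_string($raw)
        ? htmlspecialchars($raw, ENT_QUOTES, 'UTF-8')
        : '(non-string)';

    echo $shown, ' => ', $sql, PHP_EOL;
}
```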
