EnglishAdam

Reputation: 1390

Sanitize? When it doesn't output as HTML nor go into an SQL query

After looking through some sites (e.g. https://www.owasp.org/index.php/Main_Page) I found no EXPLICIT mention of what hazards the following process would open me up to:

A user answers a multiple choice question, sending a form with the "answer" as a hidden field.

The .php page takes it (validates it to have less than 100 characters), then takes the Correct Answer from the database. It compares the two (using the == comparison operator).

Then it sends:

 echo "Wrong! The correct answer is ".$correctAnswer; //a hack presumably will always be wrong!!!

Basically, what damage could there possibly be with letting user input (up to 100 characters) get stuck into

$playersAnswer = $_POST['checkAnswer'];

and

 if ($correctAnswer == $playersAnswer){ ....etc

The advantage for me is that I need not worry about any letters/symbols/characters in the user's answer being stripped or converted. Therefore I can use questions with full punctuation, foreign languages and even questions about JavaScript without fear!

Upvotes: 1

Views: 128

Answers (1)

Pekka

Reputation: 449783

If all you do is use the POST variable in a comparison:

$correctAnswer == $playersAnswer

there is no danger to this.

The danger begins where you use the variable - in HTML output, in a database query, in an exec() or eval() command...

Upvotes: 3
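The one thing worth seeing in working code, since the question hinges on the == operator, is how PHP's loose comparison treats two strings that both look numeric: it compares them as numbers, so a submitted value that is not byte-for-byte equal to the stored answer can still compare equal. The script below is an added example, not code from the question or the answer; it assumes constructed sample values standing in for the database answer and for $_POST['checkAnswer'], and shows a strict check (length limit plus hash_equals) beside the loose one.

```php
<?php
// Added example (not from the question or answer): PHP's loose comparison
// (==) versus a strict, byte-for-byte check of a quiz answer.

// Constructed sample value standing in for the Correct Answer from the database.
$correctAnswer = "1000";

// Constructed sample submissions standing in for $_POST['checkAnswer'].
// Each one is under the 100-character limit the question describes.
$submissions = ["1000", "1e3", "1000.0", " 1000", "abc"];

// The comparison as described in the question: loose equality.
// When both operands are numeric strings, PHP compares them numerically,
// so "1e3", "1000.0" and " 1000" all compare equal to "1000".
function checkLoose(string $correct, string $given): bool
{
    return $correct == $given;
}

// Strict alternative: enforce the length limit, then compare the raw bytes.
// hash_equals() is a constant-time string comparison from the standard
// library; === would also do, but hash_equals is the habit worth keeping.
function checkStrict(string $correct, string $given): bool
{
    if (strlen($given) > 100) {
        return false;
    }
    return hash_equals($correct, $given);
}

foreach ($submissions as $given) {
    printf(
        "%-8s loose: %-5s strict: %s\n",
        var_export($given, true),
        var_export(checkLoose($correctAnswer, $given), true),
        var_export(checkStrict($correctAnswer, $given), true)
    );
}
```

In a real handler, guard the call with is_string($_POST['checkAnswer'] ?? null) first: a field submitted as checkAnswer[] arrives as an array, which the typed parameters above would reject with a TypeError rather than silently comparing. Neither comparison lets the submitted value reach HTML, SQL or a shell, so the answer's point stands; the difference is only whether "1e3" is accepted as "1000".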
