$_POST form validation/security 2

Status
Not open for further replies.

andrewgibbs

Technical User
Feb 18, 2004
Hi Everyone,

I'm pretty new to PHP, and I'm currently working on an academic project that uses PHP to implement security. My main query is: WHY does POST array data need to be validated for SECURITY purposes? I can understand for CONVENIENCE issues, but not really SECURITY. I would appreciate any comments - the more specific the better.
Thanks
Andrew
 
You can also pass scripts with the submitted data. One example was on my forum, where I had a strip for HTML tags but JavaScript passed somehow. Someone can post a JavaScript which opens as soon as you load a topic, as an example. Or execute SQL statements or command line commands.
 
Depending on what you do with/how you use your variables, people can indeed do nasty things like SQL injection and JavaScript stuff. Plus they can cause errors, and then they can use the information displayed by the error to try and hack your server.
So unless you can trust everyone who might have access to your page (I doubt you ever can) you must always validate passed variables to make sure they contain what you expect them to contain.
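
The three risks raised in the replies above (script in stored text, SQL injection, informative error output) map to three controls, shown here as an added example that is not part of the original thread. The field names, the `posts` table and the in-memory SQLite database are assumptions made for illustration, and the sample submission is constructed.

```php
<?php
// Added example: validate POST fields, store them with bound parameters,
// and encode them on output. Field and table names are hypothetical.

function validate_post(array $post): array
{
    $errors = [];
    // topic_id must be a positive integer and nothing else.
    $topicId = filter_var($post['topic_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($topicId === false) {
        $errors[] = 'topic_id must be a positive integer';
    }
    // author is checked against an allow-list pattern, not a block-list.
    $author = $post['author'] ?? '';
    if (!is_string($author) || !preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $author)) {
        $errors[] = 'author must be 3-20 letters, digits or underscores';
    }
    // body is free text: bound in length here, encoded at output time.
    $body = $post['body'] ?? '';
    if (!is_string($body) || $body === '' || strlen($body) > 2000) {
        $errors[] = 'body must be 1-2000 bytes of text';
    }
    return [$errors, ['topic_id' => $topicId, 'author' => $author, 'body' => $body]];
}

// Constructed sample submission standing in for $_POST.
$samplePost = ['topic_id' => '42', 'author' => 'andrew',
               'body' => 'Hello <script>alert(1)</script>'];

[$errors, $clean] = validate_post($samplePost);
if ($errors) {
    // Details go to the server log; the client gets a generic message.
    error_log('rejected POST: ' . implode('; ', $errors));
    http_response_code(400);
    exit("Invalid form data\n");
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (topic_id INTEGER, author TEXT, body TEXT)');

// Bound parameters: the submitted values are never parsed as SQL.
$stmt = $db->prepare('INSERT INTO posts (topic_id, author, body) VALUES (?, ?, ?)');
$stmt->execute([$clean['topic_id'], $clean['author'], $clean['body']]);

// Encode on output so stored markup is displayed as text, not run by the browser.
foreach ($db->query('SELECT author, body FROM posts') as $row) {
    echo htmlspecialchars($row['author'], ENT_QUOTES, 'UTF-8'), ': ',
         htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Running it from the command line requires the `pdo_sqlite` extension; in a real form handler `$samplePost` would be `$_POST`.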
 