
Which FILTER_SANITIZE_* function for $_GET


I need to sanitize data that is coming from a $_GET variable, but I'm not sure which one to use from the list:

  • FILTER_SANITIZE_ENCODED

  • FILTER_SANITIZE_STRING

  • FILTER_SANITIZE_URL

This is my case:

I'm building a request handler class which should return variables from $_GET and $_POST. These values will be used in other classes.

Here is what I have done so far (still a rough draft):

class RequestHandler
{
    protected $getRequest;
    protected $postRequest;
    protected $cookieRequest;
    protected $sessionRequest;

    public function __construct($getRequest = null, $postRequest = null, $cookieRequest = null, $sessionRequest = null)
    {
        if ($getRequest)
            $this->setGetRequest($getRequest);

        if ($postRequest)   
            $this->setPostRequest($postRequest);

        if ($cookieRequest)
            $this->setCookieRequest($cookieRequest);

        if ($sessionRequest)    
            $this->setSessionRequest($sessionRequest);
    }

    public function setGetRequest($getRequest)
    {
        $this->getRequest = $getRequest;
        return $this;
    }

    public function setPostRequest($postRequest)
    {
        $this->postRequest = $postRequest;
        return $this;
    }

    public function setCookieRequest($cookieRequest)
    {
        $this->cookieRequest = $cookieRequest;
        return $this;
    }

    public function setSessionRequest($sessionRequest)
    {
        $this->sessionRequest = $sessionRequest;
        return $this;
    }

    public function getGetRequest()
    {
        return $this->getRequest;
    }

    public function getPostRequest()
    {
        return $this->postRequest;
    }

    public function getCookieRequest()
    {
        return $this->cookieRequest;
    }

    public function getSessionRequest()
    {
        return $this->sessionRequest;
    }

}

I can then use the class like this:

$a = new RequestHandler($_GET, $_POST, $_COOKIE, $_SESSION);

Where should I do this sanitization, in my setter or in my constructor?


Solution

  • You're writing a generic class to get data from an HTTP request.

    There is no sane way to sanitise it.

    To make data safe you need to consider two things (and you can't know either of them when writing a generic class for pulling data from an HTTP request):

    What the data is supposed to be

    Is the data supposed to be someone's date of birth? Then you need to check that it is a valid date.

    Is the data supposed to be someone's address? Then you need to be very careful about what you think is allowed.

    Is the data supposed to be raw HTML? If you plan on putting it in an HTML document then you have all sorts of risk and you need to think about how much you trust the person sending the data and/or using something like HTML Purifier to limit which tags and attributes can be used.

    Is the data supposed to be plain text? Well, it might include characters like < and ' which have special meaning in various places (HTML and SQL for example) and they might be used entirely legitimately in the context of whatever the text is talking about. You can't filter them out entirely without breaking what people are trying to say.

    Most of the time, you will want to either:

    • Allow a very narrow set of input or
    • Put no restrictions on input

    Where the data is going

    Usually, you make data safe by escaping it. How you escape it depends on where you put it.

    With SQL, you would generally use a prepared statement with placeholders. With XML, you would generally use a DOM library. With HTML you would usually use htmlspecialchars(). And so on.


    In short:

    • Don't focus on securing/filtering data as it comes into your program.
    • Do your filtering at the point in your program where you know what the data is supposed to be.
    • Deal with security risks just before you move the data from PHP to some other language or format.
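
An added example, not part of the original answer, of the approach it describes: validate a value where its meaning is known, store free text unmodified through a prepared statement, and escape only at the point of output. The field names, the `comments` table and the helper functions are hypothetical, the input array is constructed sample data, and the code assumes the pdo_sqlite extension is available.

```php
<?php
declare(strict_types=1);

// Constructed sample standing in for $_GET; the field names are hypothetical.
$get = ['dob' => '1990-02-30', 'comment' => "O'Reilly says 1 < 2 & <b>so on</b>"];

// Validate where the meaning is known: 'dob' must be a real Y-m-d date.
function parseDob(string $raw): ?DateTimeImmutable
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $raw);
    // createFromFormat() rolls impossible dates over into the next month,
    // so accept the value only if it survives a round trip unchanged.
    return ($d !== false && $d->format('Y-m-d') === $raw) ? $d : null;
}

// Free text is stored as typed; a placeholder keeps it out of the SQL grammar.
function saveComment(PDO $pdo, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Escape at the boundary, with the escaper that matches the destination.
function asHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function asUrlParam(string $s): string
{
    return rawurlencode($s);
}

$dob = parseDob($get['dob']);
if ($dob === null) {
    echo "dob rejected: not a valid date\n";
}

// Assumption: the pdo_sqlite extension is available; an in-memory DB is used.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (body TEXT NOT NULL)');
saveComment($pdo, $get['comment']);

$body = (string) $pdo->query('SELECT body FROM comments')->fetchColumn();
echo '<p>', asHtml($body), "</p>\n";
echo '<a href="/search?q=', asUrlParam($body), '">search</a>', "\n";
```

The same stored comment is emitted twice with different escaping, which is why a single sanitizing filter applied inside `RequestHandler` could not have been correct for both destinations.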