bugfroggy - 1 month ago
PHP Question

PHP Escaping Before Checking if Submitted

In PHP, do I need to escape form submissions before I check if they're empty?

i.e., would something such as

empty($_POST['email'])
be vulnerable to code injection, or not?

Answer

The OWASP site (https://www.owasp.org/index.php/Code_Injection) defines code injection as

Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application.

PHP's empty function determines whether a variable is empty or not. Since it is not really executing the code, it is safe.

What you do after empty matters. For example, if you plan to use $_POST['email'] as part of a SQL query, in an external shell command, or in HTML output, you need to escape it accordingly. Depending on the usage, there are escaping functions. For SQL injections, PHP provides mysql_real_escape_string. For shell commands, escapeshellcmd and escapeshellarg. For HTML output, to avoid XSS attacks, PHP provides htmlentities.
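The following is an added example, not code from the question or the answer above, showing the point the answer makes: empty() is run on the raw value, and the value is then protected differently in each of the three contexts the answer lists. It assumes php-cli with the pdo_sqlite extension and uses a constructed $post array in place of $_POST. Instead of mysql_real_escape_string it uses a PDO prepared statement, which is the current way to keep the value out of the SQL text; for HTML it uses htmlspecialchars, which covers the characters that matter for XSS.

```php
<?php
// Added example (not from the original question or answer).
// Assumes php-cli with pdo_sqlite; the table and the "submission" are constructed here.

declare(strict_types=1);

// Constructed submission standing in for $_POST. The value is deliberately hostile:
// it carries a SQL tautology, a shell command substitution and an HTML script tag.
$post = ['email' => "x' OR '1'='1; $(id) <script>alert(1)</script>"];

// 1. Presence check on the raw value. empty() only inspects the variable; nothing in
//    the string is parsed or executed at this step, so no escaping is needed here.
if (empty($post['email'])) {
    exit("email is required\n");
}
$email = $post['email'];

// 2. SQL context: a prepared statement sends the value separately from the query,
//    so the quote and the OR clause are compared as literal text, never parsed as SQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email) VALUES ('alice@example.com')");

$stmt = $pdo->prepare('SELECT id FROM users WHERE email = :email');
$stmt->execute([':email' => $email]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
// Expect 0: the injected "OR '1'='1" did not widen the query.
printf("SQL: %d matching row(s)\n", count($rows));

// 3. Shell context: escapeshellarg() wraps the value in single quotes and escapes any
//    embedded quote, so $(id) reaches the program as literal text, not as a substitution.
$cmd = 'printf %s ' . escapeshellarg($email);
printf("Shell command: %s\n", $cmd);
printf("Shell output:  %s\n", shell_exec($cmd));

// 4. HTML context: encode at output time. ENT_QUOTES also covers the single quote,
//    which matters inside attribute values.
$html = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
printf("HTML: <input name=\"email\" value=\"%s\">\n", $html);
```

Each context gets its own treatment at the point of use; escaping once "on the way in" would pick one context and leave the others exposed. Rejecting malformed input up front with filter_var($email, FILTER_VALIDATE_EMAIL) is a separate check that belongs in a real handler but is left out here so the hostile value reaches all three sinks.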