Nate Nate -4 years ago 87
PHP Question

How do you signify that a variable is "unsanitized" in php?

I've written some basic websites and applications in php, but I've never really adapted any strict naming standard before, aside from how I name variables in which data from a MySQL database is stored, in which case I name it exactly the same as the column name (usually like a_column_name).

I know that it's really important to distinguish between "unclean" and "clean" variables, so that I don't accidentally end up allowing SQL injection or XSS to happen, but I'm unsure of what naming convention I should use.

Any advice?

Answer Source

I don't think that this is the right approach.

For one, a variable can be encoded in various ways, say for sql, urls, html,... You should also encode as close to the consumption as possible. i.e. html encode before outputting, sql escape before passing to mysql...

And of course in the case of sql, you should prefer prepared statements over building string queries.

So if you insist on a naming convention, you should base it on what escaping/encoding you applied to the content of that variable, and not what you didn't sanitize.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download