I'm aware of how to protect against SQL injection and stuff, and of validating user input, but I was wondering: if you are taking data from a user input field and the data is a string, how safe is this data to use inside your code for things like:

if ($i == $_POST['userinput']) {
    ....
}

The above is just an example to try to get across my question about what steps you need to take, and in what circumstances.

Obviously it wouldn't work in the above instance, but I'm just trying to prevent people from doing something like an include('whatever.php'), etc.

Thanks!

Accepted Answer

Making a comparison against a variable, like you show, is not dangerous in itself, so there's nothing to worry about there.

User input becomes potentially dangerous when used in an include statement, in a database query, in a file name, in an eval() call, in an HTML page, etc. Every one of those uses has one correct sanitation method.

Written by Pekka
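As an added example (not part of the question or of Pekka's answer), the PHP below walks through each of the contexts the answer lists and shows the handling that fits it: a plain comparison, an include, a database query, a file name, HTML output, and eval(). The PDO connection `$pdo`, the `pages/` and `uploads/` directories, the `users` table and the form field names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: $pdo is an existing PDO connection, and the directories
// pages/ and uploads/ exist next to this script.

declare(strict_types=1);

// 1. Comparison: not dangerous in itself. Reject non-strings first (a request
//    body of userinput[]=x makes $_POST['userinput'] an array) and compare
//    strictly, because == applies PHP's loose rules ("1e3" == "1000" is true).
function isExpected(string $expected, $input): bool
{
    return is_string($input) && hash_equals($expected, $input);
}

// 2. include: the input must never become part of the path.
//    Unsafe: include $_GET['page'] . '.php';   // ../../etc/passwd, php://, etc.
//    Safe: map the input onto a fixed allow-list and include only what it yields.
function pageFile(string $page): ?string
{
    $allowed = [
        'home'    => __DIR__ . '/pages/home.php',
        'contact' => __DIR__ . '/pages/contact.php',
    ];
    return $allowed[$page] ?? null;   // unknown page: null, nothing is included
}

// 3. Database query: parameterised, so the value never enters the SQL text.
//    Unsafe: "SELECT id, name FROM users WHERE name = '$name'"
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 4. File name: drop any directory component, then allow-list what remains.
function uploadPath(string $name): ?string
{
    $base = basename($name);                       // removes "../" and "/etc/"
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg|pdf)\z/', $base)) {
        return null;
    }
    return __DIR__ . '/uploads/' . $base;
}

// 5. HTML page: escape at output time, for the HTML text/attribute context.
function htmlText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 6. eval(): there is no sanitation method for this one. Never pass user
//    input to it; restructure the code instead.

// Request handling with the helpers above; every $_POST/$_GET value is untrusted.
$input = $_POST['userinput'] ?? '';

if (isExpected('yes', $input)) {
    // safe branch: the comparison itself cannot be abused
}

$page = $_GET['page'] ?? 'home';
$file = is_string($page) ? pageFile($page) : null;
if ($file !== null) {
    include $file;
}

$user = is_string($input) ? findUser($pdo, $input) : null;

echo '<p>You entered: ' . htmlText(is_string($input) ? $input : '') . '</p>';
```

The point of splitting it into one function per context is the one the answer makes: there is no single "clean" version of a string that is safe everywhere. The same value is fine to compare, must be mapped through an allow-list before it touches include or the file system, must travel as a bound parameter into SQL, and must be escaped for HTML only at the moment it is written into the page.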
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki