47
PHP seCurIty AntI-PAtterns
Validation by Type Process
A Complete Validation by Type
//remove possibility of vague and unintended processing
unset($_REQUEST);
//remove GET this script processes POST only
unset($_GET);
if(ctype_alnum($_POST['userName']))
{
$userName = $_POST['userName'];
$passHash = hash('sha256', $_POST['password']);
$pageID = intval($_POST['pageID']);
$email = filter_var($_POST['email'], FILTER_SANITIZE_EMAIL));
//immediately delete clear text password
unset($_POST['password']);
//remove possibility of future access to raw data
unset($_POST);
}
else
exit();
//update database with unescaped, unquoted variables
pdo->query('INSERT INTO users (userName, passHash, pageID)'
VALUES ($userName, $passHash, $pageID));
//update database ...