We all know that all user data, GET/POST/Cookie etc etc needs to be validated for security.
But when do you stop, once it's converted into a local variable?
eg
if (isValidxxx($_GET['foo']) == false) {
throw InvalidArgumentException('Please enter a valid foo!');
}
$foo = $_GET['foo'];
fooProcessor($foo);
function fooProcessor($foo) {
if (isValidxxx($foo) == false) {
throw Invalid......
}
//other stuff
}
To me thats over the top. But what if you load the value from the database...
I hope I make sense :)