How should I sanitize user data when integrating with a REST API for registration and authentication?

Question

I'm writing a Drupal module to integrate with a custom Java-based REST API for creating, authenticating, and managing user accounts. I'm using drupal_query_string_encode to encode the calls I'm making to the API.

Should I also use something like check_plain (or something else) to sanitize username, password, & email values before calling the API? I'm most concerned with getting the password handling right, since it would be difficult to change things once the code goes live and passwords are getting hashed.

Answer 1

If you are posting what the user entered to an external API, you shouldn't be sanitizing anything in Drupal, but do it in the API instead, since that is what will be storing the data etc.

Sanitizing only make sense to prevent SQL injection or to remove unwanted HTML being displayed. So you should only use check_plain to remove HTML from text input by a user before dispayed and db_query to make you SQL queries safe by using placeholders.

Answer 2

I'd agree with googletorp in that it's really up to the external API to do the sanitising in this case. I would do some basic sanity checking on the user input though to make sure all required values have been submitted. How much validation you do on them is up to you. Bear in mind that if you strongly validate the inputs before sending them to the API and the third party API rewrites the formats for the inputs they expect you could have some problems.