We all know that all user data, GET/POST/Cookie etc. needs to be validated for security.

But when do you stop, once it's converted into a local variable?

e.g.

// isValidxxx() stands for whatever validation rule applies to "foo"
if (isValidxxx($_GET['foo']) == false) {
  throw new InvalidArgumentException('Please enter a valid foo!');
}

$foo = $_GET['foo'];
fooProcessor($foo);

function fooProcessor($foo) {
  // the same check repeated inside the function
  if (isValidxxx($foo) == false) {
    throw new InvalidArgumentException('Please enter a valid foo!');
  }
  // other stuff
}

To me that's over the top. But what if you load the value from the database...

I hope I make sense :)

+1  A: 

You're overthinking this.

Validate everything that needs to be validated (i.e., all user input), once in a code path, at a point late enough where it can't be mutated by the user in the same server session.

Doesn't really matter when. Just be consistent and do whatever you need to do to keep your code readable and maintainable.

Platinum Azure
"Doesn't really matter when", as long as the data can't be mutated after you do it...
Graham Lee
"You're overthinking this." Indeed I am....
Wizzard
@Graham Lee: That's a good point, I should have made that more clear.
Platinum Azure
+2  A: 

The key point is that external (user) input to your program cannot be trusted, and needs to be validated before use. It doesn't matter whether that input is derived from a web form, a configuration file, or a user-accessible database. A user of your code can always provide garbage values, either maliciously or by accident. But once the validation has happened, there is no point in re-validating the values - you must trust your own components.

A database under the sole control of your code can be thought of as just another component of your trusted system. The values in such a database need not be validated, unless you have reason to believe they may be corruptible due to external circumstances. For example, you may want to validate values transferred over a network.

ire_and_curses
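The pattern the question's fooProcessor is reaching for, and the "validate once at the boundary, then trust your own components" advice in the two answers above, as an added example (not code from the question or from either answerer). Names such as FooId, fooProcessor and the validation rule for "foo" are assumptions made for this example:

```php
<?php
// Added example (not from the original question or answers): validate once at the
// trust boundary, then carry the value in a type that can only hold valid data.
// FooId, fooProcessor and the "foo" rule are placeholders chosen for this example.

declare(strict_types=1);

// A value that exists only if validation succeeded. Everything downstream accepts
// FooId, not a raw string, so there is nothing left to re-validate.
final class FooId
{
    private string $value;

    private function __construct(string $value)
    {
        $this->value = $value;
    }

    // The single validation point. Here "foo" is assumed to be a 1-16 character
    // identifier made of letters, digits and underscores.
    public static function fromUntrusted(mixed $raw): self
    {
        if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_]{1,16}\z/', $raw) !== 1) {
            throw new InvalidArgumentException('Please enter a valid foo!');
        }
        return new self($raw);
    }

    // Rows written by this application's own code are a trusted component (the
    // point made in the answer above); they are wrapped without re-running the check.
    public static function fromOwnDatabase(string $stored): self
    {
        return new self($stored);
    }

    public function value(): string
    {
        return $this->value;
    }
}

// Downstream code takes the type, so re-validation is impossible to forget
// and unnecessary to write.
function fooProcessor(FooId $foo): string
{
    return 'processed ' . $foo->value();
}

// Trust boundary: the request. Validate exactly once, here.
function handleRequest(array $get): string
{
    try {
        $foo = FooId::fromUntrusted($get['foo'] ?? null);
    } catch (InvalidArgumentException $e) {
        return 'error: ' . $e->getMessage();
    }
    return fooProcessor($foo);
}

// Constructed sample requests for this example.
echo handleRequest(['foo' => 'bar_42']), "\n";
echo handleRequest(['foo' => '<script>']), "\n";
echo handleRequest([]), "\n";
```

The design choice is that the type system, not a repeated if-statement, records that validation happened: a function that accepts FooId cannot be called with an unchecked string, so the question of "when do you stop" answers itself. fromOwnDatabase exists to make the trust decision explicit in code; if the database is shared with other writers, that is the method to replace with a validating one.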
A: 

Superglobals such as $_GET, $_POST, $_COOKIE, or $_SERVER CANNOT be altered by the user during the script. Once your script loads that's it. So you only need to validate them once when they come in. Doing it more than once doesn't make any sense and wastes CPU time.

Xeoncross
A: 

To answer your question, $_GET and $_POST should never be trusted. However, it's not a vulnerability until the variable is used. If you print it out, print($_GET['xss']), then you have an XSS vulnerability. If you insert this variable into the database and then print it out (like a forum post), then you have stored XSS, which is even worse.

You need to better understand the attacker's mindset. Variables like $_GET are sources of taint; function calls like print() and mysql_query() are sinks. A hacker is looking for sinks that he can influence with tainted variables. There are a lot of sinks in PHP and I recommend reading this black paper (or red paper, whatever, it's certainly not white...). Make sure to read the section on language vs programmer.

Rook
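The source-and-sink view from the answer above, as an added example that is not part of the original answer: the reflected and stored patterns it describes, each beside the sink-side defence (output encoding at the HTML sink, a bound parameter at the SQL sink). It uses an in-memory SQLite database through PDO so it runs offline; the posts table, the helper names and the sample input are constructed for this example.

```php
<?php
// Added example (not code from the original answer): taint sources and sinks,
// with the sink-side defence beside the vulnerable pattern. The table, helper
// names and sample input are constructed for this example.

declare(strict_types=1);

// Defence at the HTML sink: encode where the value meets the markup,
// regardless of where the value came from.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Reflected case. The first function is the pattern the answer warns about
// (tainted source straight into the HTML sink); the second protects the sink.
function reflectedUnsafe(array $get): string
{
    return '<p>' . ($get['xss'] ?? '') . '</p>';
}

function reflectedSafe(array $get): string
{
    return '<p>' . h((string)($get['xss'] ?? '')) . '</p>';
}

// Stored case: the value passes through the database first. The SQL sink is
// protected with a bound parameter; the HTML sink is protected at render time.
// Having been stored does not make the value safe for HTML output.
function storePost(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

function renderPosts(PDO $db): string
{
    $html = '';
    foreach ($db->query('SELECT body FROM posts ORDER BY id') as $row) {
        $html .= '<li>' . h($row['body']) . '</li>';
    }
    return '<ul>' . $html . '</ul>';
}

// Constructed sample input: a harmless marker string that would become
// markup if it reached the sink unencoded.
$tainted = '<b>not bold</b>';

echo reflectedUnsafe(['xss' => $tainted]), "\n";
echo reflectedSafe(['xss' => $tainted]), "\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT NOT NULL)');
storePost($db, $tainted);
storePost($db, "plain text with a quote ' in it");
echo renderPosts($db), "\n";
```

Running it shows the unsafe reflected output rendering the marker as markup while the safe version and the stored rendering print it as literal text. The point this adds to the answer is that the defence belongs at each sink: input validation decides what values are acceptable, but only encoding at the HTML sink and parameter binding at the SQL sink stop a value from being interpreted as code there.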