Old 09-07-2008, 13:12   #26 (permalink)
hobolooter
Registered User
Join Date: Feb 2004
Location: USA
Posts: 83
Quote:
Originally Posted by Hunch
Ok, since you disagree, answer me a question:

I have a form which asks you to enter your name. It does nothing more than chuck your name into a database using a (mysqli/prepared statement), so that next time you come to the site, it can check for a cookie and greet you personally "Welcome back Hobolooter" style.

What needs to be validated by PHP?

Note: checking whether or not it's a valid name isn't an answer, because the discussion is about looking at this from a security perspective. I might decide I want to be called |-|µ|\|(|-| - is that a problem?

Prepared statements are touted as being more secure than using a normal query, because you cannot alter them and anything put in will be executed as such. You are correct in saying that that particular form input would not need validation. However, I'm paranoid and do not trust PHP and its plethora of security holes. Null characters, double encoding, etc. all scare me and lead me to believe something malicious is about to happen.

Besides, you must agree that it is at least good practice to validate, even when not necessary. If you have a field called name and someone enters numbers, or a phone number field and someone enters letters, it's good to have validation in the backend as well.
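Added example (not code from either poster): the name form from the thread, written with the mysqli prepared statement Hunch describes plus the backend validation hobolooter argues for. It assumes a table `visitors(name VARCHAR(64))` and an already-open `$mysqli` connection.

```php
<?php
// Added example, not the thread's own code. Assumes a `visitors` table with a
// `name VARCHAR(64)` column and an open mysqli connection in $mysqli.

function validate_name(string $raw): ?string
{
    // Require well-formed UTF-8 first, so the later length check is meaningful.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;
    }
    // Reject NUL and other control characters. They cannot break the prepared
    // statement, but they do break logs, cookies and string handling later on.
    if (preg_match('/[\x00-\x1F\x7F]/', $raw)) {
        return null;
    }
    $name = trim($raw);
    // Enforce the column length here so MySQL never silently truncates the
    // value (strict mode off) or rejects the whole insert (strict mode on).
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {
        return null;
    }
    // Anything else is accepted as data: "|-|µ|\|(|-|" is a valid name here.
    return $name;
}

function store_name(mysqli $db, string $name): bool
{
    // The placeholder keeps $name as a bound value; it cannot alter the query.
    $stmt = $db->prepare('INSERT INTO visitors (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

$name = validate_name($_POST['name'] ?? '');
if ($name === null) {
    http_response_code(400);
    exit('Please enter a name of up to 64 printable characters.');
}
store_name($mysqli, $name);

// HttpOnly/SameSite keep the cookie out of scripts and cross-site requests.
setcookie('visitor', $name, ['httponly' => true, 'samesite' => 'Lax']);
// Escape on output so the greeting renders the name as text, not as markup.
echo 'Welcome back ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
```

The prepared statement handles the SQL side on its own; the validation and the output escaping cover the places the post is worried about (NUL bytes, odd encodings) and the greeting itself.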