Regardless of the situation, in a web application context, the developer can never really trust the input sent from the client (such as data sent from the web browser). Client-side validations are great for improving the user experience and reducing some load on the server. Yet, with an intercepting proxy such as Burp Suite, all the client-side validations can easily be circumvented.
Furthermore, the super global arrays such as $_GET (containing the user input sent via the URL) and $_POST (containing the data sent via the HTTP message body) can be altered anywhere in your PHP code without any restrictions. In this tutorial, we will cover a few questions such as:
– What are the super global arrays?
– What is the difference between the POST and the GET methods?
– In which context should you use each method, and why?
– How can we fetch data from those arrays safely?
– What kind of data sanitization can be done when extracting data from those arrays?
– What kind of data validation and sanitization should not be handled in the context of the controller?
– Why should certain validations not be done in the controller context?
– Then, in which application layer should those validations be handled?
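Before going through those questions, here is an added example (written for this edit, not code from the original tutorial) of what "fetching data safely" from a super global array looks like on the server side: every value is treated as an untrusted string, parsed into the expected type, and checked against an explicit range or allow-list, with a safe default when the check fails. The helper names readInt(), readEnum() and readText() and the $get sample array are assumptions chosen for this illustration; a real controller would pass $_GET or $_POST in place of $get.

```php
<?php
// Added example, not from the original tutorial. Helper names are hypothetical.
// Every value in $_GET / $_POST is attacker-controlled text; the controller
// must turn it into a typed, bounded value before using it.

declare(strict_types=1);

/**
 * Read an integer from a super global array, or return $default when the key
 * is missing, is not a scalar string, or is not a well-formed integer in range.
 * FILTER_VALIDATE_INT rejects values such as "12abc", "1e3" or " 7 ".
 */
function readInt(array $source, string $key, int $default, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): int
{
    // ?id[]=1 arrives as an array, not a string, and must be rejected too.
    if (!array_key_exists($key, $source) || !is_string($source[$key])) {
        return $default;
    }
    $value = filter_var($source[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $value === false ? $default : $value;
}

/**
 * Read a string that must be one of a fixed set of allowed values (allow-list).
 * Useful for sort columns, modes, etc. Anything else falls back to $default.
 */
function readEnum(array $source, string $key, array $allowed, string $default): string
{
    $value = $source[$key] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : $default;
}

/**
 * Read free text: enforce a maximum byte length and reject control characters
 * (including NUL). No HTML escaping is done here; escaping belongs at output
 * time, in the view, where the destination context is known.
 */
function readText(array $source, string $key, int $maxLength): ?string
{
    $value = $source[$key] ?? null;
    if (!is_string($value) || strlen($value) > $maxLength) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $value) === 1) {
        return null;
    }
    return $value;
}

// Constructed sample request standing in for a real $_GET.
$get = [
    'page'  => '3',
    'sort'  => 'price DESC, id',  // not in the allow-list
    'limit' => '9999',            // above the maximum
    'q'     => "laptop\x00",      // embedded NUL byte
];

$page  = readInt($get, 'page', 1, 1, 10000);                        // 3
$limit = readInt($get, 'limit', 20, 1, 100);                        // 20 (default)
$sort  = readEnum($get, 'sort', ['name', 'price', 'date'], 'name'); // 'name'
$q     = readText($get, 'q', 100);                                  // null

var_dump($page, $limit, $sort, $q);
```

The point of the allow-list in readEnum() is that the controller never forwards raw request text into a query or a file name; it forwards one of the values it chose itself. Note that these helpers only establish the type and shape of each field; business rules (does this page exist, may this user sort by price) are the kind of validation the later questions place outside the controller.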
In this tutorial, I assume that you have a minimal understanding of the MVC architectural design pattern, a minimal understanding of web related technologies such as HTML5 and CSS3, and a minimal understanding of a modern C-based programming language such as C#, Java, or PHP.
All the source code provided for this tutorial can be used in any of your personal or professional projects without any fees or copyrights. Don’t hesitate to comment and share this article with your friends.
Jonathan Parent-Lévesque from Montreal