Securing $_post and $_get data before use

I have a question regarding the security of data posted to my app. I have code where I catch all the $_POST and $_GET data from the client and put it into an object's arrays. This object is then passed to functions where I need to access certain types of data (GETs, POSTs, SESSIONs, some configs, etc.).

I catch all the POSTs and GETs with this part of the code:

foreach ($_GET as $key => $value)       // STORE $_GET VALUES
{
    $this->_get[$key] = $value;
}

foreach ($_POST as $key => $value)      // STORE $_POST VALUES
{
    $this->_post[$key] = $value;
}

foreach ($_SESSION as $key => $value)   // STORE $_SESSION VALUES
{
    $this->_session[$key] = $value;
}

$this->_config = $config;

unset($config); // CLEAR $CONFIG VALUES

unset($_GET, $_POST /*, $_SESSION */); // CLEAR $_GET, $_POST FOR SECURITY ISSUES

At the end of that app file, I then write $this->_session back into $_SESSION, like this:

foreach ($in->_session as $key => $value)   // RESTORE $_SESSION VALUES
{
    $_SESSION[$key] = $value;
}

How can I escape, or do something else with, the GETs and POSTs so they can be "safely" used across the application? Sometimes I use these GETs to access the database, or to write data to the database, but I am not sure if it's safe.

Any suggestion?

Answers


You will want to escape the values before you store them in your object. I am not sure why you want to unset the original variables, but if you do that, I would recommend storing their original values in another object for debugging purposes.

foreach ($_GET as $key => $value)   // STORE $_GET VALUES
{
    $this->_get[$key] = $this->escape($value);
}

...

private function escape($value)
{
    // ... here you will have to escape against XSS or SQL injection
    return $escapedValue;
}

Here is a nice article to read about security:

PHP Security Cheat Sheet


I recommend that you filter and sanitize your values from $_POST and $_GET before storing them in objects.

Check out the documentation on the sanitize filters.
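Both answers above turn on the same decision: what to do with a request value, and when. The following is an added example (not code from the question or from either answer) of one way to arrange it in PHP 8: keep the stored copies raw, validate each value with filter_var or an anchored pattern at the moment it is read, bind it through a PDO prepared statement when it reaches SQL, and escape it with htmlspecialchars only when it is rendered as HTML. The Input class, the users table, the column whitelist and the sample request values are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example. The Input class, table, whitelist and sample request
// values are assumptions for illustration, not the original poster's code.

final class Input
{
    /** @var array<string, mixed> */
    private array $get;
    /** @var array<string, mixed> */
    private array $post;

    public function __construct(array $get, array $post)
    {
        // Store copies untouched: the right escaping depends on where the
        // value ends up (SQL, HTML, JSON, log line), which is not known yet.
        $this->get  = $get;
        $this->post = $post;
    }

    /** Integer within [$min, $max], or null. Rejects "12abc", "1e3" and arrays. */
    public function int(string $key, int $min = PHP_INT_MIN, int $max = PHP_INT_MAX): ?int
    {
        $raw = $this->get[$key] ?? $this->post[$key] ?? null;
        if (!is_string($raw)) {
            return null; // PHP turns "id[]=1" into an array; refuse it
        }
        $v = filter_var($raw, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => $min, 'max_range' => $max]]);
        return $v === false ? null : $v;
    }

    /** String matching an anchored pattern with a length cap, or null. */
    public function str(string $key, string $pattern = '/^[\p{L}\p{N} _.\-]{1,64}$/u'): ?string
    {
        $raw = $this->get[$key] ?? $this->post[$key] ?? null;
        if (!is_string($raw) || preg_match($pattern, $raw) !== 1) {
            return null;
        }
        return $raw;
    }

    /** E-mail address as accepted by filter_var, or null. */
    public function email(string $key): ?string
    {
        $raw = $this->post[$key] ?? $this->get[$key] ?? null;
        if (!is_string($raw)) {
            return null;
        }
        $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
        return $v === false ? null : $v;
    }
}

// Constructed sample request standing in for $_GET and $_POST.
$in = new Input(
    ['id' => '42', 'sort' => 'name'],
    ['email' => 'alice@example.com', 'comment' => '<script>alert(1)</script>']
);

// SQL context: a prepared statement sends the value separately from the
// query text, so the value itself is never escaped. Identifiers such as
// the ORDER BY column cannot be bound, so they come from a whitelist.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$pdo->exec("INSERT INTO users VALUES (42, 'Alice', 'old@example.com')");

$id    = $in->int('id', 1)   ?? throw new InvalidArgumentException('bad id');
$email = $in->email('email') ?? throw new InvalidArgumentException('bad email');

$sortCols = ['name' => 'name', 'email' => 'email'];
$sort = $sortCols[$in->str('sort') ?? ''] ?? 'name';

// Write path: the validated e-mail is bound, not concatenated.
$upd = $pdo->prepare('UPDATE users SET email = :email WHERE id = :id');
$upd->execute([':email' => $email, ':id' => $id]);

// Read path: same treatment, whitelisted identifier interpolated.
$stmt = $pdo->prepare("SELECT id, name, email FROM users WHERE id = :id ORDER BY $sort");
$stmt->execute([':id' => $id]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

// HTML context: escape at render time with explicit charset and quote flags.
// The raw comment stays available unchanged for any other destination.
$h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

$comment = $in->str('comment', '/^.{1,500}$/su') ?? '';
echo '<p>User: ' . $h($user['name']) . ' &lt;' . $h($user['email']) . '&gt;</p>' . PHP_EOL;
echo '<p>Comment: ' . $h($comment) . '</p>' . PHP_EOL;
```

Escaping inside the constructor, as the first answer sketches, commits every value to one output context before that context is known: a value escaped for HTML and then written to the database comes back double-escaped or mangled, and the same transformation does nothing for SQL, JSON or log injection. Keeping the raw copy and converting at each boundary avoids that, and the sanitize filters the second answer mentions fit the same place, at the point of use rather than at the point of capture. Running the script with `php example.php` (the pdo_sqlite extension must be loaded) prints the comment as inert text rather than executing it as script.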

