Never trust data received from users, forms or requests. Always validate the expected format (e.g., numbers, emails) and sanitize/remove unexpected characters or content using appropriate techniques (filter_var, filter_input, etc.).
Unvalidated input may contain malicious commands or malformed content, leading to security issues like SQL injection and XSS. Validation and sanitization ensure your application only handles data in expected formats, reducing risks and errors.
Side-by-side examples engineers can pattern-match during review.
<?php
$age = $_GET['idade'];
if (\$age > 18) {
// proceed
}
?><?php
$age = filter_input(INPUT_GET, 'idade', FILTER_VALIDATE_INT);
if (\$age === false) {
// handle invalid input
} elseif (\$age > 18) {
// proceed
}
?><?php
$age = $_GET['idade'];
if (\$age > 18) {
// proceed
}
?><?php
$age = filter_input(INPUT_GET, 'idade', FILTER_VALIDATE_INT);
if (\$age === false) {
// handle invalid input
} elseif (\$age > 18) {
// proceed
}
?>From the same buckets as this rule.