"Don't forget to sanitize"?? #164
-
I note the following in the wiki: "Oh hey and don't forget to sanitize any user input!" It seems to me the library itself should be doing that, and not depend on us. What exactly am I supposed to sanitize out of a QR code? What data would be dangerous to pass in to this generator? I genuinely don't know what I'm supposed to "sanitize". I've made a little utility page on a site that allows users to generate QR codes on the fly. What could they input that would be dangerous, and what should I do about it? |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments
-
It's the same like with database input: it's not the job of the database to sanitize data, that's why higher level sanitizing functions (e.g. |
Beta Was this translation helpful? Give feedback.
-
Ah okay. So not dangerous to my site, (e.g. code insertion/execution), but somebody could make a QR code that is dangerous to whomever scans it. I was thinking you meant if I didn't sanitize somebody could use this to hack my web site. |
Beta Was this translation helpful? Give feedback.
It's the same like with database input: it's not the job of the database to sanitize data, that's why higher level sanitizing functions (e.g.
filter_var()
,mysqli_real_escape_string()
) or even whole sanitizer libraries exist.If the QR encoder would try to "sanitize" the input data it would be most likely that the reading results were broken. Sanitization is specific to the expected input data. If you want to encode an URL, make sure, that the user input is limited to URL-like strings (
FILTER_VALIDATE_URL
), if you want to encode a Spotify URI (spotify:track:59WN2psjkt1tyaxjspN8fp
), make sure that the data only containsspotify:<type>:<[a-zA-Z0-9]>
and so on. There are even people who enco…