Do not call assert on unsanitized user input

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Metadata

ID: php-security/assert-user-input

Language: PHP

Severity: Error

Category: Security

CWE: 95

Description

You should not call assert on unsanitized user input. The assert function is a debugging feature in PHP that evaluates an assertion and triggers an error when the assertion is false. Using unsanitized user input as the argument for an assert function can lead to security vulnerabilities, as it could allow a malicious user to execute arbitrary code.

To adhere to this rule and maintain good coding practices, always sanitize user inputs before using them in your code. You can create a function to sanitize the input, or use built-in PHP functions such as filter_var. Additionally, it’s generally a good idea to avoid using the assert function on user input altogether, even if it has been sanitized. Instead, use other methods to validate user input, such as comparison operators or regular expressions.

Non-Compliant Code Examples

<?php
$data = $_GET['input'];
assert($data);

Compliant Code Examples

<?php
$data = $_GET['input'];
$data = sanitize_input($data);
assert($data);
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: may/unit-testing