Do not call assert on unsanitized user input


Metadata

ID: php-security/assert-user-input

Language: PHP

Severity: Error

Category: Security

CWE: 95

Description

You should not call assert on unsanitized user input. The assert function is a debugging feature in PHP that evaluates an assertion and triggers an error when the assertion is false. On PHP 7 and earlier, a string passed to assert is evaluated as PHP code, so using unsanitized user input as the argument can lead to security vulnerabilities: a malicious user could execute arbitrary code.

To adhere to this rule and maintain good coding practices, always sanitize user inputs before using them in your code. You can create a function to sanitize the input, or use built-in PHP functions such as filter_var. Additionally, it’s generally a good idea to avoid using the assert function on user input altogether, even if it has been sanitized. Instead, use other methods to validate user input, such as comparison operators or regular expressions.
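The following is an added example, not code from the Datadog rule page: it shows how to validate request input with filter_var and a regular expression, as the paragraph above recommends, without ever handing untrusted text to assert. The parameter names (input, user), the numeric range and the username pattern are assumptions chosen for illustration.

```php
<?php
// Added example (not part of the Datadog rule page). Validates request
// parameters with filter_var() and preg_match() instead of assert().
// Parameter names, ranges and patterns are assumptions for illustration.

declare(strict_types=1);

/**
 * Returns the validated page size as an int, or null when the value is
 * missing, not an integer, or outside the allowed range. filter_var() with
 * FILTER_VALIDATE_INT never evaluates the input as code, and unlike assert()
 * it is not switched off by zend.assertions in production.
 */
function validatedPageSize(array $query): ?int
{
    if (!isset($query['input']) || !is_string($query['input'])) {
        return null;
    }
    $value = filter_var($query['input'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $value === false ? null : $value;
}

/**
 * Returns the username when it matches a strict allow-list pattern
 * (lowercase letters, digits, underscore, 3 to 32 characters), else null.
 * The regular expression is the whole validation step; no assert() is used.
 */
function validatedUsername(array $query): ?string
{
    $raw = $query['user'] ?? null;
    if (!is_string($raw) || preg_match('/\A[a-z0-9_]{3,32}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Constructed sample inputs standing in for $_GET.
$samples = [
    ['input' => '25',   'user' => 'alice_01'],  // both accepted
    ['input' => '0',    'user' => 'Bob'],       // rejected: below range / uppercase
    ['input' => 'a==1', 'user' => 'x'],         // rejected: not an int / too short
];

foreach ($samples as $i => $q) {
    $size = validatedPageSize($q);
    $user = validatedUsername($q);
    printf(
        "sample %d: size=%s user=%s\n",
        $i,
        $size === null ? 'rejected' : (string) $size,
        $user === null ? 'rejected' : $user
    );
}
```

Two properties make this preferable to an assert-based check even on PHP 8, where a string argument is no longer evaluated: the validation result is an ordinary return value the caller must handle, and it keeps working when assertions are compiled out with zend.assertions = -1, which is the usual production setting.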

Non-Compliant Code Examples

<?php
// Non-compliant: $_GET['input'] is attacker-controlled text passed straight
// to assert(); on PHP 7 and earlier a string argument is evaluated as code.
$data = $_GET['input'];
assert($data);

Compliant Code Examples

<?php
$data = $_GET['input'];
// sanitize_input() stands for a project-defined sanitizer (not a PHP
// built-in); the value reaches assert() only after it has been cleaned.
$data = sanitize_input($data);
assert($data);