Do not call assert on unsanitized user input

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Metadata

ID: php-security/assert-user-input

Language: PHP

Severity: Error

Category: Security

CWE: 95

Description

You should not call assert on unsanitized user input. The assert function is a debugging feature in PHP that evaluates an assertion and triggers an error when the assertion is false. Using unsanitized user input as the argument for an assert function can lead to security vulnerabilities, as it could allow a malicious user to execute arbitrary code.

To adhere to this rule and maintain good coding practices, always sanitize user inputs before using them in your code. You can create a function to sanitize the input, or use built-in PHP functions such as filter_var. Additionally, it’s generally a good idea to avoid using the assert function on user input altogether, even if it has been sanitized. Instead, use other methods to validate user input, such as comparison operators or regular expressions.

Non-Compliant Code Examples

<?php
$data = $_GET['input'];
assert($data);

Compliant Code Examples

<?php
$data = $_GET['input'];
$data = sanitize_input($data);
assert($data);
https://static.datadoghq.com/static/images/logos/github_avatar.svg https://static.datadoghq.com/static/images/logos/vscode_avatar.svg jetbrains

Seamless integrations. Try Datadog Code Analysis

PREVIEWING: rtrieu/product-analytics-ui-changes