Section 4.2.3

General
Validate all input and output at major system boundaries, such as between application and database, application and external service, etc.
PHP

In addition to $_GET and $_POST, treat the $_SERVER and $_COOKIE arrays and remote file contents as tainted data. For critical applications $_SESSION may also be classed as tainted data.

Never use the $_REQUEST super-global array. It can conflate GET and POST data.

Turn register_globals off. It can create problems with pre-populated variables.
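The following is an added example, not part of the original standard, showing what "validate at the boundary" and "treat the super-globals as tainted" look like in practice: each value is read from the specific array it is expected in (never $_REQUEST), checked against an explicit whitelist or format before use, and encoded again on the way out. The function names (validate_user_id, validate_host, validate_session_token, render_username), the hostname and the sample request values are constructed for the example; filter_var(), htmlspecialchars() and the super-globals are standard PHP.

```php
<?php
// Added example (not from the original document). Helper names and sample values
// are hypothetical; filter_var(), htmlspecialchars() and PDO are standard PHP.
declare(strict_types=1);

// Every value read from $_GET, $_POST, $_COOKIE and $_SERVER starts out tainted.
// Read from the array you expect (not $_REQUEST, which merges GET/POST/COOKIE
// according to the request_order ini setting) and validate against a whitelist.

function validate_user_id(array $source, string $key): int
{
    // FILTER_VALIDATE_INT returns false for missing keys, arrays, non-digits,
    // and values outside the range, so "42 OR 1=1", "-1" and "1e3" all fail.
    $id = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException("$key must be a positive integer");
    }
    return $id;
}

function validate_host(array $server, array $allowed_hosts): string
{
    // $_SERVER['HTTP_HOST'] is the client-supplied Host header: pin it to known values
    // instead of echoing it into links, redirects or password-reset mails.
    $host = strtolower((string) ($server['HTTP_HOST'] ?? ''));
    if (!in_array($host, $allowed_hosts, true)) {
        throw new InvalidArgumentException('unexpected Host header');
    }
    return $host;
}

function validate_session_token(array $cookie, string $name): string
{
    // Cookie values are tainted; require exactly the format the application issues
    // (here: 64 lowercase hex characters, a constructed convention for the example).
    $token = $cookie[$name] ?? '';
    if (!is_string($token) || preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        throw new InvalidArgumentException('malformed session cookie');
    }
    return $token;
}

// Output boundary (application -> browser): encode for the HTML context.
function render_username(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample request, so the script runs from the CLI without a web server.
$get    = ['id' => '42'];
$server = ['HTTP_HOST' => 'app.example.test'];
$cookie = ['sid' => str_repeat('ab', 32)];

$userId = validate_user_id($get, 'id');                    // int(42)
$host   = validate_host($server, ['app.example.test']);    // "app.example.test"
$sid    = validate_session_token($cookie, 'sid');          // the 64-hex-char token

// Tainted input that does not match the expected shape is rejected, not cleaned up:
foreach ([['id' => '42 OR 1=1'], ['id' => '-1'], ['id' => ['1']], []] as $bad) {
    try {
        validate_user_id($bad, 'id');
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}

echo render_username('<b>alice</b>') . "\n";   // &lt;b&gt;alice&lt;/b&gt;

// Database boundary (application -> database): the validated, typed value is bound
// as a parameter, never concatenated into the SQL string. $pdo is assumed to be an
// open PDO connection (hypothetical, so the call is left commented out here).
// $stmt = $pdo->prepare('SELECT name FROM users WHERE id = :id');
// $stmt->execute([':id' => $userId]);
```

Note that validation happens where the data crosses the boundary into the application, and encoding happens where it leaves again; the two are separate steps, and skipping either one leaves a gap. The register_globals directive referred to above was removed in PHP 5.4.0, so on current PHP versions it cannot be enabled; the remaining point of that rule is that variables should only ever be populated explicitly from a named super-global, as the validators here do.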