Do I need to sanitize JavaScript in the following situation?

My question is about sanitization. Do I need to sanitize the JavaScript in the following situation?

I'm sending a JavaScript array as JSON to PHP via AJAX. The array will be manipulated in PHP, then some of the data will be posted to MySQL. Please note that at no time does the user write values themselves. The array is created based on the buttons the user clicks.

On further reading

Based on Sanitize (radio buttons, checkboxes and <option>) I'm assuming that I need to sanitize the JavaScript. If this is correct, what sanitization would you recommend I do?

The array I'm using is a multidimensional array like Array[5][3]=2. It should only contain number values.

There is only one simple rule you need to know about sanitization:

  1. Never trust the client.

So, following this rule means that it does not matter whether you sanitize the input on the client or not. You still need to sanitize it on the server.

To dive deeper into your specific case, trusting JavaScript alone to do the job is not enough as some people may not have JavaScript enabled. Or, somebody with a malicious intent could make those HTTP calls from outside the browser environment skipping JavaScript altogether.

Don't think of it as 'sanitizing JavaScript'; you have to always be aware of ALL input or values that you use in a SQL query, or output directly to the screen.

It should be quarantined, not sanitized; however, you can get fairly close to 'safe' by sanitizing and checking max length, etc.

Keep in mind most attacks don't come as simple "DROP FROM BLAH WHERE BLAH BLAH"; they are complex attacks utilizing specific vectors for, say, Microsoft SQL Server or MySQL versions, etc.

It might be hex/ASCII or it might be Cyrillic alphabet, you never know.


Never trust any input.
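Both answers above make the same point: whatever the page's buttons produce, the PHP side has to treat the posted JSON as untrusted and check it against what the server expects before it goes anywhere near MySQL. The following is an added example illustrating that, not code from the question or from either answer. It assumes the request body is a JSON array of arrays of integers (the shape described in the question), a PDO connection named `$pdo`, and a hypothetical table `button_grid` with columns `row_index`, `col_index` and `value`; the size and value limits are constructed for the example.

```php
<?php
// Added example (not from the question or either answer): server-side
// validation of the posted grid, done regardless of what the browser did.
// Assumed: body is a JSON array of int arrays; $pdo is an open PDO handle;
// table button_grid(row_index, col_index, value) is hypothetical.

declare(strict_types=1);

const MAX_ROWS  = 10;   // constructed limits: anything larger is rejected
const MAX_COLS  = 10;
const MIN_VALUE = 0;
const MAX_VALUE = 100;

/**
 * Validate the raw request body. Returns the grid as nested PHP ints, or
 * null if anything about it is not what the server expects. Nothing is
 * "cleaned up": a value that is not a plain in-range integer is rejected.
 */
function validateGrid(string $json): ?array
{
    // depth 3 = outer array, row array, scalar; deeper nesting fails to decode
    $data = json_decode($json, true, 3);
    if (!is_array($data) || count($data) === 0 || count($data) > MAX_ROWS) {
        return null;
    }
    $clean = [];
    foreach ($data as $r => $row) {
        // a JSON object decodes to string keys and is rejected here
        if (!is_int($r) || !is_array($row) || count($row) === 0 || count($row) > MAX_COLS) {
            return null;
        }
        $cleanRow = [];
        foreach ($row as $c => $value) {
            // is_int() rejects "2", 2.5, true and null; an oversized JSON
            // number decodes as float and is rejected for the same reason.
            if (!is_int($c) || !is_int($value) || $value < MIN_VALUE || $value > MAX_VALUE) {
                return null;
            }
            $cleanRow[$c] = $value;
        }
        $clean[$r] = $cleanRow;
    }
    return $clean;
}

/**
 * Store an already validated grid with a prepared statement, so the values
 * travel as bound parameters and are never spliced into the SQL text.
 */
function storeGrid(PDO $pdo, array $grid): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO button_grid (row_index, col_index, value) VALUES (:r, :c, :v)'
    );
    $pdo->beginTransaction();
    foreach ($grid as $r => $row) {
        foreach ($row as $c => $v) {
            $stmt->execute([':r' => $r, ':c' => $c, ':v' => $v]);
        }
    }
    $pdo->commit();
}

// Constructed inputs: what the page's buttons would send, and two bodies
// that could only arrive from something other than the page (e.g. curl).
$good = '[[1,2,3],[4,5,6]]';
$bad  = '[[1,2,"3 OR 1=1"],[4,5,6]]';
$huge = '[' . str_repeat('[1],', 500) . '[1]]';

var_dump(validateGrid($good) !== null);  // bool(true)
var_dump(validateGrid($bad));            // NULL
var_dump(validateGrid($huge));           // NULL

// In the real request handler:
// $grid = validateGrid(file_get_contents('php://input'));
// if ($grid === null) { http_response_code(400); exit; }
// storeGrid($pdo, $grid);
```

Two details worth noting. `JSON.stringify` turns the holes of a sparse JavaScript array (such as one built only by assigning `Array[5][3]=2`) into `null` entries, which `validateGrid` rejects, so the client should send a dense array; that is deliberate, since the server should describe exactly one acceptable shape rather than guess at what the browser meant. And the check-then-prepared-statement split matters: validation decides whether the request is acceptable at all (the "quarantine" in the second answer), while the bound parameters keep even accepted values out of the SQL text.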