Does it make any sense to validate the actual names of $_GET and $_POST variables to make sure that only allowed variables are entered?
For example, let's say a PHP script showing a forum thread expects a query string like this:
index.php?threadid=5&orderby=lastpost&sort=asc
Does it add any more security to validate that only 'threadid', 'orderby' and 'sort' can be used as variable names?
For example, if someone adds &dostuff=true to the string, there will be some type of error. Just want to know if this will help make a script more secure in any way.
Thanks
As long as you do not have register_globals activated I don't see any value in validating the field names. You typically know beforehand which variables you need and will validate their values accordingly.
With register_globals on (which is highly discouraged), variables from a request could hide your own uninitialized variables. More on this here: http://www.php.net/manual/en/security.globals.php
As long as register_globals is not enabled, there is no risk in continuing your script execution if unwanted keys exist in $_GET/$_POST.
If a script is available on the internet, then it can be called by anyone and can be passed any variables that person decides to use. Just because you have a nice system setup where only a couple variables are used, hackers will try submitting many common variable names (via GET and POST) to see if they can crack in.
In short, ANYTIME you need to get the value of a GET or POST variable, you need to filter and/or sanitize it. PHP has a library for this (PHP5+, but PHP4 support stopped in 2007, so it's not good to use). There are other libraries out there in various frameworks, if you need more advanced functionality, such as Zend Framework's Zend_Filter.
http://www.w3schools.com/php/php_ref_filter.asp
http://www.php.net/manual/en/book.filter.php
Here are some ways you can use it. The links above list all of the flags you can use.
Getting a POST variable, validating it:
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
Getting a POST variable, sanitizing it:
$url = filter_input(INPUT_POST, 'url', FILTER_SANITIZE_URL);
You can create your own filtering function if you really need to.
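The following is an added example, not code from the question or from any of the answers, that puts the advice above together for the thread-view request in the question: the three expected parameter names are kept as a whitelist, each value is validated with the filter extension, and unexpected names (such as dostuff) are logged rather than rejected. The extra orderby values besides 'lastpost', the default values, and the log message wording are assumptions made for the example. filter_var() is used instead of filter_input() so the function can be run from the command line with a constructed array; on a live request, filter_input(INPUT_GET, 'threadid', FILTER_VALIDATE_INT, ...) gives the same result.

```php
<?php
// Added example (not from the thread). Validates the index.php?threadid=..&orderby=..&sort=..
// request from the question against a whitelist of names and values.
declare(strict_types=1);

// The only parameter names the thread view expects (from the question).
const ALLOWED_KEYS    = ['threadid', 'orderby', 'sort'];
// Allowed values for the optional parameters (assumed for this example).
const ALLOWED_ORDERBY = ['lastpost', 'firstpost', 'title'];
const ALLOWED_SORT    = ['asc', 'desc'];

/**
 * Validates a query array (normally $_GET) and returns clean values,
 * or null when a required value is missing or malformed.
 * $post (normally $_POST) is only inspected to spot names sent in both.
 */
function validateThreadRequest(array $query, array $post = []): ?array
{
    // Unknown names are harmless with register_globals off, but a run of them
    // is a useful signal of parameter probing, so record them.
    $unexpected = array_diff(array_keys($query), ALLOWED_KEYS);
    if ($unexpected !== []) {
        error_log('thread view: unexpected parameters: ' . implode(', ', $unexpected));
    }
    // The same name in GET and POST is an ambiguous request; log that as well.
    $overlap = array_intersect_key($query, $post);
    if ($overlap !== []) {
        error_log('thread view: parameters in both GET and POST: ' . implode(', ', array_keys($overlap)));
    }

    // threadid must be a positive integer. FILTER_VALIDATE_INT returns false for
    // anything else, including a missing value (null) or an array (threadid[]=1).
    $threadId = filter_var($query['threadid'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($threadId === false) {
        return null;
    }

    // orderby and sort are optional but must come from a fixed list.
    // Strict in_array() also rejects array-valued parameters.
    $orderBy = $query['orderby'] ?? 'lastpost';
    $sort    = $query['sort'] ?? 'asc';
    if (!in_array($orderBy, ALLOWED_ORDERBY, true) || !in_array($sort, ALLOWED_SORT, true)) {
        return null;
    }

    return ['threadid' => $threadId, 'orderby' => $orderBy, 'sort' => $sort];
}

// Constructed inputs for demonstration.
var_dump(validateThreadRequest(['threadid' => '5', 'orderby' => 'lastpost', 'sort' => 'asc']));
var_dump(validateThreadRequest(['threadid' => '5', 'dostuff' => 'true'])); // valid; 'dostuff' is logged
var_dump(validateThreadRequest(['threadid' => 'abc']));                    // null: bad threadid
var_dump(validateThreadRequest(['threadid' => '5', 'orderby' => 'x']));    // null: unknown orderby
```

Note that the unknown-name check only produces a log line; the security work is done by the value checks, which is the point the answers above make. The threadid value comes back as an int, so later code can rely on its type.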
As far as cautiousness goes: good idea. But I also think there is not a big deal of practical value in it.
Since typical applications ignore unknown parameters anyway, there is no security risk, I believe. Yet actually I've considered creating log entries at least whenever array_intersect_assoc($_GET, $_POST) occurs. (Parameters should be present in one only, else it's a bit of an ambiguous request. Yet for another application I did exactly that for reliability reasons.)
Counter-point: CodeIgniter and/or Kohana do exactly what you suggested. They use predefined filter lists, and won't let you access unconfigured input variables. So obviously a common idea.
It will have no effect at all unless you're ever iterating over the contents of one of $_GET, $_POST et al. Most of the time, you use static keys with these variables, i.e. $_GET['orderby'] instead of $_GET[$orderByKey].
But then, even if you ever were to iterate over the values, correct handling of these values is preferable. For example, if you're outputting them in an HTML document, escape the data with htmlspecialchars, or use them as values in a prepared transaction (and not directly in the query string you construct) for database access.