php - SOAP query variable, to escape or not to escape?


I'm building a bridge script in PHP to connect through SOAP to a local web services framework. This script is the only public access to the web services, and it takes values via GET, composes the query, sends it to the web services and returns the result via JSON. The variables the script takes should all be strings. (Any arrays get converted into strings).

My question is, since the only public access to the web services is through this script, is grabbing the parameters via $_GET['...'] and outputting them directly into the SOAP format for querying the safest method? Should I be performing some kind of escape on the GET values to complement the SOAP native escaping?

(I'm outlining the process below for clarity. The ** is where the question applies.)

  1. HTTP GET to script
  2. script stores GET value into variable **
  3. compose variable into format for SOAP query
  4. send composed query to SOAP server
  5. receive response from SOAP server
  6. output response as JSON

Thanks!


Answer

Solution:

It's really hard to understand from your question what you would want to escape, but let's walk through it.

Typically, you want to Filter-In, Escape-Out. What that means, is when you accept input from anywhere outside your application, you want to filter it.

But what does filter mean?

It means ensure that it's valid. If you're expecting an alpha-numeric user-name, and someone passes in one with symbols, reject it. That's filtering...

Then, when you go to output data, you want to escape it specifically for the context you're outputting.

So if you're writing it in an HTML body, you'd use something like htmlspecialchars. If you're sending to a database, you'd either use a prepared statement or escape it using a db-specific escaping algorithm.

So where does that leave us in your situation?

Well, you're sending it to a library for a SOAP request. That library should handle escaping for the SOAP request.

And considering you don't know what the remote service is going to do with it (contextually), escaping it is the job of the remote application.

So no, you shouldn't be doing any escaping.

But be sure to filter the input to make sure it is valid in the domain you're expecting...
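Putting the answer's "filter in, escape out" advice together with the six-step flow from the question, the following is an added example of the bridge script written the way the answer recommends. It is an illustration written for this page, not code from the question or the answer. The WSDL URL, the lookupAccount operation, and the parameter names account, region and from (with their validation rules) are assumptions; substitute the real service's contract. One deliberate design choice: array-valued parameters (?account[]=x) are rejected outright rather than converted to strings, because converting yields the literal string "Array" and hides a malformed request.

```php
<?php
// Added example (not from the original question or answer): a minimal
// GET -> SOAP -> JSON bridge following "filter in, escape out".
// Endpoint, operation name and parameter names are assumptions.
declare(strict_types=1);

// Filter-in: every accepted GET parameter has a declared shape. Anything
// not on this list, or not matching its rule, is rejected before it
// reaches the SOAP layer. \A and \z anchor the whole value; $ alone would
// still accept a trailing newline.
const PARAM_RULES = [
    'account' => '/\A[A-Za-z0-9]{1,32}\z/',   // alphanumeric identifier (assumed)
    'region'  => '/\A(us|eu|apac)\z/',         // closed enumeration (assumed)
    'from'    => '/\A\d{4}-\d{2}-\d{2}\z/',    // ISO date (assumed)
];

/**
 * Validate raw query-string values against PARAM_RULES.
 * Returns ['values' => filtered values, 'errors' => list of messages].
 * If errors is non-empty the caller must not use values.
 */
function filterParams(array $raw): array
{
    $clean  = [];
    $errors = [];

    foreach (PARAM_RULES as $name => $pattern) {
        if (!array_key_exists($name, $raw)) {
            $errors[] = "missing parameter: $name";
            continue;
        }
        $value = $raw[$name];
        // $_GET values are strings or arrays; reject arrays instead of
        // letting them silently become the string "Array".
        if (!is_string($value)) {
            $errors[] = "parameter must be a scalar: $name";
            continue;
        }
        if (preg_match($pattern, $value) !== 1) {
            $errors[] = "parameter out of range: $name";
            continue;
        }
        $clean[$name] = $value;
    }

    // Unknown parameters are an error, not something to forward upstream.
    foreach (array_diff_key($raw, PARAM_RULES) as $name => $_) {
        $errors[] = "unexpected parameter: $name";
    }

    return ['values' => $clean, 'errors' => $errors];
}

// Escape-out for the JSON side: json_encode produces the output format,
// so nothing is hand-built here either.
function respondJson(int $status, array $body): void
{
    http_response_code($status);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($body, JSON_THROW_ON_ERROR);
}

$filtered = filterParams($_GET);
if ($filtered['errors'] !== []) {
    respondJson(400, ['errors' => $filtered['errors']]);
    exit;
}

// Escape-out for the SOAP side is delegated to ext/soap: the values are
// passed as plain PHP strings and SoapClient serialises them into the
// envelope with XML escaping applied. Never interpolate them into an XML
// string yourself.
try {
    $client = new SoapClient('https://ws.internal.example/account?wsdl', [ // assumed endpoint
        'exceptions' => true,
        'trace'      => true, // enables __getLastRequest() for inspecting the sent XML
    ]);
    $result = $client->__soapCall('lookupAccount', [$filtered['values']]); // assumed operation
    respondJson(200, ['result' => $result]);
} catch (SoapFault $e) {
    // Log the upstream fault; do not echo its detail to the public caller.
    error_log('SOAP fault: ' . $e->getMessage());
    respondJson(502, ['error' => 'upstream service error']);
}
```

To confirm the library really is doing the escaping, run the script once with a value that would be dangerous in XML (the rules above would reject it, so loosen the account rule temporarily or test against a throwaway rule), then call $client->__getLastRequest() after the call: the envelope will show characters such as < and & encoded as &lt; and &amp;. If you ever see them raw in that output, the value reached the envelope through string concatenation somewhere rather than through SoapClient's serialiser, and that is the bug to fix, not a reason to start escaping at the GET stage.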
