There is a misunderstanding in your question when you state:

> When information is sent from a form, it is validated for greater security with $_SERVER['REQUEST_METHOD'] == 'POST'. But what if the parameter that is sent is not in a form and is in a table?
If we are talking about security at the database level, getting the data via GET, POST, REQUEST, etc. adds nothing to security.

How? And why do you say that?

For a very simple reason: to query the database you have to apply security at another level, namely in the way you pass that data to the query. In the past, the myth became popular that cleaning the data with certain functions that claimed to be magical was an effective technique. Experience proved the opposite; in fact, on the web (especially on the English counterpart of this site) there are real demonstrations that, even after sanitizing the data, you can still end up with an SQL injection.
The most effective way to protect yourself in this case is very simple:
- (a) Get the data (via POST, via GET, via REQUEST, or however you like) into a variable. Some think this is risky. It is not, because that variable will not be printed in the document; it will only be used to query the database.
- (b) Pass the data obtained in (a) to the database securely, using prepared statements. This is the crux of the question. It is useless to clean and scrub a value if you then pass it directly to the database.
In practice, steps (a) and (b) above would look like this:
/*
 * Here we use a ternary operator to check that the value is
 * present in the GET. You can use whatever technique you like.
 */
$valor = (empty($_GET['valor'])) ? NULL : $_GET['valor'];
if ($valor) {
    $sql = "SELECT columna FROM tabla WHERE columna=?";
    /*
     * 1. Prepare $sql
     * 2. Pass the value obtained in $valor through a suitable method.
     *    That method is what neutralizes the injection. Since $valor
     *    never leaves this scope, there is no risk in how it was obtained.
     * 3. Execute the query
     * 4. Fetch the data if needed
     */
    // Assumes $con is an already open PDO connection, e.g. $con = new PDO($dsn, $user, $pass);
    $stmt = $con->prepare($sql);                 // 1. prepare
    $stmt->execute([$valor]);                    // 2 + 3. $valor is bound as a value, never as SQL text
    $filas = $stmt->fetchAll(PDO::FETCH_ASSOC);  // 4. fetch
} else {
    echo "No data was passed in the GET";
}
The code above is safe. But let's say you take your variable $valor through every cleaning center there is, leave it to soak for three or four days, then wash it, rinse it, wash it again... That is, you apply every sanitization function that exists and then three or four more cleaning functions that you invented or found on the web.

And after all that you commit the stupidity (with all due respect) of doing something like this:
$sql = "SELECT columna FROM tabla WHERE columna=$valor"; // The REAL risk is passing $valor directly
$stmt = $con->query($sql);

All the cleaning you did beforehand may work for you, or it may not, because as I said, there is evidence that an SQL injection can be performed without using a single one of the characters that the existing sanitization functions handle.
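The point made in this answer, shown as an added example that is not part of the original post: a value that contains no quotes, backslashes or HTML passes through strip_tags, htmlspecialchars and addslashes unchanged, yet still injects when concatenated into a numeric WHERE clause, while the prepared statement from steps (a) and (b) treats the same value as plain data. The table `usuarios`, its rows and the attacker-supplied `$valor` are constructed here; it assumes PDO with the SQLite driver so it runs offline without a server.

```php
<?php
// Added example; not code from the original answer.
// Assumes PDO with the SQLite driver. Table, rows and input are constructed here.
$con = new PDO('sqlite::memory:');
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$con->exec("CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, es_admin INTEGER)");
$con->exec("INSERT INTO usuarios (id, nombre, es_admin) VALUES
            (1, 'ana', 1), (2, 'beto', 0), (3, 'carla', 1)");

// Constructed attacker input. It has no quotes, no backslashes and no tags,
// so the usual "sanitizing" functions return it exactly as it came in.
$valor  = "0 OR es_admin=1";
$limpio = addslashes(htmlspecialchars(strip_tags($valor)));
var_dump($limpio === $valor);

// (1) The vulnerable pattern from the answer: the "cleaned" value is pasted into
//     the SQL text. The column is numeric, so nothing quotes the value, and the
//     injected "OR es_admin=1" becomes part of the WHERE clause: every admin leaks.
$sql  = "SELECT nombre FROM usuarios WHERE id=$limpio";
$stmt = $con->query($sql);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));

// (2) Steps (a) and (b) from the answer: the SQL text is fixed at prepare time and
//     the raw (uncleaned) $valor is bound as one value to compare against id.
//     No id equals the text '0 OR es_admin=1', so no rows come back.
$sql  = "SELECT nombre FROM usuarios WHERE id=?";
$stmt = $con->prepare($sql);
$stmt->execute([$valor]);
print_r($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Run it with `php example.php`: the first query returns both admins even though the input went through three cleaning functions, and the prepared one returns an empty array from the identical input with no cleaning at all. Binding with `PDO::PARAM_INT` via `bindValue()` would additionally coerce the value, but it is the separation of SQL text from data that stops the injection, not the cleaning.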