
PHP Injection from HTTP GET data used as PHP array key value

I would like to know if there is a possible injection of code (or any other security risk, like reading memory blocks that you weren't supposed to, etc.) in the following scenario, where unsanitized data from HTTP GET is used in PHP code as the KEY of an array.

This is supposed to transform letters to their order in the alphabet: a to 1, b to 2, c to 3, and so on. The HTTP GET "letter" variable is supposed to have letters as values, but as you can understand, anything can be sent to the server:

HTML:

http://www.example.com/index.php?letter=[anything in here, as dirty it can gets]

PHP:

$dirty_data = $_GET['letter'];

echo "Your letter's order in alphabet is:".Letter2Number($dirty_data);

function Letter2Number($my_array_key)
{
    $alphabet = array("a" => "1", "b" => "2", "c" => "3");

    // And now we will eventually use HTTP GET unsanitized data
    // as a KEY for a PHP array... Yikes!

    return $alphabet[$my_array_key]; 

}

Questions:

  1. Do you see any security risks?
  2. How can I sanitize HTTP data to be able to use them in code as the KEY of an array?
  3. How bad is this practice?


I can't see any problems with this practice. Anything you... errr... get from $_GET is a string. It will not pose any security threat whatsoever unless you call eval() on it. Any string can be used as a PHP array key, and it will have no adverse effects whatsoever (although if you use a really long string, obviously this will impact memory usage).

It's not like SQL, where you are building code to be executed later - your PHP code has already been built and is executing, and the only way you can modify the way in which it executes at runtime is by calling eval() or include()/require().

EDIT

Thinking about it there are a couple of other ways, apart from eval() and include(), that this input could affect the operation of the script, and that is to use the supplied string to dynamically call a function/method, instantiate an object, or in variable variables/properties. So for example:

$userdata = $_GET['userdata'];

$userdata();
// ...or...
$obj->$userdata();
// ...or...
$obj = new $userdata();
// ...or...
$someval = ${'a_var_called_'.$userdata};
// ...or...
$someval = $obj->$userdata;

...would be a very bad idea, if you were to do it with sanitizing $userdata first.

However, for what you are doing, you do not need to worry about it.


Any external data received from GET, POST, FILE, etc. should be treated as filthy and sanitized appropriately. How and when you sanitize depends on when the data is going to be used. If you are going to store it to the DB, it needs to be escaped (to avoid SQL injection. See PDO for example). Escaping is also necessary when running an OS command based on user data such as eval or attempting to read a file (like reading ../../../etc/passwd). If it's going to be displayed back to the user, it needs to be encoded (to avoid HTML injection. See htmlspecialchars for example).

You don't have to sanitize data for the way you are using it above. In fact, you should only escape for storage and encode for display, but otherwise leave data raw. Of course, you may want to perform your own validation on the data. For example, you may want dirty_data to be in the list of [a, b, c] and if not echo it back to the user. Then you would have to encode it.

Any well-known OS is not going to have a problem even if the user managed to attempt to read an invalid memory address.


  1. Presumably this array's contents are meant to be publicly accessible in this way, so no.
  2. Run it through array_key_exists()
  3. Probably at least a little bad. Maybe there's something that could be done with a malformed multibyte string or something that could trigger some kind of overflow on a poorly-configured server... but that's pure (ignorant) speculation on my part.
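
The points made in the answers above (validate the key with array_key_exists(), encode only when echoing input back) combined into one lookup, as an added example that is not code from the question or from any of the answers. It assumes PHP 8.0+ for the `mixed` type; the name `letter2Number` and the sample inputs are constructed for illustration. It also covers a case the thread does not mention: a request such as `?letter[]=a` makes `$_GET['letter']` an array rather than a string.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original post): returns the letter's
// position as a string, or null when the input is not a known key.
function letter2Number(mixed $input): ?string
{
    $alphabet = ['a' => '1', 'b' => '2', 'c' => '3'];

    // ?letter[]=a makes $_GET['letter'] an array, and a missing parameter
    // leaves it unset (null here); neither is a usable array key, so
    // reject anything that is not a string before touching the table.
    if (!is_string($input)) {
        return null;
    }

    // Allowlist check: only keys that exist in the table are looked up,
    // so unknown input never triggers an "undefined array key" warning.
    return array_key_exists($input, $alphabet) ? $alphabet[$input] : null;
}

// Constructed sample inputs standing in for $_GET['letter'].
$samples = ['b', 'z', '<b>z</b>', ['a'], null];

foreach ($samples as $raw) {
    $number = letter2Number($raw);

    // Encode only at output time; the raw value is never echoed as-is.
    $shown = is_string($raw)
        ? htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        : '(non-string input)';

    echo $number !== null
        ? "Your letter's order in alphabet is: {$number}\n"
        : "Unknown letter: {$shown}\n";
}
```

In a real handler the call would be `letter2Number($_GET['letter'] ?? null)`.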