Lately I see more errors in my logs regarding GET/POST parameters on an nginx/PHP-hosted website. I have some basic checks (sanitization) in place, but I think I haven't done enough.
Some of my checks have revealed attempts on an "id" parameter:
Parameter ID was not a number! Parameter was: function id() {
var s = '';
while (s.length < 32) {
s = Math.random().toString(36).replace(/[^A-Za-z]/g, '');
}
return s;
}" while reading response header from upstream, client: ...
So basically I was expecting a number and got a very interesting string. I don't even know what they were trying to achieve with that code; it seems to be JavaScript, and my server is PHP.
I was thinking of checking even string parameters with a regex.
What kind of checks do you recommend for GET/POST parameters on a PHP website?
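As an added illustration (not code from the question), this is the kind of strict allow-list validation being asked about, in PHP: the `id` parameter is accepted only as a positive integer, and a string parameter only if it matches an explicit pattern and length cap. The parameter name `slug`, its pattern and the length limits are assumptions for the example; the log line shown in the question would be rejected by `validateId` before the value reaches any query.

```php
<?php
declare(strict_types=1);

// Validate the "id" query parameter as a positive integer; anything else is rejected.
// The is_string check matters: "?id[]=1" makes $_GET['id'] an array, not a string.
function validateId(array $params): ?int
{
    if (!isset($params['id']) || !is_string($params['id'])) {
        return null;
    }
    // FILTER_VALIDATE_INT is stricter than is_numeric(): "1e3", " 5" and "0x1A" all fail.
    $id = filter_var($params['id'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

// Validate a free-text parameter against an allow-list pattern and a length cap.
// Pattern and cap are assumptions for this example; choose them per field.
function validateSlug(array $params, string $name, int $maxLen = 64): ?string
{
    if (!isset($params[$name]) || !is_string($params[$name])) {
        return null;
    }
    $value = $params[$name];
    // \A and \z anchor the whole string, so a trailing newline cannot slip past $.
    if (strlen($value) > $maxLen || !preg_match('/\A[a-z0-9_-]+\z/', $value)) {
        return null;
    }
    return $value;
}

// Reject the request and record a truncated copy of the offending value for review.
function rejectParam(string $name, mixed $value): never
{
    $shown = is_string($value) ? substr($value, 0, 80) : gettype($value);
    error_log(sprintf('Rejected parameter %s: %s', $name, $shown));
    http_response_code(400);
    exit('Bad request');
}

$id = validateId($_GET);
if ($id === null) {
    rejectParam('id', $_GET['id'] ?? '(missing)');
}
$slug = validateSlug($_GET, 'slug');
if ($slug === null) {
    rejectParam('slug', $_GET['slug'] ?? '(missing)');
}
// From here on, use only $id and $slug; never touch the raw $_GET values again.
```

Validation decides whether a value is acceptable at all; it does not replace contextual escaping, so database queries still use prepared statements and HTML output still goes through htmlspecialchars().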