Is it enough to check whether user input conforms to an expected value, before I embed it into executed code? E.g.:
$fruits = array(
"Orange",
"Banana"
);
if(isset($_GET['fruit']) && in_array($_GET['fruit'], $fruits)) {
// embed user input in HTML page:
echo $_GET['fruit'];
// embed user input in shell command (braces are required to interpolate a quoted array key inside a double-quoted string):
shell_exec("script.sh {$_GET['fruit']}");
// query database with user input:
mysqli_stmt_bind_param($stmt, 's', $_GET['fruit']);
}
Or do I need to escape it with htmlspecialchars, escapeshellcmd etc. anyway?
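A hardened version of the snippet above, as an added example that is not part of the original post: the allow-list lookup returns the canonical value from the code's own list rather than the raw request value, rejects non-string input, and each sink still gets its context-appropriate treatment as defence in depth. `$fruits` and `$_GET['fruit']` follow the question; `$stmt` is assumed to be an already prepared `mysqli` statement, and `pick_allowed()` is a hypothetical helper name.

```php
<?php
// Added example, not the poster's code. Assumes PHP 8 (for the `mixed` type)
// and an already prepared mysqli statement in $stmt.
$fruits = ["Orange", "Banana"];

function pick_allowed(mixed $input, array $allowed): ?string
{
    // ?fruit[]=Orange arrives as an array, so accept only a plain string.
    if (!is_string($input)) {
        return null;
    }
    // Strict comparison avoids loose-comparison surprises such as
    // "1e1" == "10" being true for numeric strings.
    $idx = array_search($input, $allowed, true);
    // Hand back the list's own element, never the request value.
    return $idx === false ? null : $allowed[$idx];
}

$fruit = pick_allowed($_GET['fruit'] ?? null, $fruits);
if ($fruit === null) {
    http_response_code(400);
    exit('unknown fruit');
}

// HTML context: the value is already known-safe, but escaping stays cheap
// and keeps this line correct if someone later adds "Fruit & Veg" to the list.
echo htmlspecialchars($fruit, ENT_QUOTES, 'UTF-8');

// Shell context: escapeshellarg() quotes a single argument, which is the
// right tool here; escapeshellcmd() is meant for a whole command line.
$out = shell_exec('script.sh ' . escapeshellarg($fruit));

// SQL context: a bound parameter is sent separately from the query text,
// so no escaping is needed whatever the value contains.
mysqli_stmt_bind_param($stmt, 's', $fruit);
```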