Re: two questions on serverside validation

On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:

> Hello,
> Thanks to all who answered my quotes question. I've got another one.
> I've got several combo boxes that are sticky, below is an example of
> one and the function. Now i'd like to tighten it up by ensuring that
> an external user can't inject values other than value1 or value2 in to
> the script. This sounds like an array.
> 
> <select name="box1" id="box1">
> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
> <option value="value2" <?php set_selected('box1', 'value2'); ?>>Value2</option>
> </select>
> 
> // Echo the selected attribute when the posted value for $fieldname
> // equals $value; isset() avoids a notice on the first (non-POST) load.
> function set_selected($fieldname, $value)
> {
>        if (isset($_POST[$fieldname]) && $_POST[$fieldname] == $value)
>                echo 'selected="selected"';
> }
> 
> Thanks.
> Dave.

What you've done is fine, but don't believe a user can't inject values
here, regardless of what you've done. All they have to do is call the
URL that's in the "action" attribute of your form tag, and give it any
values they like.

If you simply want to control a normal user's choices, the above will do
it fine. If you want to prevent hacking, you'll have to sanitize the
values once they're received from the form.

Paul

-- 
Paul M. Foster
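The server-side allow-list that both messages above point at, written out as an added example (it is not code from either poster). The field and option names `box1`, `value1` and `value2` come from Dave's post; the helper names `validated_choice`, `selected_attr` and `render_select`, and the constructed `$samples` array standing in for real `$_POST` bodies, are assumptions made for this illustration.

```php
<?php
// Added example, not from the original thread: server-side allow-list
// validation for a sticky <select>. A client can POST anything to the
// form's action URL, so the accepted values are fixed here, on the server.

// One allow-list per field. The same array drives both validation and
// rendering, so the options shown and the values accepted cannot drift apart.
$allowed = [
    'box1' => ['value1', 'value2'],
];

/**
 * Return the submitted value for $field if it is one of $permitted,
 * otherwise $default (null means "nothing selected").
 * Strict in_array() avoids PHP's loose comparisons; the is_string() check
 * rejects box1[]=... submissions, which arrive as arrays.
 */
function validated_choice(array $post, $field, array $permitted, $default = null)
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return $default;
    }
    return in_array($post[$field], $permitted, true) ? $post[$field] : $default;
}

/**
 * Selected attribute for one option. Unlike the original set_selected(),
 * this compares against the already-validated value, not raw $_POST.
 */
function selected_attr($chosen, $value)
{
    return $chosen === $value ? ' selected="selected"' : '';
}

/**
 * Render the whole <select> from the allow-list. Everything that reaches
 * the HTML is escaped, even though only allow-listed strings get here.
 */
function render_select($field, array $permitted, $chosen)
{
    $name = htmlspecialchars($field, ENT_QUOTES, 'UTF-8');
    $html = '<select name="' . $name . '" id="' . $name . '">' . "\n";
    foreach ($permitted as $value) {
        $safe  = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        $html .= '  <option value="' . $safe . '"' . selected_attr($chosen, $value)
               . '>' . ucfirst($safe) . "</option>\n";
    }
    return $html . "</select>\n";
}

// --- Demonstration with constructed POST bodies (not real requests) ---
$samples = [
    'legitimate' => ['box1' => 'value2'],     // accepted, option pre-selected
    'unlisted'   => ['box1' => 'value9'],     // rejected: not in the allow-list
    'missing'    => [],                       // first page load: nothing selected
    'array'      => ['box1' => ['value1']],   // rejected: box1[]=value1
];

foreach ($samples as $label => $post) {
    $chosen = validated_choice($post, 'box1', $allowed['box1']);
    echo "== $label: chosen = " . var_export($chosen, true) . "\n";
    echo render_select('box1', $allowed['box1'], $chosen);
}
```

In a real page the call is `validated_choice($_POST, 'box1', $allowed['box1'])`; the validated value is then the only thing the script goes on to use, whether for rendering the sticky box or for whatever the form submission actually does. Run with `php example.php` to see the unlisted and array cases fall back to "nothing selected" while the legitimate one keeps its selection.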

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
