Re: two questions on serverside validation

2010/8/25 Paul M Foster <paulf@xxxxxxxxxxxxxxxxx>:
> On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:
>
>> Hello,
>> Thanks to all who answered my quotes question. I've got another one.
>> I've got several combo boxes that are sticky; below is an example of
>> one and the function. Now I'd like to tighten it up by ensuring that
>> an external user can't inject values other than value1 or value2 into
>> the script. This sounds like an array.
>>
>> <select name="box1" id="box1">
>> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
>> <option value="value2" <?php set_selected('box1', 'value2'); ?>>Value2</option>
>> </select>
>>
>> // Emit the selected attribute when the submitted value for this field
>> // matches the option; guard against a missing field and compare strictly.
>> function set_selected($fieldname, $value)
>> {
>>        if (isset($_POST[$fieldname]) && $_POST[$fieldname] === $value)
>>                echo 'selected="selected"';
>> }
>>
>> Thanks.
>> Dave.
>
> What you've done is fine, but don't believe a user can't inject values
> here, regardless of what you've done. All they have to do is call the
> URL that's in the "action" attribute of your form tag, and give it any
> values they like.
>
> If you simply want to control a normal user's choices, the above will do
> it fine. If you want to prevent hacking, you'll have to sanitize the
> values once they're received from the form.
>
> Paul
>
>


Hi Paul, hi David,

I must correct Paul here.. a malicious user might be able to send a
value which is not "value1" or "value2", but this will not have any
impact for this snippet of code.
This snippet of code just sets a checkbox to being checked when the
value is the one expected. That's fine, so far. A classic whitelist.

But make sure the other code which we don't see
- does not output any _POST / _GET / _REQUEST / _COOKIE variables
without encoding the contents (e.g. htmlspecialchars), or
- does not send any user-supplied data without escaping the db-related
special chars.. (e.g. mysql_real_escape_string).

Regards,
Jan

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
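As an added example (not code from David, Paul or Jan), the following puts the thread's advice together: the submitted combo-box value is checked against a server-side whitelist before it is used anywhere, and the sticky select is rendered with encoded output. The field names, allowed values and the sample request are constructed for illustration.

```php
<?php
// Added example: whitelist the submitted combo-box value server-side and
// render the sticky <select> with encoded output.

// Allowed values for each sticky combo box (constructed sample).
$allowed = array(
    'box1' => array('value1', 'value2'),
);

// Return the submitted value only if it is on the whitelist; otherwise the
// default. This is the server-side check the HTML form cannot enforce.
function validated_choice(array $post, $fieldname, array $allowed, $default)
{
    if (!isset($post[$fieldname]) || !is_string($post[$fieldname])) {
        return $default;
    }
    // Strict comparison: no type juggling between the submitted string and
    // the whitelist entries.
    return in_array($post[$fieldname], $allowed, true) ? $post[$fieldname] : $default;
}

// Render the select; every attribute value and label passes through
// htmlspecialchars so nothing user-controlled is emitted raw.
function render_select($fieldname, array $options, $current)
{
    $html = '<select name="' . htmlspecialchars($fieldname, ENT_QUOTES, 'UTF-8') . '">' . "\n";
    foreach ($options as $value) {
        $selected = ($value === $current) ? ' selected="selected"' : '';
        $html .= '  <option value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '"'
               . $selected . '>' . htmlspecialchars(ucfirst($value), ENT_QUOTES, 'UTF-8')
               . "</option>\n";
    }
    return $html . "</select>\n";
}

// Constructed sample request: a value that is not on the whitelist, as a
// client posting directly to the form's action URL could send.
$_POST = array('box1' => '<script>alert(1)</script>');

$choice = validated_choice($_POST, 'box1', $allowed['box1'], 'value1');
// $choice is now 'value1'; the injected string never reaches the HTML or a query.
echo render_select('box1', $allowed['box1'], $choice);

// If the choice must reach the database, bind it as a parameter instead of
// interpolating it into SQL ($pdo is assumed to be an open PDO connection):
//   $stmt = $pdo->prepare('SELECT * FROM items WHERE kind = ?');
//   $stmt->execute(array($choice));
```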