> Date: Wednesday, May 25, 2016 13:14:26 -0700
> From: Jeffry Killen <jekillen@xxxxxxxxxxx>
>
>
> On May 25, 2016, at 10:15 AM, Jason Pruim wrote:
>
>> Hey Everyone,
>>
>> I have a form that I'm working on, and I'm adding some check boxes to it,
>> the check boxes display properly, and work as expected except... When I
>> submit the form, it shows that it's in $_POST['chkCom'] for instance, but
>> if I try and do a simple:
>>
>> $chkCom = $_POST['chkCom'];
>>
>> so I can work on some validation it won't work... Nothing is ever assigned
>> to it... Even though
>>
>> <?PHP var_dump($_POST['chkCom']); ?>
>>
>> shows the proper value... All I'm looking at doing is running like
>> HTMLentities on the check box and verifying if it was checked...
>>
>> I guess the biggest question comes down to do I need to worry about
>> sanitizing checkbox input? On this form it's just getting emailed
>> into another web based system that I'm not in control of (Online
>> helpdesk system).
>
> Is chkCom the name of a checkbox set? Or, is it of a single checkbox
> in a set? If it is a single checkbox in a set then the set name
> will have the selected value. Otherwise, from my experience with
> my own stumblings you have a syntax error or a variable misspelling
> somewhere.
>
> Forms can be forged: Values can be altered. Checkboxes can be
> altered.
> Yes, I would sanitize everything coming from a form.
>
> JK
>

When reading/sanitizing input it's important to remember that while you may expect the input to come via some form you control there is nothing that requires that. A user can save your form, change it, and submit. Or, someone can simply fire hose straight into the script on your server. [This makes things like js-based client-side validation particularly amusing.] Basically you have to assume that any input you are reading can contain anything -- regardless of your initial intent -- so you need to sanitize accordingly.
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
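The thread's advice (a checkbox is absent from $_POST when unchecked, and whatever arrives can be forged) translates into code as follows. This is an added example written for this page, not code from any of the posters; the field names chkCom and chkOpt, the declared checkbox value "yes", and the allow-list of contact options are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original thread): treating checkbox input as
// untrusted and validating it against what the form is supposed to send.
// Field names chkCom/chkOpt and the value "yes" are assumptions.

declare(strict_types=1);

/**
 * True only if the checkbox field is present and carries exactly the value
 * declared in the <input value="..."> attribute. Missing, empty, non-scalar
 * or unexpected values all count as "not checked" instead of being trusted.
 */
function checkbox_is_checked(array $post, string $field, string $expected = 'yes'): bool
{
    if (!array_key_exists($field, $post)) {
        return false;          // an unchecked box is simply not submitted
    }
    $value = $post[$field];
    // A hand-crafted request can send chkCom[]=... ; reject non-scalar input
    // where a single scalar is expected.
    if (!is_string($value)) {
        return false;
    }
    // Strict comparison: "1", "on", "true" are not accepted unless that is
    // literally the value the <input> declares.
    return $value === $expected;
}

/**
 * For a checkbox group (name="chkOpt[]"), keep only values that appear in
 * the allow-list; anything else is dropped rather than escaped and passed on.
 */
function checkbox_group_values(array $post, string $field, array $allowed): array
{
    $raw = $post[$field] ?? [];
    if (!is_array($raw)) {
        $raw = [$raw];         // tolerate a single scalar
    }
    $clean = [];
    foreach ($raw as $v) {
        if (is_string($v) && in_array($v, $allowed, true)) {
            $clean[$v] = true; // de-duplicate repeated values
        }
    }
    return array_keys($clean);
}

/**
 * Build the text handed to the external helpdesk system. The validated
 * values come from our own allow-list, so nothing attacker-controlled
 * remains; escaping on output is still applied because we do not control
 * how the downstream system renders the text.
 */
function helpdesk_summary(array $post): string
{
    $lines   = [];
    $lines[] = 'Commercial: ' . (checkbox_is_checked($post, 'chkCom') ? 'yes' : 'no');
    $opts    = checkbox_group_values($post, 'chkOpt', ['phone', 'email', 'mail']);
    $lines[] = 'Contact by: ' . (count($opts) > 0 ? implode(', ', $opts) : 'none');
    return htmlentities(implode("\n", $lines), ENT_QUOTES, 'UTF-8');
}

// Constructed sample requests standing in for $_POST.
$normal   = ['chkCom' => 'yes', 'chkOpt' => ['email']];
$forged   = ['chkCom' => '<script>alert(1)</script>', 'chkOpt' => ['email', 'bogus', 'email']];
$tampered = ['chkCom' => ['yes']];   // scalar field turned into an array

var_dump(checkbox_is_checked($normal, 'chkCom'));
var_dump(checkbox_is_checked($forged, 'chkCom'));
var_dump(checkbox_is_checked($tampered, 'chkCom'));
echo helpdesk_summary($forged), "\n";
```

The design choice here is allow-listing rather than sanitizing: since the set of legitimate checkbox values is known in advance, the script compares against that set and discards anything else, so a forged value never reaches the email body in any form. `htmlentities` on the final text is a second layer for the receiving system, not a substitute for the comparison.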