From: "Jan G.B." on 27 Aug 2010 11:50

2010/8/25 Paul M Foster <paulf(a)quillandmouse.com>:
> On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:
>
>> Hello,
>> Thanks to all who answered my quotes question. I've got another one.
>> I've got several combo boxes that are sticky, below is an example of
>> one and the function. Now I'd like to tighten it up by ensuring that
>> an external user can't inject values other than value1 or value2 into
>> the script. This sounds like an array.
>>
>> <select name="box1" id="box1">
>> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
>> <option value="value2" <?php set_selected('box1', 'value2'); ?>>Value2</option>
>> </select>
>>
>> // Emit selected="selected" when the submitted value of $fieldname
>> // equals $value; the isset() guard avoids a notice when the field
>> // was not submitted at all.
>> function set_selected($fieldname, $value)
>> {
>>     if (isset($_POST[$fieldname]) && $_POST[$fieldname] == $value)
>>         echo 'selected="selected"';
>> }
>>
>> Thanks.
>> Dave.
>
> What you've done is fine, but don't believe a user can't inject values
> here, regardless of what you've done. All they have to do is call the
> URL that's in the "action" attribute of your form tag, and give it any
> values they like.
>
> If you simply want to control a normal user's choices, the above will do
> it fine. If you want to prevent hacking, you'll have to sanitize the
> values once they're received from the form.
>
> Paul
>

Hi Paul, hi David,

I must correct Paul here.. a malicious user might be able to send a value which is not "value1" or "value2", but this will not have any impact for this snippet of code. This snippet of code just sets a checkbox to being checked when the value is the one expected. That's fine, so far. A classic whitelist.

But make sure the other code which we don't see
- does not output any _POST / _GET / _REQUEST / _COOKIE variables without encoding the contents (f.e. htmlspecialchars), or
- does not send any user-supplied data without escaping the db-related special chars.. (f.e. mysql_real_escape_string).

Regards,
Jan
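The two rules Jan states, carried through in working code as an added example that is not part of the thread and is not David's or Jan's code: the submitted value is checked against a whitelist before anything else sees it, every string echoed back into the page goes through htmlspecialchars, and the database write binds the value through a PDO prepared statement instead of string-escaping it into SQL (the mysql extension and mysql_real_escape_string were removed in PHP 7, so a prepared statement is the modern equivalent of the escaping Jan asks for). The field name box1, the allowed values, the prefs table and the PDO connection are assumptions, and the sample requests are constructed.

```php
<?php
// Added example, not code from the mailing-list thread.
// Assumptions: field "box1", allowed values value1/value2, table "prefs",
// an existing PDO connection $pdo, and a known $currentUserId.
declare(strict_types=1);

// Whitelist: submitted value => label shown to the user.
const BOX1_ALLOWED = ['value1' => 'Value1', 'value2' => 'Value2'];

/**
 * Return the submitted value only if it is one of the whitelisted keys,
 * otherwise the default. Non-string input (box1[]=x) is rejected as well,
 * since $_POST can carry arrays.
 */
function whitelist_value(array $input, string $field, array $allowed, ?string $default = null): ?string
{
    if (!isset($input[$field]) || !is_string($input[$field])) {
        return $default;
    }
    return array_key_exists($input[$field], $allowed) ? $input[$field] : $default;
}

/** Render the sticky <select>; every attribute and label is HTML-encoded. */
function render_select(string $name, array $allowed, ?string $selected): string
{
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<select name="' . $h($name) . '" id="' . $h($name) . '">' . "\n";
    foreach ($allowed as $value => $label) {
        $sel = ($value === $selected) ? ' selected="selected"' : '';
        $html .= '  <option value="' . $h($value) . '"' . $sel . '>' . $h($label) . "</option>\n";
    }
    return $html . "</select>\n";
}

/** Persist the choice with a bound parameter; no escaping into the SQL string. */
function save_choice(PDO $db, int $userId, string $choice): void
{
    $stmt = $db->prepare('INSERT INTO prefs (user_id, box1) VALUES (:uid, :choice)');
    $stmt->execute([':uid' => $userId, ':choice' => $choice]);
}

// Constructed sample requests standing in for $_POST.
$samples = [
    ['box1' => 'value2'],                        // legitimate choice
    ['box1' => '"><script>alert(1)</script>'],   // injection attempt, dropped by the whitelist
    ['box1' => ['value1']],                      // array instead of string, dropped
    [],                                          // nothing submitted, nothing selected
];
foreach ($samples as $post) {
    $choice = whitelist_value($post, 'box1', BOX1_ALLOWED);
    echo render_select('box1', BOX1_ALLOWED, $choice);
}

// In the real form handler (assumed $pdo and $currentUserId):
// $choice = whitelist_value($_POST, 'box1', BOX1_ALLOWED);
// if ($choice !== null) {
//     save_choice($pdo, $currentUserId, $choice);
// }
```

Because whitelist_value only ever returns one of the keys of BOX1_ALLOWED or null, the value reaching save_choice is already constrained; the prepared statement and htmlspecialchars are still kept, since the same pattern has to hold for fields that are free text rather than a fixed list.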
From: "Jan G.B." on 27 Aug 2010 11:53
2010/8/27 Jan G.B. <ro0ot.w00t(a)googlemail.com>:
> But make sure the other code which we don't see
> - does not outpot any _POST / _GET / _REQUEST / _COOKIE variables
> without encoding the contents (f.e. htmlspecialchars), or
> - does not send and user supplied data without scaping the sb-related
> special chars.. (f.e. mysql_real_escape-string).
>

Hell.. Actually I wanted to write "output", "escaping" and "db-related".
Are typo corrections accepted here?! :)