From: "Jan G.B." on 27 Aug 2010 11:50
2010/8/25 Paul M Foster <paulf(a)quillandmouse.com>:
> On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:
>> Thanks to all who answered my quotes question. I've got another one.
>> I've got several combo boxes that are sticky, below is an example of
>> one and the function. Now i'd like to tighten it up by ensuring that
>> an external user can't inject values other than value1 or value2 in to
>> the script. This sounds like an array.
>> <select name="box1" id="box1">
>> <option value="value1" <?php set_selected('box1', 'value1'); ?>>Value1</option>
>> <option value="value2" <?php set_selected('box1', 'value2'); ?>>Value2</option>
>> </select>
>> <?php
>> // Print selected="selected" when the submitted value for $fieldname matches $value
>> function set_selected($fieldname, $value)
>> {
>>     if (isset($_POST[$fieldname]) && $_POST[$fieldname] == $value) {
>>         echo 'selected="selected"';
>>     }
>> }
>> ?>
> What you've done is fine, but don't believe a user can't inject values
> here, regardless of what you've done. All they have to do is call the
> URL that's in the "action" attribute of your form tag, and give it any
> values they like.
> If you simply want to control a normal user's choices, the above will do
> it fine. If you want to prevent hacking, you'll have to sanitize the
> values once they're received from the form.
Hi Paul, hi David,
I must correct Paul here.. a malicious user might be able to send a
value which is not "value1" or "value2", but this will not have any
impact on this snippet of code.
This snippet of code just sets a checkbox to checked when the
value is the one expected. That's fine, so far. A classic whitelist.
But make sure the other code which we don't see
- does not outpot any _POST / _GET / _REQUEST / _COOKIE variables
without encoding the contents (f.e. htmlspecialchars), or
- does not send any user-supplied data without scaping the sb-related
special chars.. (f.e. mysql_real_escape-string).
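The whitelist-plus-output-encoding approach described above, as an added example that is not David's or Paul's code: the submitted value is checked against the allowed list before it is used, and everything written into the page goes through htmlspecialchars(). The names $allowed and pick_allowed() are hypothetical; the POST data is constructed.

```php
<?php
// Added example (not code from the thread). $allowed and pick_allowed()
// are hypothetical names; $post stands in for $_POST.

// Allowed values per field: the whitelist a submitted value is checked against.
$allowed = [
    'box1' => ['value1', 'value2'],
];

// Return the submitted value for $fieldname only if it is in the whitelist;
// otherwise fall back to the first allowed value. in_array() with strict
// comparison avoids "0" == "value1"-style loose matches.
function pick_allowed(array $allowed, array $input, string $fieldname): string
{
    $options = $allowed[$fieldname];
    $value   = $input[$fieldname] ?? null;
    if (is_string($value) && in_array($value, $options, true)) {
        return $value;
    }
    return $options[0];
}

// Emit selected="selected" when the validated value matches this option.
function set_selected(string $current, string $value): void
{
    if ($current === $value) {
        echo ' selected="selected"';
    }
}

// Constructed input: a value outside the whitelist, as an external caller
// could send directly to the form's action URL.
$post = ['box1' => 'value3'];
$box1 = pick_allowed($allowed, $post, 'box1'); // 'value3' rejected, 'value1' used

// Only whitelisted values reach the markup, and they are still encoded.
?>
<select name="box1" id="box1">
<?php foreach ($allowed['box1'] as $opt): ?>
<option value="<?= htmlspecialchars($opt, ENT_QUOTES, 'UTF-8') ?>"<?php set_selected($box1, $opt); ?>><?= htmlspecialchars(ucfirst($opt), ENT_QUOTES, 'UTF-8') ?></option>
<?php endforeach; ?>
</select>
```

Once $box1 has passed pick_allowed() it is one of the known strings, so it can be stored with a parameterised query rather than relying on escaping alone; that part is not shown here.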
From: "Jan G.B." on 27 Aug 2010 11:53
2010/8/27 Jan G.B. <ro0ot.w00t(a)googlemail.com>:
> But make sure the other code which we don't see
> - does not outpot any _POST / _GET / _REQUEST / _COOKIE variables
> without encoding the contents (f.e. htmlspecialchars), or
> - does not send and user supplied data without scaping the sb-related
> special chars.. (f.e. mysql_real_escape-string).
Hell.. Actually I wanted to write "output", "escaping" and
"db-related". Are typo corrections accepted here?! :)