How to protect against a malicious entry through a select dropdown?

0

I have a form with a select with some options, for example:

<select id="sel1" name="sel1">
    <option disabled selected style="display: none">Titulo</option>
    <option value="op1">op1</option>
    <option value="op2">op2</option>
    <option value="op3">op3</option>
</select>

My question is whether treating this entry with mysqli_real_escape_string is enough, for example:

$sel1 = mysqli_real_escape_string($con, $_POST['sel1']);

Or do I need to take more care, and if so, what are the points that should be taken care of?

asked by anonymous 22.02.2017 / 14:38

2 answers

1

I would say that the basic rule for any information sent by the user is to "never trust the information sent by the client".

I have to say that I do not work with PHP, but this goes for any language: while using mysqli_real_escape_string or equivalents in other languages gives you the security (if used correctly) that you will not have an SQL injection problem, it does not ensure that the information the user has submitted is correct.

You should always validate all information that the user submits. In the case of a dropdown, you should be sure that the user could have chosen the value that was sent, and generally you should do two validations: one in JavaScript, which is actually not necessary but helps to avoid incorrect posts from legitimate users, and the other, which is mandatory, on the server, because only there can you be sure that the data is correct.

22.02.2017 / 17:30
1

One of the possible ways to validate would be to use PHP's in_array function to do this check.

// Whitelist check: only the values the form actually offered are accepted.
// The ?? '' guards against the field being absent from the request entirely.
if (! in_array($_POST['valor'] ?? '', ['opt1', 'opt2', 'opt3'], true)) {
   // invalid
}

Because someone could edit the value of your select, that person could easily enter an unknown value into your database table.

See:

In the example above, I could simply change the value on the front end and submit the form.

In addition, there are tools that allow you to submit a form regardless of its definition, such as the Google Chrome plugin. With it, it is possible to send requests to a certain URL, passing whatever value you want. So, knowing the URL, I can send whatever I want to your server.

This is why I strongly recommend that the validation always be done on the server, since the structure for sending the data from the client side (I mean the HTML and JavaScript code) does not guarantee the veracity of that data.

It is important to define what you want to receive on the server.

A very common error I see is the person who uses the $_GET variable to get the name of the page that will be included.

Example:

$page = $_GET['page'];
include 'paginas/' . $page . '.php';

In the above example, obviously a string is expected. But to find out the level of knowledge of the programmer, just pass page[]=1 as a parameter. It will not be surprising if an "array conversion to string" error appears, because this was not expected.

In such cases, due to the lack of verification, uglier errors appear.

In this case, a simple filter_var or filter_input would solve the problem.

$page = filter_input(INPUT_GET, 'page');

// false: the value was not a scalar (e.g. page[]=1); null: no page parameter at all.
// Either way, stop here instead of building an include path from it.
if ($page === false || $page === null) exit;

// Note: this only guarantees a string; it does not restrict which file names are allowed.
include 'paginas/' . $page . '.php';

mysql_escape_string alone does not guarantee anything. I suggest always formatting and validating the data in the way you want to receive it.

In summary: You should never rely solely on client-side validation (the browser), since everything can be manipulated.

22.02.2017 / 14:40
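As an added example (not code from the question or either answer), the whitelist check from the second answer and its point about non-scalar input such as page[]=1 combined into one server-side validator for the question's select; the function name validateChoice, the $allowedSel1 list and the sample request bodies are constructed for this illustration.

```php
<?php
// Added example (not from the original question or answers): server-side
// whitelist validation of a <select> value. validateChoice, $allowedSel1 and
// the sample inputs below are constructed for this illustration.
declare(strict_types=1);

/**
 * Return the submitted value only if it is a string that appears in the
 * whitelist of values the form actually offered; otherwise return null.
 * The whitelist is the server's own list, never anything sent by the client.
 */
function validateChoice(array $input, string $field, array $allowed): ?string
{
    // Missing field: a normal submission always carries a selected <option>
    // (the disabled placeholder, if left selected, submits nothing), so absence
    // is treated like any other bad input and rejected.
    if (!array_key_exists($field, $input)) {
        return null;
    }
    $value = $input[$field];
    // sel1[]=x turns $_POST['sel1'] into an array; reject anything non-string
    // before it reaches string functions such as mysqli_real_escape_string().
    if (!is_string($value)) {
        return null;
    }
    // Strict comparison: no type juggling, exact match against the option values.
    return in_array($value, $allowed, true) ? $value : null;
}

$allowedSel1 = ['op1', 'op2', 'op3'];   // the <option value="..."> list from the form

// Constructed sample requests, as PHP would populate $_POST from each body.
$samples = [
    'sel1=op2'        => ['sel1' => 'op2'],    // legitimate choice
    'sel1=op9'        => ['sel1' => 'op9'],    // value the form never offered
    'sel1[]=op1'      => ['sel1' => ['op1']],  // array smuggled in via sel1[]
    '(no sel1 field)' => [],                   // field omitted entirely
];

foreach ($samples as $body => $post) {
    $choice = validateChoice($post, 'sel1', $allowedSel1);
    printf("%-18s -> %s\n", $body, $choice === null ? 'rejected' : "accepted: $choice");
}
// Only an accepted value should go on to the query, preferably as a bound
// parameter of a prepared statement rather than through string escaping.
```

Of the four sample bodies only sel1=op2 is accepted; the other three are rejected before any escaping or database call takes place.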