One of the possible ways to validate would be to use the in_array function of PHP to do this check.
if (! in_array($_POST['valor'], ['opt1', 'opt2', 'opt3'])) {
    // invalid
}
Because someone could edit the value of your select, that person could easily enter an unknown value there in your database table.
See:
In this example above, I could simply change the value on the front end and submit a submission.
In addition, there are tools that allow you to submit a form, regardless of its definition, such as the Google Chrome plugin. With it it is possible to send requests to a certain URL, being able to pass the value that you want. So, knowing the URL, I can send whatever I want to your server.
This is why I strongly recommend that the validation be always done on the server, since its structure for sending the data by the client side (I speak of the programming of the HTML and JavaScript) does not guarantee the veracity of the same ones.
It is important to define what you want to receive on the server.
A very common error I see is the person who uses the $_GET variable to get the value of the page that will be included.
Example:
$page = $_GET['page'];
include 'paginas/' . $page . '.php';
In the above example, obviously a string is expected. But to know the level of knowledge of the programmer, just pass page[]=1 as a parameter. It will not be surprising if an "array conversion to string" appears because this was not expected.
In such cases, due to lack of verification, more ugly errors appear due to a lack of validation.
In this case, a simple filter_var or filter_input would solve the problem.
// filter_input returns false when the value fails the filter (an array such as
// page[]=1 is rejected by the default scalar filter) and null when 'page' is absent
$page = filter_input(INPUT_GET, 'page');
if ($page === false || $page === null) exit;
include 'paginas/' . $page . '.php';
Only mysql_escape_string does not guarantee anything. I suggest formatting and validating the data always the way you want to receive it.
In summary: You should never rely solely on client-side validation (the browser), since everything can be manipulated.
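The server-side checks described in this answer (the select whitelist and the page include), as an added PHP example that is not part of the original answer; the parameter names 'valor' and 'page' follow the answer, while the list of allowed page names and the sample requests are constructed assumptions:

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Allowed values are assumptions.
const ALLOWED_VALORES = ['opt1', 'opt2', 'opt3'];
const ALLOWED_PAGES   = ['home', 'contato', 'sobre'];

/**
 * Return the submitted value only if it is present, is a plain string
 * (so page[]=1 style array input is rejected) and is on the whitelist;
 * otherwise return null. Strict in_array avoids loose-comparison matches.
 */
function validateChoice(array $input, string $key, array $allowed): ?string
{
    if (!array_key_exists($key, $input)) {
        return null;                       // parameter missing
    }
    $value = $input[$key];
    if (!is_string($value)) {
        return null;                       // array or other non-string input
    }
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed requests standing in for $_POST (select field 'valor').
$posts = [
    ['valor' => 'opt2'],       // valid option
    ['valor' => 'hacked'],     // value not offered by the select
    ['valor' => ['opt1']],     // valor[]=opt1, an array instead of a string
    [],                        // parameter missing entirely
];
foreach ($posts as $post) {
    $valor = validateChoice($post, 'valor', ALLOWED_VALORES);
    echo $valor === null ? "rejected\n" : "accepted: {$valor}\n";
}

// Constructed request standing in for $_GET with ?page[]=1.
$get  = ['page' => ['1']];
$page = validateChoice($get, 'page', ALLOWED_PAGES);
if ($page === null) {
    http_response_code(400);
    exit("invalid page\n");
}
// Only a whitelisted name can reach this point, so the include path is fixed.
include 'paginas/' . $page . '.php';
```

Because the whitelist decides which file name is used, the include never receives a value the client composed.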