Verifying Drop Down Code?

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Verifying Drop Down Code?

Post by JPlush76 »

Do you validate drop down data when you do a form submit?

I do validation on all the user input fields: name, address, email, etc.

but I have drop downs like STATE, COUNTRY, etc....

If you don't validate the data coming in from the drop downs, is that a security risk? Can someone view source and change the option value to malicious code?
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

Yes they could...
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

They could easily just make the form in a normal HTML, and submit it that way.

I use dropdowns with SET or ENUM fields in MySQL, which means whatever checking I do, MySQL will still only accept certain data.
JPlush76
Forum Regular
Posts: 819
Joined: Thu Aug 01, 2002 5:42 pm
Location: Los Angeles, CA

Post by JPlush76 »

Basically I'm just doing some simple checking on the data coming in. Should I be a little more secure, or do you think this is good enough?

Code:

<?php
$message = array();

// Check the first name: letters only (eregi is case-insensitive).
if (eregi("^[a-z]+$", $_POST['f_first'])) {
    $a = TRUE;
} else {
    $a = FALSE;
    $message[] = "Please enter a first name that consists only of letters.";
}

// Check the last name: letters only.
if (eregi("^[a-z]+$", $_POST['f_last'])) {
    $b = TRUE;
} else {
    $b = FALSE;
    $message[] = "Please enter a last name that consists only of letters.";
}

// Check the telephone: exactly 10 digits.
if (eregi("^[0-9]{10}$", $_POST['f_phone'])) {
    $c = TRUE;
} else {
    $c = FALSE;
    $message[] = "Please enter a phone number that consists only of numbers and is 10 numbers long.";
}
?>
I'm just really checking to make sure numbers and letters are submitted.
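An added example, not JPlush76's or jason's code, of the drop-down check the thread is asking about: each submitted STATE/COUNTRY value is compared, with strict comparison, against the server's own list of options, so a form rebuilt outside the browser cannot slip in a value the page never offered. The field names, option lists and sample submissions below are assumed and constructed for the example.

```php
<?php
// Added example (not from the original thread): whitelist validation for
// drop-down fields. The <select> in the browser is only a suggestion; any
// client can POST any value, so the server checks against its own list.

// Assumed option lists; a real app would load these from config or from the
// same place the ENUM column is defined.
$allowedStates    = array('CA', 'NY', 'TX', 'WA');
$allowedCountries = array('US', 'CA', 'GB');

/**
 * Return the submitted value if it is exactly one of the allowed options,
 * or null otherwise. The third argument to in_array() makes the comparison
 * strict (===), so loose type juggling cannot match an unexpected value.
 */
function pickOption(array $post, $field, array $allowed)
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    return in_array($post[$field], $allowed, true) ? $post[$field] : null;
}

// Constructed sample submissions: one honest, one tampered, one incomplete.
$samples = array(
    array('f_state' => 'CA', 'f_country' => 'US'),
    array('f_state' => 'XX', 'f_country' => 'US'),   // value not in the list
    array('f_country' => 'GB'),                      // f_state missing
);

foreach ($samples as $post) {
    $message = array();
    $state   = pickOption($post, 'f_state', $allowedStates);
    $country = pickOption($post, 'f_country', $allowedCountries);

    if ($state === null) {
        $message[] = 'Please choose a state from the list.';
    }
    if ($country === null) {
        $message[] = 'Please choose a country from the list.';
    }

    if (count($message) === 0) {
        echo "OK: state=$state country=$country\n";
    } else {
        // Report only the fixed message text; never echo the raw input back
        // unescaped, since that is how a rejected value becomes an XSS bug.
        echo "Rejected: " . implode(' ', $message) . "\n";
    }
}
```

Running this prints one OK line and two Rejected lines. The database-side ENUM/SET column jason mentions is a useful second layer, but the application check above is the one that lets you give the user a clean error and log the bad submission instead of discovering it as a failed INSERT.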
Takuma
Forum Regular
Posts: 931
Joined: Sun Aug 04, 2002 10:24 am
Location: UK

Post by Takuma »

That'll make the hackers go mad.... :lol:
You could use "===", can't you, if you need to anyway.
Unless you have something important in drop down menu no-one is going to try and make a new form and do stuff with it.