Verifying Drop Down Code?

Posted: Mon Sep 16, 2002 5:14 pm
by JPlush76
Do you validate drop down data when you do a form submit?

I do validation on all the user input fields, name, address, email, etc.

But I have drop downs like STATE, COUNTRY, etc.

If you don't validate the data coming in from the drop downs, is that a security risk? Can someone view source and change the option value to malicious code?

Posted: Mon Sep 16, 2002 5:16 pm
by Takuma
Yes they could...

Posted: Mon Sep 16, 2002 6:52 pm
by jason
They could easily just make the form in normal HTML, and submit it that way.

I use dropdowns with SET or ENUM fields in MySQL, which means whatever checking I do, MySQL will still only accept certain data.
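
An added example, not code from any poster in this thread: a server-side allowlist check for drop-down fields, which holds even when the request was built by hand rather than by the real form. The field names `f_state` and `f_country`, the option lists and the `validate_select()` helper are assumptions made for illustration.

```php
<?php
// Allowed values per drop-down (assumed lists). Render the <option> tags
// from these same arrays so the form and the validator cannot drift apart.
const ALLOWED = [
    'f_state'   => ['CA', 'NY', 'TX'],
    'f_country' => ['US', 'CA', 'GB'],
];

// Return the submitted value if it is one of the offered options, else null.
function validate_select(array $input, string $field): ?string
{
    $value = $input[$field] ?? null;

    // A hand-built request can send an array (f_state[]=NY) or omit the
    // field entirely; only a plain string can be a valid choice.
    if (!is_string($value)) {
        return null;
    }

    // Third argument true = strict (===) comparison, so no type juggling.
    return in_array($value, ALLOWED[$field] ?? [], true) ? $value : null;
}

// Constructed sample submissions: one from the real form, two altered.
$samples = [
    ['f_state' => 'NY', 'f_country' => 'US'],
    ['f_state' => 'not-a-state', 'f_country' => 'US'],
    ['f_state' => ['NY']],
];

foreach ($samples as $post) {
    $errors = [];
    foreach (array_keys(ALLOWED) as $field) {
        if (validate_select($post, $field) === null) {
            $errors[] = "Invalid choice for $field.";
        }
    }
    echo $errors ? implode(' ', $errors) : 'OK', "\n";
}
```

A database-side SET or ENUM column then acts as a second layer rather than the only check.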

Posted: Mon Sep 16, 2002 6:56 pm
by JPlush76
Basically I'm just doing some simple checking on the data coming in. Should I be a little more secure or do you think this is good enough?

<?php
// preg_match() with the i flag replaces eregi(), which was removed in PHP 7.
// The D flag keeps $ from matching before a trailing newline.

// Check the first name.
	if (preg_match('/^[a-z]+$/iD', $_POST['f_first'])) {
		$a = TRUE;
	} else {
		$a = FALSE;
		$message[] = "Please enter a first name that consists only of letters.";
	}

// Check the last name.
	if (preg_match('/^[a-z]+$/iD', $_POST['f_last'])) {
		$b = TRUE;
	} else {
		$b = FALSE;
		$message[] = "Please enter a last name that consists only of letters.";
	}

// Check the telephone: exactly 10 digits.
	if (preg_match('/^[0-9]{10}$/D', $_POST['f_phone'])) {
		$c = TRUE;
	} else {
		$c = FALSE;
		$message[] = "Please enter a phone number that consists only of numbers and is 10 numbers long.";
	}
?>
I'm just really checking to make sure numbers and letters are submitted.

Posted: Tue Sep 17, 2002 12:54 am
by Takuma
That'll make the hackers go mad.... :lol:
You could use "===", can't you, if you need to anyway?
Unless you have something important in the drop down menu, no-one is going to try and make a new form and do stuff with it.