filter input and spoofing form submission.
Posted: Mon May 22, 2006 4:19 am
by jmut
Ok, some security expert books mention we should validate everything.
No matter if it is a select dropdown menu, radio buttons or whatever (things you might think are validated).
This is true of course, because usually you could spoof the form submission with your own form.
But usually these things are coming from the DB.
How do you dynamically validate these select menus, for example?
After submit, do I get the data that generated the select menu initially and check it against the value coming from POST?
Are any of you actually doing this one?
Posted: Mon May 22, 2006 11:42 am
by s.dot
Yes.
In dropdowns where I select the data to fill it, I also select the data after submission, and check to make sure it's a value I expected.
For plain text, I always run it through htmlentities();
As a general rule, make sure that form input is what you expect.
Posted: Mon May 22, 2006 11:48 am
by RobertGonzalez
I have a tendency to use post backs quite a bit, so on a page where I am dynamically generating a select menu, I usually read the result into an array and use the array to create the drop down. I create the array at the top part of the script so when the page is posted back, the array has already been created and is available for checking against.
Code:
<?php
// create the array (e.g. from a database query) at the top of the script,
// so it exists whether or not the form was posted; sample values stand in here
$options = array(1 => 'Red', 2 => 'Green', 3 => 'Blue');

if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // process the data and check it against the array
    $id    = isset($_POST['colour']) ? $_POST['colour'] : null;
    $valid = is_string($id) && isset($options[$id]);
}

// create the form using the array
foreach ($options as $id => $label) {
    echo '<option value="' . $id . '">' . htmlentities($label) . '</option>';
}
?>
Posted: Fri May 26, 2006 12:58 am
by jmut
And what about data coming from a database?
Do you treat it as being tainted before you use it, i.e. validate it?
Or do you trust the data, as you know it was validated in the first place (when it went into the DB)?
I guess it all depends on the scenario and who has access to this database, but for a critical app the big book advises not to trust.
Most stuff you might as well constrain on the DB side, but still...
Have any of you done this?
Posted: Fri May 26, 2006 1:04 am
by RobertGonzalez
Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) Developing the form elements (this ensures that the form contains what you want it to) and 2) for validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.
I validate almost everything because you never know when some malicious person will get creative and use your site to practise on. Validate all the time.
Posted: Fri May 26, 2006 2:58 am
by jmut
Everah wrote:Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) Developing the form elements (this ensures that the form contains what you want it to) and 2) for validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.
I validate almost everything because you never know when some malicious person will get creative and use your site to practise on. Validate all the time.
This is exactly how I understood it.
The thing is, do you trust your DB?
Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
Well... ultimately you have to rely on something sooner or later, I guess.

Posted: Fri May 26, 2006 2:58 am
by Maugrim_The_Reaper
If you take the approach of validating all input (correctly, and accounting for magic_quotes), then a second validation of database values has really diminished returns. At this point I'd usually just remember to escape it before it's output to a user.
Posted: Fri May 26, 2006 10:51 am
by RobertGonzalez
jmut wrote:This is exactly how I understood it.
The thing is, do you trust your DB?
Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
Well... ultimately you have to rely on something sooner or later, I guess.

Is there a possibility that data could get hijacked/corrupted while in the database? Sure. But like you said, you have to have some amount of data as your starting point. I typically reject user input that should not be allowed, and seriously validate what is passed to my applications. As for passing information that is coming from your database (as in the case of passing a select option id that was generated by the database) I usually check to make sure it is in the array I set initially, make sure it is of the type I am expecting, etc. But there really is no way to make sure what is in the database is what it is supposed to be (not that I can think of anyway).
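A fuller version of the one-array, two-purposes pattern RobertGonzalez describes above, as an added example rather than code posted in this thread: the option list is loaded once, used to render the select, and then used to validate the submitted value (membership plus type check) before anything is stored or echoed back. The load_options() function, the field name "country" and the ids in it are constructed stand-ins for the real database query.

```php
<?php
// Added example, not from the thread. load_options() simulates the DB query.

// Constructed stand-in for something like "SELECT id, name FROM countries".
function load_options(): array {
    return [12 => 'Australia', 27 => 'Germany', 31 => 'Japan'];
}

// Validate a submitted id against the option array. The browser sends a
// string, so it must be a canonical digit string AND a key of the array;
// anything else (array, "", "12abc", "012", unknown id) is rejected.
function validate_choice(array $options, $posted): ?int {
    if (!is_string($posted) || !ctype_digit($posted)) {
        return null;
    }
    $id = (int) $posted;
    if ((string) $id !== $posted) {   // rejects leading zeros and overflow
        return null;
    }
    return array_key_exists($id, $options) ? $id : null;
}

// Render the select from the same array; escape names on output.
function render_select(array $options, ?int $selected): string {
    $html = '<select name="country">';
    foreach ($options as $id => $name) {
        $sel   = ($id === $selected) ? ' selected' : '';
        $html .= sprintf('<option value="%d"%s>%s</option>',
                         $id, $sel, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

$options = load_options();   // built once, before any form handling

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $choice = validate_choice($options, $_POST['country'] ?? null);
    if ($choice === null) {
        // Not one of our options: reject; never store or echo the raw value.
        http_response_code(400);
        exit('Invalid selection.');
    }
    // $choice is now a known integer id, safe to use in the query that follows.
}

echo render_select($options, $choice ?? null);
```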