OK, some security expert books mention that we should validate everything.
No matter if it is a select dropdown menu, radio buttons or whatever (things you might think are already validated).
This is true of course, because usually you could spoof the form submission with your own form.
But usually these things are coming from the DB.
How do you dynamically validate these select menus, for example?
After submit, do I get the data used to generate the select menu initially and check it against the value coming from POST?
Is anybody of you actually doing this one?
filter input and spoofing form submission.
Yes.
In dropdowns where I select the data to fill it, I also select the data after submission and check to make sure it's a value I expected.
In plaintext, I always run it through htmlentities().
As a general rule, make sure that form input is what you expect.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
I have a tendency to use postbacks quite a bit, so on a page where I am dynamically generating a select menu, I usually read the result into an array and use the array to create the drop-down. I create the array at the top part of the script, so when the page is posted back the array has already been created and is available for checking against.
<?php
// create the array (stand-in for the database query result)
$options = array(1 => 'Ireland', 2 => 'USA');
if ($_SERVER['REQUEST_METHOD'] == 'POST')
{
    // process the data and check against the array
    $choice = isset($_POST['choice']) ? $_POST['choice'] : '';
    if (!is_string($choice) || !isset($options[$choice])) { die('Invalid selection'); }
}
// create the form using the array
echo '<select name="choice">';
foreach ($options as $id => $name)
{
    echo '<option value="' . $id . '">' . htmlentities($name) . '</option>';
}
echo '</select>';
?>

And what about data coming from a database?
Do you treat it as tainted before you use it, and validate it?
Or do you trust the data because you know it was validated in the first place (when it went into the DB)?
I guess it all depends on the scenario and who has access to this database, but for a critical app the big book advises not to trust it.
Most stuff you might as well constrain on the DB side, but still...
Have any of you done this?
- RobertGonzalez
Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) Developing the form elements (this ensures that the form contains what you want it to) and 2) for validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.
I validate almost everything because you never know when some malicious person will get creative and use your site to practice on. Validate all the time.
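The single-array approach described in the post above, written out as an added example that is not code from the thread: one query fills an array keyed by id, the array renders the select, and the same array (plus a type check, as Everah mentions) validates whatever comes back in $_POST. The country table, its columns, the sample rows and the form field name are assumptions; an in-memory SQLite database stands in for the real one so the script runs on its own.

```php
<?php
// Added example, not code from the thread. Assumes an in-memory SQLite
// database via PDO so it runs stand-alone; the table name, column names and
// the sample rows are constructed for illustration.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE country (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO country (id, name) VALUES (1, 'Ireland'), (2, 'USA'), (3, 'Bulgaria')");
    return $db;
}

/** One query: id => name. The same array renders the <select> and validates the POST. */
function loadCountries(PDO $db): array
{
    return $db->query('SELECT id, name FROM country ORDER BY name')
              ->fetchAll(PDO::FETCH_KEY_PAIR);
}

/** Build the drop-down from the array, escaping the names on output. */
function renderSelect(array $options, ?int $selected = null): string
{
    $html = '<select name="country">';
    foreach ($options as $id => $name) {
        $sel = ($id === $selected) ? ' selected' : '';
        $html .= sprintf('<option value="%d"%s>%s</option>',
            $id, $sel, htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $html . '</select>';
}

/**
 * Validate a raw POST value against the same array. Returns the id on
 * success, null on any deviation: missing field, array instead of string
 * (country[]=1), non-digit text, or an id that is not in the array.
 * The value is checked as a digit string first so that "2abc", " 2" or
 * "1e3" are rejected instead of being silently cast to an integer.
 */
function validateCountry(array $options, $raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $id = (int) $raw;
    return array_key_exists($id, $options) ? $id : null;
}

$db = openDb();
$countries = loadCountries($db);

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $country = validateCountry($countries, $_POST['country'] ?? null);
    if ($country === null) {
        http_response_code(400);
        exit('Invalid country.');
    }
    // ... process $country, which is now known to be a real country id ...
}

echo renderSelect($countries, $country ?? null);
```

The strict checks in validateCountry are the part worth copying: a spoofed form can submit any string, an array, or nothing at all for the field, and each of those has to fail the same way rather than being coerced into something that happens to match a key.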
Everah wrote:
    Sorry, I should have been more clear. What I meant was that I create an array from the database. I use that one single array for two things: 1) developing the form elements (this ensures that the form contains what you want it to) and 2) validating $_POST data against (when the form is submitted I run it against the array to see if it is in the array). One array, one DB query, two purposes, two results.
    I validate almost everything because you never know when some malicious person will get creative and use your site to practice on. Validate all the time.

This is exactly how I understood it.
The thing is, do you trust your DB?
Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
Well... ultimately you have to rely on something sooner or later, I guess.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
- RobertGonzalez
jmut wrote:
    This is exactly how I understood it.
    The thing is, do you trust your DB?
    Maybe some other script or something could harm the DB... hence a problem when creating/validating form elements using the DB.
    Well... ultimately you have to rely on something sooner or later, I guess.

Is there a possibility that data could get hijacked/corrupted while in the database? Sure. But like you said, you have to have some amount of data as your starting point. I typically reject user input that should not be allowed, and seriously validate what is passed to my applications. As for passing information that is coming from your database (as in the case of passing a select option id that was generated by the database), I usually check to make sure it is in the array I set initially, make sure it is of the type I am expecting, etc. But there really is no way to make sure what is in the database is what it is supposed to be (not that I can think of anyway).
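One way to act on jmut's "constrain on the DB side" remark and still treat what comes back out of the database as untrusted, as an added example that is not the thread's own code: a foreign key from the stored answer to the lookup table means a spoofed select value is rejected by the database even if the application-side check is bypassed or forgotten, and rows read back are re-checked against the lookup table and escaped at output. The signup table, its columns and the sample data are assumptions; an in-memory SQLite database is used so it runs stand-alone.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite database
// through PDO so it runs stand-alone; table and column names are constructed.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('PRAGMA foreign_keys = ON');   // SQLite ignores FKs unless enabled per connection
    $db->exec('CREATE TABLE country (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO country (id, name) VALUES (1, 'Ireland'), (2, 'USA')");
    // The constraint is the second line of defence: a country_id that is not
    // in the lookup table cannot be stored, whatever the form submitted.
    $db->exec('CREATE TABLE signup (
        id         INTEGER PRIMARY KEY,
        email      TEXT NOT NULL CHECK (length(email) <= 254),
        country_id INTEGER NOT NULL REFERENCES country(id)
    )');
    return $db;
}

/** Returns true if the row was stored, false if the database rejected it. */
function storeSignup(PDO $db, string $email, int $countryId): bool
{
    $stmt = $db->prepare('INSERT INTO signup (email, country_id) VALUES (:email, :cid)');
    try {
        $stmt->execute([':email' => $email, ':cid' => $countryId]);
        return true;
    } catch (PDOException $e) {
        // Constraint violation: unknown country id or overlong email.
        return false;
    }
}

/**
 * Rows read back are treated like any other input: the id is looked up again
 * in the country table and text is escaped at the point of output, so a value
 * written by some other script still cannot inject markup into the page.
 */
function renderSignups(PDO $db): string
{
    $countries = $db->query('SELECT id, name FROM country')->fetchAll(PDO::FETCH_KEY_PAIR);
    $out = '';
    foreach ($db->query('SELECT email, country_id FROM signup') as $row) {
        $name = $countries[(int) $row['country_id']] ?? '(unknown)';
        $out .= sprintf("<li>%s (%s)</li>\n",
            htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $out;
}

$db = openDb();
var_dump(storeSignup($db, 'a@example.com', 1));
var_dump(storeSignup($db, 'b@example.com', 99));   // 99 is not a country: the FK rejects it
echo renderSignups($db);
```

The second insert is refused by the database itself, which is the point of the constraint: the whitelist check in PHP catches the spoofed value first, but if a different script or a later refactor skips that check, the foreign key still holds. Escaping on the way out covers the remaining case the thread raises, data that was altered while sitting in the database.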