How to protect yourself from malicious entry through a select dropdown?


0

I have a form with a select that has a few options, for example:

<select id="sel1" name="sel1">
    <option disabled selected style="display: none">Titulo</option>
    <option value="op1">op1</option>
    <option value="op2">op2</option>
    <option value="op3">op3</option>
</select>

My question is: is it sufficient to handle this input with mysqli_real_escape_string? Example:

$sel1 =  mysqli_real_escape_string($con, $_POST['sel1']);

Or do I need to take more care? If so, what should I look at?

2 answers

1

One possible way to validate would be to use PHP's in_array function to make this check.

// Strict comparison (third argument true): the value must be exactly one of these strings.
if (! in_array($_POST['valor'], ['opt1', 'opt2', 'opt3'], true)) {
   // invalid: the value is not one of the options the form offers
}

Because someone could edit the value of your select via the browser's developer tools, that person could easily insert an unknown value into your database table.

See:

[image: Security in a Select]

In the example above, I could simply change the value in the front-end and submit the form.

Furthermore, there are tools that allow sending a form regardless of how it is defined, such as the Postman plugin for Google Chrome. With it you can send requests to a given URL, passing whatever value you want. So, knowing the URL, I can send whatever I want to your server.

That is why I strongly recommend that validation always be done on the server, since the structure for sending data on the client side (HTML and JavaScript) does not guarantee that the data is genuine.

It is important to define what you want to receive on the server.

A very common error I see is using the $_GET variable to get the name of the page that will be included.

Example:

$page = $_GET['page'];
include 'paginas/' . $page . '.php'; // no validation: whatever the client sends becomes part of the file name

In the example above you obviously expect a string. But to gauge the programmer's level of knowledge, just pass page[]=1 as a parameter. It will not be surprising if an "Array to string conversion" notice appears, since this was not expected.

In such cases, uglier errors appear for lack of verification and validation.

In this case a simple filter_var or filter_input would solve the problem.

// With the default filter, filter_input requires a scalar: it returns false
// when the parameter is an array (page[]=1) and null when it is absent.
$page = filter_input(INPUT_GET, 'page');

if ($page === false) exit;

include 'paginas/' . $page . '.php';

mysql_escape_string alone does not guarantee anything. I suggest always formatting and validating the data into the shape you want to receive.

In short: you should never rely solely on client-side validation (the browser), since everything can be manipulated.

  • "then you would have an unknown option there in your database table": could that be an injection command?

  • @Magichat I will post a more complete example at lunch. It's a quieter time :p. But in advance: if the guy edits the "value" of his "option" he can even send an array to your backend if he wants.

  • No hurry, buddy... Thanks

  • @Magichat if the guy does name="sel[][][]", you may receive an array in an unexpected place. I will write up an answer that shows how to use filter_var or filter_input.

  • Without this filter, anyone could send an "opXXXX" as the value of "sel1", for example "sel1=Queéop"; then you would store "Queéop" in the database even though it was not a valid option (the only "valid" values would be op1, op2 and op3).

  • @Inkeliz Exactly. Ever heard of "Postman"? You can put anything in the form and submit it :p

  • @Wallacemaxters if possible, also address the first option of the dropdown list, which does not have a name: do I have to take some care with it too?

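The include example in the answer above shows the scalar check, but a scalar is not the only property the page name needs: a string such as "../config" passes filter_input unchanged and is still concatenated into the path. The following is an added example, not code from the original answer, that resolves the page parameter against a fixed allow list instead of building a path from client input. The page names, the paginas/ directory layout and the error response are assumptions for the illustration.

```php
<?php
// Added example, not from the original answer: resolve ?page=... through an
// allow list instead of concatenating client input into a file path.
// Page names and file locations below are hypothetical.

declare(strict_types=1);

// The only files that may ever be included, keyed by the value the client sends.
const ALLOWED_PAGES = [
    'home'    => 'paginas/home.php',
    'contact' => 'paginas/contact.php',
    'about'   => 'paginas/about.php',
];

/**
 * Return the file to include for the current request, or null when the
 * request is not acceptable. The caller decides how to respond to null.
 */
function resolvePage(): ?string
{
    // Default (scalar) filter: false for arrays such as page[]=1, null when absent.
    $page = filter_input(INPUT_GET, 'page');

    if ($page === null || $page === false) {
        return null;
    }

    // Exact key lookup: "../config", "home/../../x" or any other string that is
    // not literally one of the keys above yields null, so no path is ever built
    // from what the client sent.
    return ALLOWED_PAGES[$page] ?? null;
}

$file = resolvePage();
if ($file === null) {
    http_response_code(400);
    exit('invalid page');
}

include $file;
```

The lookup replaces string building entirely: the client chooses a key, the server chooses the path. Adding a page means adding one entry to the array, which is also the only place to audit when asking "what can this endpoint include?".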

1

I would say that the basic rule for any information sent by the user is "never trust the information sent by the client".

I must say that I don't work with PHP, but this applies to any language: while using mysqli_real_escape_string or its equivalents in other languages gives you the assurance (if used correctly) that you will not have a SQL injection problem, it does not guarantee that the information the user sent is correct.

You should always validate all the information the user sends. In the case of a dropdown, you should make sure the user could actually have chosen the value that was sent. Usually you do two validations: one in JavaScript, which is not strictly necessary but helps avoid incorrect submissions by legitimate users, and the other, which is mandatory, on the server, because only there can you be sure the data is correct.
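Putting both answers together for the select in the question, the following is an added example, not code from either answer, of the server-side check: the value must be present, must be a string (a client that renames the field to sel1[] sends an array), and must be exactly one of the options the form offers. It then stores the value with a mysqli prepared statement rather than mysqli_real_escape_string; that is a swapped-in technique, not what the question uses, and the connection details, table and column names are placeholders.

```php
<?php
// Added example, not from the original page: validate the select value on the
// server, then store it as a bound parameter. Database credentials, the table
// "respostas" and its column "sel1" are placeholders.

declare(strict_types=1);

// The values the form legitimately offers. The disabled "Titulo" option has no
// value attribute, so a form submitted without a choice either omits sel1 or
// sends the option text, neither of which is in this list.
const SEL1_OPTIONS = ['op1', 'op2', 'op3'];

/**
 * Return the validated option, or null when the submission is not one of the
 * options the form offers. The caller decides how to respond to null.
 */
function validateSel1(array $post): ?string
{
    // Key absent: nothing was chosen, or the field was removed in the client.
    if (!array_key_exists('sel1', $post)) {
        return null;
    }

    $value = $post['sel1'];

    // name="sel1[]" (or deeper nesting) arrives as an array; reject it before
    // it reaches anything that expects a string.
    if (!is_string($value)) {
        return null;
    }

    // Strict comparison: byte-for-byte equal to one of the listed options.
    return in_array($value, SEL1_OPTIONS, true) ? $value : null;
}

$sel1 = validateSel1($_POST);
if ($sel1 === null) {
    http_response_code(400);
    exit('sel1 is not a valid option');
}

// The value is bound as a parameter, so MySQL receives it as data, never as SQL
// text. Escaping the string is no longer what keeps the query safe.
$con  = new mysqli('localhost', 'user', 'password', 'database');
$stmt = $con->prepare('INSERT INTO respostas (sel1) VALUES (?)');
$stmt->bind_param('s', $sel1);
$stmt->execute();
$stmt->close();
```

Note the two separate concerns the second answer draws out: the allow list decides whether the value is one the user could have chosen, and the prepared statement decides how it reaches the database. Neither one does the other's job, which is why escaping alone was not enough.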
