floridaflatlander Posted November 19, 2013
A PHP freak came into my site and did some testing for me and entered an item without a category. Categories are 1 or greater than 1, and he entered a category of 0. I have since placed a query in the code to check the values of the categories entered, but I was wondering how he did it, so I ask the question in the title. How did a user bypass the select option?
mac_gyver Posted November 19, 2013
All external data can be anything that someone or a bot script chooses to submit, cannot be trusted, and must be validated to ensure it is an expected value or within an expected range of values. Someone or a bot script doesn't need your form at all in order to submit data to your form processing code.
Ch0cu3r Posted November 19, 2013
This most probably happened due to poor validation. You are not checking to make sure that the category is valid before inserting your record into the database.
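
An added example (not code from any poster in this thread) of the server-side check the replies above describe: the submitted category is accepted only if it is a whole number of 1 or more and is one of the ids the site actually has. The function name, the `category` field name and the sample ids are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Validate a submitted category id on the server (hypothetical helper).
 * $input           the request data (normally $_POST)
 * $validCategories ids that really exist (normally loaded from the categories table)
 * Returns the id as an int, or null if the submission must be rejected.
 */
function validate_category(array $input, array $validCategories): ?int
{
    // The form's <select> is not enforced by the server: the field may be
    // missing or may not be a single value at all.
    if (!isset($input['category']) || !is_scalar($input['category'])) {
        return null;
    }

    // Whole number >= 1 only: rejects "0", "-3", "2.5" and "abc".
    $id = filter_var($input['category'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        return null;
    }

    // Being in range is not enough: the id must be one the site offers.
    return in_array($id, $validCategories, true) ? $id : null;
}

// Constructed sample data: category ids and request bodies as they might
// arrive from the real form or from a request that never used the form.
$validCategories = [1, 2, 3, 7];
$submissions = [
    'form select'   => ['title' => 'Item', 'category' => '2'],
    'category of 0' => ['title' => 'Item', 'category' => '0'],
    'field missing' => ['title' => 'Item'],
    'not a scalar'  => ['title' => 'Item', 'category' => ['1']],
    'not a number'  => ['title' => 'Item', 'category' => 'abc'],
    'unknown id'    => ['title' => 'Item', 'category' => '99'],
];

foreach ($submissions as $label => $post) {
    $id = validate_category($post, $validCategories);
    printf("%-14s %s\n", $label, $id === null ? 'rejected' : "accepted (id $id)");
}
```

Only the first submission is accepted; the insert should run only when the function returns an id.
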
Solution JIXO Posted November 19, 2013
For answering how, there are many ways to manipulate a POST request. If you have Firefox installed, download the Tamper Data extension and see for yourself; it's simple enough.
floridaflatlander Posted November 19, 2013 Author
Thanks all