ajoo, November 22, 2014:
Hi all! While it is clear that the input from a text box needs to be filtered or sanitized, it is not clear to me if, and why, the input from a dropdown menu / checkboxes / radio buttons needs to be filtered or sanitized. Can someone tell me if these inputs require sanitization? If yes, can you please explain how these would pose a security threat if left unsanitized. Thanks!
Barand, November 22, 2014:
The page it is sent to has no way of knowing whether the input comes from your dropdown or from a malevolent source. Assume anything that comes from a user source (COOKIE, GET, POST) is suspect. So, yes.
ajoo (author), November 23, 2014:
Hi Guru Barand!! Grateful to you for your help earlier and for this reply. Yes, I totally overlooked that. What sort of attack would the hacker need to make to send data to the website from a different page? Thank you again.
QuickOldCar, November 23, 2014:
Because someone can use curl and do a POST, or make their own form and direct it to your script. Protect and check your incoming data on the receiving script itself; then it doesn't matter where it comes from. Be sure it is data you expect, and filter/sanitize/escape anything before you use it.
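As an added illustration of the point Barand and QuickOldCar make (this is editor-added example code, not posted by anyone in the thread), the receiving PHP script below re-checks "dropdown", "radio" and "checkbox" values against its own list of allowed options instead of trusting that the HTML form only offered those options. The field names and allowed values are invented for the example, and it assumes PHP 7 or later.

```php
<?php
// Added example (not from the thread): validate values that supposedly came
// from a dropdown, a radio group and a checkbox list exactly as if they were
// typed by hand, because the receiving script cannot tell the difference.
// Field names (colour, size, toppings) and their options are invented.

// The only values the HTML form offers. The server keeps its own copy of
// each list; the HTML is just a convenience for honest users.
const ALLOWED_COLOURS  = ['red', 'green', 'blue'];          // <select>
const ALLOWED_SIZES    = ['s', 'm', 'l'];                   // radio buttons
const ALLOWED_TOPPINGS = ['cheese', 'olives', 'mushroom'];  // checkboxes

/**
 * Return the submitted value if it is exactly one of $allowed, else null.
 * Third argument true => strict comparison, so an array (from name="colour[]")
 * or a look-alike value is rejected instead of being coerced.
 */
function pick_one(array $input, string $field, array $allowed): ?string
{
    $value = $input[$field] ?? null;
    if (!is_string($value) || !in_array($value, $allowed, true)) {
        return null;
    }
    return $value;
}

/**
 * Checkboxes arrive as an array (or not at all if none are ticked).
 * Keep only entries that are in the whitelist; drop duplicates and junk.
 */
function pick_many(array $input, string $field, array $allowed): array
{
    $values = $input[$field] ?? [];
    if (!is_array($values)) {
        return [];  // someone sent toppings=foo instead of toppings[]=...
    }
    $clean = [];
    foreach ($values as $v) {
        if (is_string($v) && in_array($v, $allowed, true)) {
            $clean[$v] = true;  // using the value as a key de-duplicates
        }
    }
    return array_keys($clean);
}

// Constructed sample of what a tampered request (curl or a home-made form)
// might deliver: an option that was never in the dropdown, a duplicated
// checkbox, and a 1000-character "checkbox value".
$_POST = [
    'colour'   => 'purple',
    'size'     => 'm',
    'toppings' => ['cheese', 'cheese', str_repeat('A', 1000), 'olives'],
];

$colour   = pick_one($_POST, 'colour', ALLOWED_COLOURS);     // NULL -> reject
$size     = pick_one($_POST, 'size', ALLOWED_SIZES);         // "m"
$toppings = pick_many($_POST, 'toppings', ALLOWED_TOPPINGS); // ["cheese", "olives"]
var_dump($colour, $size, $toppings);

if ($colour === null || $size === null) {
    http_response_code(400);
    exit('Invalid form data');
}
// From here on $colour, $size and $toppings hold only values this script
// chose itself. Still use prepared statements for SQL and htmlspecialchars()
// when echoing, since the database and the browser each need their own escaping.
```

The whitelist lives in the script, not in the form: the HTML `<select>` can be edited in the browser's developer tools or bypassed entirely with curl, so the only list that counts is the one the server compares against.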
ajoo (author), November 23, 2014:
Hi QOC, thanks for that tip. Yes, I am sanitizing the incoming data. Another thing that I wish to ask is: if I am sanitizing a number by using a regex, is it possible for me to add a limit to the numbers as well? E.g. if I use a regex like this: \Aall\z|[0-9]{1,2}, then this checks for the word 'all' or numbers from 1 to 999. What if I wanted to limit the highest number to 49, that is, I wanted numbers from 0 to a max number of 49; how can I do that? Thanks.
Barand, November 23, 2014:
Have a look at the filter_input() function. Filter options will allow for range checks on integers.
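Editor-added example (not code posted by Barand or ajoo) of the range check Barand refers to, applied to the exact case asked about: accept either the literal word "all" or an integer from 0 to 49. It uses filter_var() on a constructed value so it can be run from the command line; the `$options` array is the same one you would pass as the fourth argument of filter_input(INPUT_POST, 'count', FILTER_VALIDATE_INT, $options). The field name "count" is assumed.

```php
<?php
// Added example (not from the thread): "all" or an integer 0..49, nothing else.

const COUNT_OPTIONS = [
    'options' => ['min_range' => 0, 'max_range' => 49],
];

/**
 * Returns the string "all", an int in 0..49, or null if the value is rejected.
 * FILTER_VALIDATE_INT accepts only a well-formed decimal integer (optional
 * sign, no leading zeros, no exponent, no trailing text) and, with the
 * range options, rejects anything below 0 or above 49.
 */
function parse_count($raw)
{
    if ($raw === 'all') {      // strict: "ALL" and "all " are not accepted
        return 'all';
    }
    if (!is_string($raw)) {    // an array from count[]=... is never an int
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, COUNT_OPTIONS);
    // filter_var() returns false on failure; compare with === so that a
    // legitimate 0 is not mistaken for failure.
    return $n === false ? null : $n;
}

// Constructed inputs covering the edge cases.
$samples = ['all', '0', '49', '50', '-1', '7abc', '1e2', '', 'ALL', ['49']];
foreach ($samples as $raw) {
    $shown = is_array($raw) ? 'array(49)' : var_export($raw, true);
    echo str_pad($shown, 12), ' => ', var_export(parse_count($raw), true), PHP_EOL;
}
// 'all' => 'all', '0' => 0, '49' => 49; every other sample => NULL
```

A regex such as `[0-9]{1,2}` can only constrain the number of digits, not the numeric value, which is why a range check belongs in the integer filter rather than in the pattern. Note also that the second alternative in the regex from the question has no `\A`/`\z` anchors, so the pattern would match any string that merely contains a digit somewhere; the filter approach avoids that class of mistake.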
ajoo (author), November 23, 2014:
Thanks Guru Barand, will do so. I have a few more questions that have occurred to me and which I would like to clarify. I had asked above, "What sort of attack would the hacker need to make to send data to the website from a different page?"
1. Would that not be an XSS attack?
2. Is that not prevented by issuing and then checking for the value of a random token string in the forms? Sure, I would still use sanitization on the input data, but I am just asking this for my own understanding.
Also, QuickOldCar said, "Because someone can use curl and do a POST or make their own form and direct it to your script."
3. Since I am trying to implement a captcha on a login form, I am wondering: if someone can create POST data using curl or a form, won't the same person be able to also generate captcha values and send them too, thus defeating the purpose of the captcha? I am not so sure about this one though, because I feel that captcha values are server generated and the hacker would not be able to generate those on his own.
Kindly clarify. Thanks all.
QuickOldCar, November 23, 2014:
Bots and humans alike beat captchas; many of the popular or poorly written ones are being bypassed. They use OCR or even humans to bypass them, or reuse a session id for captcha images. Your best bet is using reCaptcha; although some manage to get past it occasionally, Google frequently changes it so they can't.
ajoo (author), November 24, 2014:
Wow!! Thanks for that information as well. Wonder what would be next on the security front. By the way, I was wrong about the attack that I thought was XSS. That is a CSRF attack. Thanks everybody.
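Editor-added example (not code from any poster) of the "random token string in the forms" asked about in question 2, which is the standard defence against the CSRF attack ajoo identifies in the last post. Function names are assumed, and it requires PHP 7 or later for random_bytes(). One caveat worth stating plainly, since it bears on the rest of the thread: the token stops a third-party page from making a logged-in visitor's browser submit your form, because that page cannot read the token stored in the victim's session. It does nothing against someone driving curl against their own session, which is why the server-side validation discussed above is still needed.

```php
<?php
// Added example (not from the thread): a per-session anti-CSRF token.
// Assumes PHP 7+ (random_bytes) and that sessions are already in use.

session_start();

/** Create the token once per session and return it for embedding in forms. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded: unguessable, safe in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to drop inside every state-changing <form>. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Verify the token in a submitted request. hash_equals() compares in
 * constant time so an attacker cannot learn the token byte by byte from
 * response timing.
 */
function csrf_check(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    $real = $_SESSION['csrf_token'] ?? '';
    return is_string($sent) && $real !== '' && hash_equals($real, $sent);
}

// Rendering the form (GET request) would look like:
//   echo '<form method="post" action="login.php">' . csrf_field() . ' ... </form>';

// Handling the submission (POST request). Constructed samples:
$forged  = ['username' => 'alice', 'password' => 'x', 'csrf_token' => 'guess'];
$genuine = ['username' => 'alice', 'password' => 'x', 'csrf_token' => csrf_token()];
var_dump(csrf_check($forged));   // bool(false): cross-site page cannot know the token
var_dump(csrf_check($genuine));  // bool(true)

// In the real handler, reject before doing anything with the other fields:
//   if (!csrf_check($_POST)) { http_response_code(403); exit('Bad or missing CSRF token'); }
```

Check the token before touching any other field, and keep the token out of URLs (hidden POST field only), since query strings end up in logs and Referer headers.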