ajoo Posted November 22, 2014 Share Posted November 22, 2014 Hi all ! While it is clear that the input in an input text box requires to be filtered or sanitized, yet it is not clear to me if and why would the input of a dropdown menu / checkboxes / radio require to be filtered or sanitized. Can someone tell me if these inputs require sanitization? if yes, can you please explain how these would pose a security threat if left un-sanitized. Thanks ! Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/ Share on other sites More sharing options...
Barand Posted November 22, 2014 Share Posted November 22, 2014 The page it is sent to has no way of knowing whether the input comes from your dropdown or a malevolent source. Assume anything that come from a user source (COOKIE, GET, POST) is suspect. So, yes. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497342 Share on other sites More sharing options...
ajoo Posted November 23, 2014 Author Share Posted November 23, 2014 Hi Guru Barand !! Grateful to you for your help earlier and this reply. Yes I totally overlooked that. What sort of attack would the hacker need to make to send data to the website from a different page? Thank you again. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497354 Share on other sites More sharing options...
QuickOldCar Posted November 23, 2014 Share Posted November 23, 2014 Because someone can use curl and do a POST or make their own form and direct it to your script. Protect and check your incoming data on the receiving script itself, then it doesn't matter where it comes from. Be sure is data you expect, filter/sanitize/escape anything before you use it. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497363 Share on other sites More sharing options...
ajoo Posted November 23, 2014 Author Share Posted November 23, 2014 Hi QOC, Thanks for that tip. Yes I am sanatizing the incoming data. Another thing that i wish to ask is that if I am sanatising a number by using a regex, is it possible for me to add a limit to the numbers as well. For e.g. if i use a regex like this : \Aall\z|[0-9]{1,2} , then this checks for the word 'all' or numbers from 1 to 999. What if I wanted to limit the highest number to 49, that is I wanted numbers from 0 to max number 49, then how can I do that. Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497395 Share on other sites More sharing options...
Barand Posted November 23, 2014 Share Posted November 23, 2014 Have a look at the filter_input() function. Filter options will allow for range checks on integers. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497398 Share on other sites More sharing options...
ajoo Posted November 23, 2014 Author Share Posted November 23, 2014 Thanks Guru Barand, Will do so. I have a few more questions that have occurred to me and which I would like to clarify. I had asked above "What sort of attack would the hacker need to make to send data to the website from a different page? " 1. Would that not be an XSS attack? 2. Is that not prevented by issuing and then checking for the value of a random token String in the forms? Sure I would still use sanitization on the input data but I am just asking this for my own understanding. Also QucikOldCar said "Because someone can use curl and do a POST or make their own form and direct it to your script.". 3. Since I am trying implement captcha on a login form, I am wondering if someone can create POST data using curl or a form, won't the same person be able to also generate captcha values and send them too thus defeating the purpose of captcha? I am not so sure about this one though because I feel that captcha values are server generated and the hacker would not be able to generate those on his own. Kindly clarify Thanks all. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497423 Share on other sites More sharing options...
QuickOldCar Posted November 23, 2014 Share Posted November 23, 2014 Bots and humans alike beat captchas, many of the popular or poorly written ones are being bypassed. They use ocr or even humans to bypass, reuse a session id for capcha images Your best bet is using reCatpcha , although some manage to get past occasionally, google frequently changes it so they can't. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497427 Share on other sites More sharing options...
ajoo Posted November 24, 2014 Author Share Posted November 24, 2014 Wow !! Thank's for that information as well. Wonder what would be next on the security front. By the way I was wrong about the attack that I thought was XSS. That is a CSRF attack. Thanks everybody. Quote Link to comment https://forums.phpfreaks.com/topic/292646-does-dropdown-menu-input-require-filteration/#findComment-1497461 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.