
Hi all !

 

While it is clear that the input from a text box needs to be filtered or sanitized, it is not clear to me if, and why, the input from a dropdown menu / checkboxes / radio buttons would need to be filtered or sanitized.

 

Can someone tell me if these inputs require sanitization? If yes, can you please explain how they would pose a security threat if left unsanitized.

 

Thanks!

The page it is sent to has no way of knowing whether the input comes from your dropdown or a malevolent source. Assume anything that comes from a user source (COOKIE, GET, POST) is suspect.

 

So, yes.

Because someone can use curl and do a POST or make their own form and direct it to your script.

 

Protect and check your incoming data on the receiving script itself, then it doesn't matter where it comes from.

Be sure it is data you expect; filter/sanitize/escape anything before you use it.

Hi QOC, thanks for that tip. Yes, I am sanitizing the incoming data.

 

Another thing that I wish to ask is, if I am sanitizing a number by using a regex, is it possible for me to add a limit to the numbers as well?

 

For example, if I use a regex like this: \Aall\z|[0-9]{1,2} , then this checks for the word 'all' or numbers from 1 to 999.

 

What if I wanted to limit the highest number to 49, that is, I wanted numbers from 0 up to a maximum of 49? How can I do that?

 

Thanks.
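The two questions above (whether dropdown/checkbox values need checking, and how to cap a number at 49) come down to the same thing: the receiving script validates every field against what it is willing to accept, whatever client produced the request. Below is an added Python example, not code from this thread or from any of its posters; the field names "colour" and "count", the allowed colours, and the simulated POST bodies are constructed for illustration. It also shows why the pattern must be anchored over the whole value: with the alternation anchored only on the "all" branch, the digit branch will match inside a longer string.

```python
import re

# Constructed whitelist: the exact values the dropdown offers. A POST built with curl
# or a copied form can carry anything, so membership in this set is the real check.
ALLOWED_COLOURS = {"red", "green", "blue"}

# fullmatch() requires the whole string to match, so "12abc" or "all; DROP TABLE"
# cannot pass. [0-9]{1,2} admits 0..99; the numeric cap is applied separately below.
NUMBER_OR_ALL = re.compile(r"all|[0-9]{1,2}")

# The loosely anchored form (\A...\Z only on the first alternative). Kept only to
# demonstrate the failure mode; search() finds the two digits inside any string.
LOOSE_PATTERN = re.compile(r"\Aall\Z|[0-9]{1,2}")


def loose_accepts(value):
    """True if the under-anchored pattern finds a match anywhere in the value."""
    return LOOSE_PATTERN.search(value) is not None


def validate_colour(value):
    """Return the colour if it is one of the offered options, else None."""
    return value if value in ALLOWED_COLOURS else None


def validate_count(value, max_value=49):
    """Return 'all', an int in 0..max_value, or None for anything else.

    The regex bounds the shape of the input; the numeric comparison bounds the range,
    which is simpler and less error-prone than encoding 0..49 in the regex itself.
    """
    if not isinstance(value, str) or NUMBER_OR_ALL.fullmatch(value) is None:
        return None
    if value == "all":
        return "all"
    number = int(value)
    return number if 0 <= number <= max_value else None


def handle_post(form):
    """Validate a constructed POST body (dict of str -> str) in the receiving script.

    The function does not care whether a browser dropdown or a hand-made request
    produced the values; every field is checked against the allowed set or range.
    """
    errors = {}
    colour = validate_colour(form.get("colour", ""))
    if colour is None:
        errors["colour"] = "not one of the offered options"
    count = validate_count(form.get("count", ""))
    if count is None:
        errors["count"] = "must be 'all' or a number from 0 to 49"
    return {"ok": not errors, "colour": colour, "count": count, "errors": errors}


if __name__ == "__main__":
    # Constructed sample requests: one from the real form, two that bypass it.
    for body in ({"colour": "red", "count": "7"},
                 {"colour": "purple", "count": "all"},
                 {"colour": "blue", "count": "12abc"}):
        print(body, "->", handle_post(body))
```

The regex-and-compare split is the usual way to cap a range: a pattern such as [0-4]?[0-9] would also express 0..49, but it has to be rewritten for every new limit, whereas the integer comparison takes the maximum as a parameter.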

 

 

Thanks Guru Barand, 

 

Will do so.

 

I have a few more questions that have occurred to me and which I would like to clarify.

 

I had asked above "What sort of attack would the hacker need to make to send data to the website from a different page? " 

1. Would that not be an XSS attack? 

2. Is that not prevented by issuing and then checking for the value of a random token String in the forms? 

 

Sure I would still use sanitization on the input data but I am just asking this for my own understanding.

 

Also, QuickOldCar said

 

"Because someone can use curl and do a POST or make their own form and direct it to your script."

 

3. Since I am trying to implement a captcha on a login form, I am wondering: if someone can create POST data using curl or a form, won't the same person also be able to generate captcha values and send them too, thus defeating the purpose of the captcha? I am not so sure about this one, though, because I feel that captcha values are server generated and the hacker would not be able to generate those on his own.

 

Kindly clarify.

 

Thanks all.  
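The random token check asked about in questions 1 and 2 is the standard defence against cross-site request forgery (CSRF), which is a different problem from XSS: it proves the submission was built from a page the server itself issued to this session. The added Python example below (not code from this thread; session and request objects are plain dicts standing in for a real framework's) shows the issue/check cycle and why it does not replace field validation: a scripted client that first fetches the form in its own session receives a valid token and passes the check, so the receiving script still validates every field.

```python
import hmac
import secrets


def issue_token(session):
    """Create (or reuse) the per-session random token embedded in the form as a hidden field.

    The session is a constructed dict standing in for server-side session storage;
    the token never comes from the client, only from this function.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def check_token(session, submitted):
    """True only if the submitted value equals the token issued to this very session.

    compare_digest() is a constant-time comparison, so the check leaks no timing
    information about how many leading characters of the token were right.
    """
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def render_form(session):
    """Simulate serving the form page: the hidden field carries the session's token."""
    return {"hidden_fields": {"csrf_token": issue_token(session)}}


def handle_post(session, form, validate_fields):
    """Process a constructed POST body: token first, then per-field validation.

    validate_fields(form) returns a dict of field errors (empty when all is well);
    it runs regardless of how the request was produced.
    """
    if not check_token(session, form.get("csrf_token", "")):
        return {"ok": False, "reason": "missing or wrong token"}
    errors = validate_fields(form)
    if errors:
        return {"ok": False, "reason": "field validation failed", "errors": errors}
    return {"ok": True, "reason": "accepted"}


def only_known_options(form):
    """Constructed validator: the single field 'choice' must be one of three options."""
    return {} if form.get("choice") in {"a", "b", "c"} else {"choice": "not offered"}


def scenarios():
    """Three constructed submissions against the same victim session."""
    victim = {}
    page = render_form(victim)
    # 1. A form served by another site cannot know this session's token.
    forged = handle_post(victim, {"choice": "a"}, only_known_options)
    # 2. A token from a different session is not this session's token either.
    other = {}
    render_form(other)
    stolen = handle_post(victim, {"choice": "a", "csrf_token": other["csrf_token"]},
                         only_known_options)
    # 3. A scripted client that fetched the real form holds a valid token, so only the
    #    field check stands between an invented option value and the application.
    scripted = handle_post(victim, {"choice": "zzz",
                                    "csrf_token": page["hidden_fields"]["csrf_token"]},
                           only_known_options)
    return forged, stolen, scripted


if __name__ == "__main__":
    for name, result in zip(("forged", "stolen", "scripted"), scenarios()):
        print(name, "->", result)
```

Tying the token to the session is what makes scenario 1 fail: the attacker's page can trigger the victim's browser to submit, but cannot read the token out of a page the victim was served. A per-session token is reused across forms; a per-request token is stricter but has to be stored and invalidated on each submission.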

 

Bots and humans alike beat captchas; many of the popular or poorly written ones are being bypassed.

 

They use OCR or even humans to bypass them, or reuse a session id for captcha images.

 

Your best bet is using reCAPTCHA; although some manage to get past it occasionally, Google frequently changes it so they can't.
