MatthewPatten Posted December 4, 2014

How can I prevent someone from making an invalid selection in a form? Let's say I had a select dropdown box and someone saved the HTML source from the browser, changed an item in the list, and changed the action to point back to my server, e.g. action="testsite.com/index.php". Then they open the file and try to submit the form.
ginerjm Posted December 4, 2014

That's an important thing to program for! Try sending a hidden field with your form having a random value in it. Save that 'token' in your session. Then, when the form is submitted, check that incoming value against the saved session var. Of course, one should always validate all input at the server anyway.
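The hidden-token check ginerjm describes, written out as an added example (this is not code from the thread): a random value is generated with random_bytes(), stored in the session, echoed into a hidden field, and compared on submit with hash_equals(). It assumes PHP 7 or later and that nothing else in the application starts the session. A mismatch rejects a form that was not served to this session (a saved copy, or a request from another session); a match says nothing about whether the selected value is one the server offered, which is the separate check the later replies in this thread cover.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7 (random_bytes, hash_equals)
// and that this file is the only place that starts the session.
declare(strict_types=1);
session_start();

// Create a token for this session on first use and return it for the hidden field.
function form_token(): string
{
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

// True only if a string token was submitted and it matches the one saved in the session.
// is_string() rejects token[]=x tricks; hash_equals() compares in constant time.
function form_token_valid($submitted): bool
{
    if (!is_string($submitted) || empty($_SESSION['form_token'])) {
        return false;
    }
    return hash_equals($_SESSION['form_token'], $submitted);
}

$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!form_token_valid($_POST['token'] ?? null)) {
        // The form was not served to this session (saved copy, other session, or no token).
        http_response_code(403);
        exit('Invalid form token.');
    }
    // Token matched. The posted "course" still has to be validated against the
    // list of allowed values; the token alone does not constrain it.
    $message = 'Token accepted; the selected course still has to be checked against the allowed list.';
}
?>
<?php if ($message !== ''): ?>
<p><?= htmlspecialchars($message, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form action="index.php" method="POST">
    <input type="hidden" name="token" value="<?= htmlspecialchars(form_token(), ENT_QUOTES, 'UTF-8') ?>">
    <select name="course" size="1">
        <option value="">-- Select Course --</option>
        <option value="CS101">CS101</option>
    </select>
    <input type="submit" value="Send">
</form>
```

The token is generated once per session rather than per request so that a user with two tabs open does not get one of them rejected; rotating it after a successful submit is a reasonable tightening.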
MatthewPatten Posted December 4, 2014 (Author)

Quoting ginerjm: "That's an important thing to program for! Try sending a hidden field with your form having a random value in it. Save that 'token' in your session. Then, when the form is submitted, check that incoming value against the saved session var. Of course, one should always validate all input at the server anyway."

What would that look like?
Barand Posted December 4, 2014

http://phpsecurity.org/code/ch02-5
MatthewPatten Posted December 4, 2014 (Author)

Thank you!

Edited December 4, 2014 by MatthewPatten
Psycho Posted December 4, 2014

Using a hidden field with a "token" is fine if the user is recreating the form and submitting it directly, but it still has gaps. It is very easy to use a tool like Fiddler to capture requests from the browser and edit the data before allowing the request to go out to the server. A hidden field holding a token to tie the request to the session would do nothing to prevent such a modification.

To put it simply, you can NEVER trust any data being supplied from the user. For a select list, you should have logic to create the list of valid values. You need to re-purpose that logic to verify if the submitted value is valid. If you build your select list from a DB query, then you should run a query to see if the submitted value is in the DB. If the list is "fixed", I would suggest creating an array of the values. Use that array to build the list and use the same array to verify the submitted value.

If coded properly, you should not need to modify code to add/edit/remove values from a select list to update the list or to verify the values. You should just need to update the DB, edit an array, etc., and it should all just work.
CroNiX Posted December 4, 2014

Psycho is correct; just using a token isn't nearly enough and is only PART of the solution. All I have to do is open up my browser's developer tools and change the value in the form itself and submit it, while I'm on your site (no downloading HTML locally, altering it and submitting it). It will accept the token you added because the correct token would be present, and still submit the "illegal" value that I manually altered. And since you aren't doing any data validation, your app will just accept the illegal value.

So to reiterate: NEVER TRUST USER DATA without validating that it is the correct type/format/whatever that you need for each value being submitted by the user, whether it's form POST data, or GET data, or anything else.

So let's say your dropdown has 3 options in it that submit either "1", "2" or "3" as the value. When the form is submitted, you must check to see that the value was either "1", "2" or "3" (the only legal/valid choices), whether it's a db query to see that the value exists in the db or some other way (checking against an array of acceptable values if the values are hardcoded and not coming from the db). If the value was "4" or "A", you need to reject it and have an error that the user submitted an illegal value and to try again.
MatthewPatten Posted December 6, 2014 (Author)

I am trying to stop an invalid selection (validate selection) from happening if a user modifies the source code. However, I am unsure of how to do so. Here is my code below:

<form action="index.php" method="POST">
<?php
// $link, $success, $found, $findregistered, $number_max and $course_name are set by code not shown in this post.
if (isset($_POST['course'])) {
    $course = $_POST['course'];

    // Prints if the student has been successfully enrolled into the course
    if ($success == 1) {
        echo '<font color="#12df12">You have successfully enrolled in ' . htmlspecialchars($course_name) . ' (' . htmlspecialchars($course) . ')!</font>';
    }

    // Prints if the person registering has entered data incorrectly into the form
    if ($found == 0) {
        echo '<font color="#ff0000">The credentials you have entered are incorrect, please try again.</font>';
    } else {
        // Prints if the student has already enrolled in the course
        if ($findregistered == 1) {
            // Prepared statement: the submitted value is bound as a parameter, never interpolated into the SQL
            $stmt = mysqli_prepare($link, "SELECT * FROM courses WHERE course_code = ?") or die(mysqli_error($link));
            mysqli_stmt_bind_param($stmt, 's', $course);
            mysqli_stmt_execute($stmt);
            $option = mysqli_stmt_get_result($stmt);
            while ($row = mysqli_fetch_assoc($option)) {
                $course_name = $row['course_name'];
                echo '<font color="#ff0000">You have already enrolled in ' . htmlspecialchars($course_name) . ' (' . htmlspecialchars($course) . ')!</font>';
            }
        } else {
            // Prints if the course the student has selected is full
            if ($number_max == 1) {
                echo '<font color="#ff0000">Sorry ' . htmlspecialchars($course_name) . ' (' . htmlspecialchars($course) . ') is full, please select another course.</font>';
            }
        }
    }
}
?>
<p>
    <input name="name" placeholder="Student Name" type="text">
    <input name="number" placeholder="Student Number" type="text">
</p>
<p>
    <select name="course" size="1">
        <option value="">-- Select Course --</option>
<?php
$lf = "\n";
$ht = "\t\t";
$option = mysqli_query($link, "SELECT * FROM courses ORDER BY course_name") or die(mysqli_error($link));
while ($row = mysqli_fetch_assoc($option)) {
    /**
     * Dynamically creates the option values for the select box based on course info from the courses table.
     * Added Currently Enrolled to the course list so the end-user would have an idea of how many were currently enrolled in the course.
     * Values from the database are escaped on output so a course name cannot inject markup.
     **/
    $a = $ht . '<option value="' . htmlspecialchars($row['course_code']) . '">' . htmlspecialchars($row['course_name']) . ' (Enrolled: ' . (int) $row['enrollment'] . ')</option>' . $lf;
    echo $a;
}
mysqli_close($link);
?>
    </select>
</p>
<p>
    <input type="submit" value="Send"><input type="reset" value="Clear">
</p>
</form>

Edited December 6, 2014 by MatthewPatten
Barand Posted December 6, 2014

See http://forums.phpfreaks.com/topic/292890-invalid-selection/?do=findComment&comment=1498515
MatthewPatten Posted December 6, 2014 (Author)

I've been trying the methods that have been suggested, just cannot get it to work.
mac_gyver Posted December 7, 2014

Quoting MatthewPatten: "I've been trying the methods that have been suggested, just cannot get it to work."

We can only help you with code problems if you post the relevant code and whatever symptoms or errors you are getting that lead you to believe your code isn't working.

P.S. The code you posted, that's now post #8 in this thread, needs some serious reorganization. You have your form processing code intermixed with your form/html output. The form processing code should all be together and be near the start of your file, and it should not have any html markup in it. The code that retrieves data to be output on the page and the code that produces the html should be at the end of your file. The code that is database dependent should store its result in php variables that the code that produces the html output should use as input data. The code that produces the html output should not have any database specific statements in it.

By grouping the form processing code together, it will be easier for you and us to help you with the current task of adding validation logic to it, because you will only need to post just the form processing code.
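An added example (not the poster's code and not from any reply) that puts together what Psycho and CroNiX recommend, validating the submitted course against the same list that builds the select, with the file laid out the way mac_gyver describes: data access first, form processing with no HTML in it, then output that reads only PHP variables. It assumes a mysqli connection in $link opened elsewhere and the "courses" table from post #8 with course_code and course_name columns; the fixed_courses() list is a constructed sample showing the same shape for a hardcoded list, and the $enrolled flag stands in for the enrolment step, which the thread does not show.

```php
<?php
// Added example, not the poster's code. Assumes a mysqli connection in $link (opened
// elsewhere) and a "courses" table with course_code and course_name columns.
declare(strict_types=1);

// ---- data access: the one list that both builds the <select> and validates input ----

// course_code => course_name for every course in the database.
function load_courses(mysqli $link): array
{
    $courses = [];
    $result = $link->query('SELECT course_code, course_name FROM courses ORDER BY course_name');
    while ($row = $result->fetch_assoc()) {
        $courses[$row['course_code']] = $row['course_name'];
    }
    return $courses;
}

// Same shape for a fixed list, if the options are not in a database (constructed sample).
function fixed_courses(): array
{
    return ['1' => 'Algebra', '2' => 'Biology', '3' => 'Chemistry'];
}

// Returns the submitted code if it is one of the allowed keys, otherwise null.
// A value edited in dev tools, a saved copy of the form, or a proxy-altered request
// ("4", "A", an array, nothing at all) all end up here as null.
function valid_course($submitted, array $courses): ?string
{
    if (!is_string($submitted) || !array_key_exists($submitted, $courses)) {
        return null;
    }
    return $submitted;
}

// ---- form processing: no HTML in this section ----
$courses  = load_courses($link);   // or fixed_courses() for a hardcoded list
$errors   = [];
$enrolled = null;

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $course = valid_course($_POST['course'] ?? null, $courses);
    if ($course === null) {
        $errors[] = 'Please choose a course from the list.';
    }
    // name and number get their own checks here (format, length, lookup); omitted.
    if (!$errors) {
        // Enrol the student here using $course, which is now known to be a real course code.
        $enrolled = $course;
    }
}

// ---- output: reads only the PHP variables set above, no database calls ----
?>
<?php foreach ($errors as $error): ?>
<p style="color:#ff0000"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endforeach; ?>
<?php if ($enrolled !== null): ?>
<p style="color:#12df12">You have successfully enrolled in
   <?= htmlspecialchars($courses[$enrolled], ENT_QUOTES, 'UTF-8') ?> (<?= htmlspecialchars($enrolled, ENT_QUOTES, 'UTF-8') ?>)!</p>
<?php endif; ?>
<form action="index.php" method="POST">
    <p>
        <input name="name" placeholder="Student Name" type="text">
        <input name="number" placeholder="Student Number" type="text">
    </p>
    <p>
        <select name="course" size="1">
            <option value="">-- Select Course --</option>
<?php foreach ($courses as $code => $name): ?>
            <option value="<?= htmlspecialchars((string) $code, ENT_QUOTES, 'UTF-8') ?>"><?= htmlspecialchars($name, ENT_QUOTES, 'UTF-8') ?></option>
<?php endforeach; ?>
        </select>
    </p>
    <p><input type="submit" value="Send"><input type="reset" value="Clear"></p>
</form>
```

Two details worth noting: the placeholder option carries value="" so that submitting with nothing chosen is rejected by the same check instead of sending the label text, and adding or removing a course only touches the table (or the array), never the validation code, which is the property Psycho describes.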