jaymc Posted May 20, 2007

I have a profile system which allows members to input info and save it to the database for their profile. A few fields are SELECTs: From, Sexuality, Favourite Music. So for instance From (England, Scotland, Wales, Ireland). That works fine, but what happens if someone makes an HTML document and injects code

<OPTION>HACK HAHA</OPTION>

then posts it to my PHP, which executes and writes to the database? In essence they can bypass the select I have and input whatever data they want. What's the best way around that? I was going to use a SET in the database structure but one of the selects has about 90 options. Ideas guys?
john010117 Posted May 20, 2007

Use htmlentities() when filtering the user input.
jaymc Posted May 20, 2007 (Author)

I'm not bothered about them entering HTML etc., I just don't want them to be able to add their own content. I want them to only be able to select the content I have decided on via the drop down list, whereas some people are creating forms locally and posting them to my PHP for execution.
trq Posted May 20, 2007

Simply check the posted vars against an array of valid options. eg;

<?php
// Allow-list of the values the <select> is permitted to submit.
$valid = array('foo', 'bar', 'bob');
// in_array() takes the needle first, then the haystack; the third argument
// requests strict (===) comparison.
if (!in_array($_POST['options'], $valid, true)) {
    echo "option not valid";
}
?>
jaymc Posted May 20, 2007 (Author)

Yeah, I suppose that's the best way in PHP. Unless there is a way to stop executing my PHP if they are not posting from my URL? I'm sure there is a way?
chigley Posted May 20, 2007

You can check the referer but it's not reliable, as people can still post from your URL and set an option that isn't supposed to be there with JavaScript injections.
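Putting trq's allow-list check and chigley's point together: the only reliable control is server-side validation of every select field against the same list the form was rendered from, regardless of referer. The following is an added example written for this thread, not code posted by any of the participants. The field names (from, sexuality, music), the option lists, the profiles table and the $pdo connection are all assumed for illustration.

```php
<?php
// Added example (not from the thread): server-side allow-list validation of
// <select> values. Field names, option lists and table layout are assumed.
declare(strict_types=1);

// One allow-list per select field; the keys mirror the form's field names.
// These lists are the single source of truth: the HTML <select> is rendered
// from them, so the form and the validator can never drift apart.
const ALLOWED_OPTIONS = [
    'from'      => ['England', 'Scotland', 'Wales', 'Ireland'],
    'sexuality' => ['Straight', 'Gay', 'Bisexual', 'Prefer not to say'],
    // A long list (the thread mentions ~90 options) works exactly the same way.
    'music'     => ['Rock', 'Pop', 'Hip hop', 'Jazz', 'Classical', 'Metal'],
];

/**
 * Returns [validatedValues, errors]. Only values that exactly match an entry
 * in the allow-list are accepted; anything else (a forged <OPTION>, an array
 * instead of a string, a missing field) is rejected with a per-field error.
 */
function validateSelects(array $post): array
{
    $clean  = [];
    $errors = [];
    foreach (ALLOWED_OPTIONS as $field => $allowed) {
        $value = $post[$field] ?? null;
        // PHP turns "field[]=x" into an array; reject non-strings up front so
        // in_array() only ever compares string against string.
        if (!is_string($value)) {
            $errors[$field] = 'missing or malformed';
            continue;
        }
        // Needle first, then haystack; strict (===) comparison so "0" never
        // silently matches an integer option.
        if (!in_array($value, $allowed, true)) {
            $errors[$field] = 'option not valid';
            continue;
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Renders the <select> from the same allow-list the validator uses. */
function renderSelect(string $field, ?string $selected = null): string
{
    $html = '<select name="' . htmlspecialchars($field, ENT_QUOTES, 'UTF-8') . '">';
    foreach (ALLOWED_OPTIONS[$field] as $option) {
        $escaped = htmlspecialchars($option, ENT_QUOTES, 'UTF-8');
        $sel     = ($option === $selected) ? ' selected' : '';
        $html   .= "<option value=\"$escaped\"$sel>$escaped</option>";
    }
    return $html . '</select>';
}

/**
 * Writes already-validated values with a prepared statement, so the option
 * text is bound as data and never interpolated into SQL. $pdo is assumed to
 * be an existing PDO connection; "from_country" avoids the reserved word FROM.
 */
function saveProfile(PDO $pdo, int $userId, array $clean): void
{
    $stmt = $pdo->prepare(
        'UPDATE profiles SET from_country = :from, sexuality = :sexuality, music = :music
         WHERE user_id = :id'
    );
    $stmt->execute([
        ':from'      => $clean['from'],
        ':sexuality' => $clean['sexuality'],
        ':music'     => $clean['music'],
        ':id'        => $userId,
    ]);
}

// Constructed sample submissions: one legitimate, one forged (a made-up
// option plus an array smuggled into a scalar field).
$good = ['from' => 'Wales', 'sexuality' => 'Straight', 'music' => 'Jazz'];
$bad  = ['from' => 'HACK HAHA', 'sexuality' => ['x'], 'music' => 'Jazz'];

[$clean, $errors] = validateSelects($good);
assert($errors === [] && $clean === $good);

[$clean, $errors] = validateSelects($bad);
assert($errors === ['from' => 'option not valid', 'sexuality' => 'missing or malformed']);
assert($clean === ['music' => 'Jazz']);

// In the real handler: only call saveProfile($pdo, $userId, $clean) when
// $errors is empty; otherwise re-render the form with the errors shown.
```

Because the validator and the rendered form share ALLOWED_OPTIONS, adding the 90th option means editing one array, and a locally crafted form that posts a value outside that array is rejected no matter what referer it sends. The SET column type the question considered would enforce the same thing in the database, but the PHP-side check gives a readable error instead of a failed write and does not cap the option count.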
jaymc Posted May 20, 2007 (Author)

Cheers guys!