jaymc Posted May 20, 2007 Share Posted May 20, 2007 I have a profile system which allows members to input info and save it to the database for there profile A few fields are SELECTS From Sexuality Favourite Music So for instance From (England, Scotland, Wales, Ireland) THat works fine, but what happens if someone makes a html document and injects code <OPTION>HACK HAHA</OPTION> Then posts it to my php that excutes and writes to the database In essance they can bypass the select I have and input what ever data they want Whats the best way around that, I was going to use a SET in the database structure but one of the selects has about 90 options Ideas guys? Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/ Share on other sites More sharing options...
john010117 Posted May 20, 2007 Share Posted May 20, 2007 Use htmlentities() when filtering the user input. Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257304 Share on other sites More sharing options...
jaymc Posted May 20, 2007 Author Share Posted May 20, 2007 Im not bothered about them entering HTML etc, I just dont want them to be able to add there own content I want them to only be able to select the cotent I have decided on via the drop down list where as some people are creating forms locally and posting them to my php for execution Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257601 Share on other sites More sharing options...
trq Posted May 20, 2007 Share Posted May 20, 2007 Simply check the posted vars against an array of valid options. eg; <?php $valid = array('foo','bar','bob'); if (!in_array($valid,$_POST['options'])) { echo "option not valid"; } ?> Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257605 Share on other sites More sharing options...
jaymc Posted May 20, 2007 Author Share Posted May 20, 2007 Yeh I suppose thats the best way in PHP Unless there is a way to stop executing my PHP if they are not posting from my URL Im sure there is a way? Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257613 Share on other sites More sharing options...
chigley Posted May 20, 2007 Share Posted May 20, 2007 You can check the referer but it's not reliable, as people can still post from your URL and set an option that isn't supposed to be there with Javascript injections. Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257634 Share on other sites More sharing options...
jaymc Posted May 20, 2007 Author Share Posted May 20, 2007 Cheers guys! Quote Link to comment https://forums.phpfreaks.com/topic/52170-solved-bypassing-selects/#findComment-257653 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.