On Wed, Aug 25, 2010 at 01:05:12PM -0400, David Mehler wrote:

> Hello,
> Thanks to all who answered my quotes question. I've got another one.
> I've got several combo boxes that are sticky, below is an example of
> one and the function. Now i'd like to tighten it up by ensuring that
> an external user can't inject values other than value1 or value2 in to
> the script. This sounds like an array.
> <select name="box1" id="box1">
> <option value="value1" <?php set_selected('box1', 'value1'); 
> ?>>Value1</option>
> <option value="value2" <?php set_selected('box2', 'value2'); 
> ?>>Value2</option>
> </select>
> function set_selected($fieldname, $value)
> {
>        if ($_POST[$fieldname] == $value)
>                echo 'selected="selected"';
> }
> Thanks.
> Dave.

What you've done is fine, but don't believe a user can't inject values
here, regardless of what you've done. All they have to do is call the
URL that's in the "action" attribute of your form tag, and give it any
values they like.

If you simply want to control a normal user's choices, the above will do
it fine. If you want to prevent hacking, you'll have to sanitize the
values once they're received from the form.


Paul M. Foster

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to