Protecting against user input from drop-down lists?

Should we protect ourselves from unexpected input coming from drop-down lists? Can we expect a user to somehow modify a drop-down list so that it contains values that were not originally included?

How can they do this, and how can we stop them?

+4
6 answers

Absolutely check this.

Do something like this pseudocode on the receiving side:

    if (posted_value is_element_of $array_of_your_choices) {
        // processing code
    } else {
        // prompt them for good input
    }

So, for example: your drop-down list is the primary colors they would like their home painted in. You would have (in PHP):

    $colors = array('red', 'blue', 'yellow');          // the exact options the form offered
    $color  = isset($_POST['color']) ? $_POST['color'] : '';
    if (in_array($color, $colors, true)) {            // strict comparison: no type juggling
        // process this order: dispatch the painters
    } else {
        echo "sorry, that is not a real color";
    }

Edit: It is certainly possible. If your values are passed through a GET request, the user can simply enter www.example.com/?price=0 to get a free home. If it is a POST request, this may seem a little more complicated, but it really is not:

 curl_setopt($ch, CURLOPT_POSTFIELDS,"price=0"); 

People can simply use cURL to control the POST request directly, not to mention the many other clients that can do the same.

+12

The user can simply hand-write an HTTP request populated with malicious data. For example, for GET requests, you might have a "State" drop-down list that lists Alabama, Arkansas, etc. They can just put http://example.com?state=evilstuff straight into the browser's URL bar.

This is easy to prevent, since you already know exactly what is in the drop-down list. Just checking whether the submitted value is in that list should be enough to prevent attacks like this. If they submit something other than a valid state name, print an error.

+3
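The check described in the colour/price answer and the state answer above, written out as an added example (not code from any of the answers). It goes slightly beyond them in two ways a practitioner will want: it rejects repeated or array-style fields (`color=red&color=blue`, `color[]=red`) that a real form never sends, and it shows the companion rule for the `price=0` case, namely that the client submits an item identifier and the server looks the price up in its own table. The field names, option lists, prices and request bodies are all constructed for the example.

```python
"""Added example: server-side allow-list validation of drop-down values,
plus 'look the price up, never trust it'. All request bodies are constructed."""
from __future__ import annotations

from urllib.parse import parse_qs

# The exact option values the server rendered into each <select> (illustrative lists).
COLORS = frozenset({"red", "blue", "yellow"})
STATES = frozenset({"Alabama", "Arkansas"})

# Server-side price table, keyed by the item id the form submits.
# The form never carries a price at all, so there is nothing to tamper with.
PRICES_CENTS = {"house-paint-job": 250_000, "ticket-adult": 4_500}


def form_field(body: str, name: str) -> str | None:
    """Return the single value for `name` from an x-www-form-urlencoded body.

    A drop-down sends exactly one value, so a missing field, a repeated field
    (color=red&color=blue) or an array-style key (color[]=red, which parse_qs
    keeps under the literal key 'color[]') is treated as absent.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(name)
    if values is None or len(values) != 1:
        return None
    return values[0]


def validate_choice(body: str, name: str, allowed: frozenset[str]) -> str | None:
    """Return the submitted value only if it is exactly one of the rendered options."""
    value = form_field(body, name)
    if value is None:
        return None
    # Exact, case-sensitive membership test: no trimming, no prefix or substring match.
    return value if value in allowed else None


def quote_price(body: str) -> int | None:
    """Price an order from the server-side table only; any posted 'price' is ignored."""
    item = form_field(body, "item")
    if item is None or item not in PRICES_CENTS:
        return None
    return PRICES_CENTS[item]


if __name__ == "__main__":
    # What the browser form sends, followed by bodies a client like cURL could send instead.
    samples = [
        ("color=red", "color", COLORS),
        ("color=evilstuff", "color", COLORS),
        ("color=red&color=blue", "color", COLORS),
        ("color%5B%5D=red", "color", COLORS),
        ("state=Alabama", "state", STATES),
        ("state=evilstuff", "state", STATES),
    ]
    for body, name, allowed in samples:
        print(f"{body!r:28} -> {validate_choice(body, name, allowed)!r}")
    print(quote_price("item=house-paint-job&price=0"))  # the posted price=0 changes nothing
    print(quote_price("item=free-house"))               # unknown item: rejected
```

Returning `None` rather than raising keeps the caller's decision explicit: the request handler re-prompts (or, as one answer below argues, simply refuses, since no regular user can hit this path by accident).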

This can only be done by modifying the HTTP response. So:

  • yes, it can be done, and you need to protect yourself from it (i.e. check whether this could be a security risk and, if so, validate the input), but
  • no, you do not need to display a "nice" error message, as this cannot happen to a regular user "by accident".

+2

When I'm bored, I edit drop-down lists on websites just for fun. Usually this just breaks the site, but at least once I was able to get free or dramatically reduced ticket prices just by playing with the site's hidden fields. (Alas, this was for the company I worked for, so I had to report the bug.)

+1

Yes, an attacker can send data to your server without using your form, and can send data that is not normally included in the drop-down list. This is a trivial form of attack that is often used in the real world.

Always check the input!

0

The other answers are absolutely correct: you MUST check, on the server side, any data coming from the user.

At work, we use tools such as the Firefox plugin Tamper Data to view and manipulate the data sent to the server after the client-side (JavaScript) validation has run. You can even use simple tools like Firebug to edit the drop-down lists so they contain values the server never put there, before submitting the form.

0