I was wondering… on all of my pages I have the jQuery library loaded. That means somebody could enter javascript:some_jquery_longhand() in the address bar of the browser and manipulate the page from the client side.
Obviously, inputs and textareas (among many others) need to be validated and sanitized. Should I also sanitize data that comes from <select> fields and expect some completely different input not in the <option> list? Or can <select> fields only submit the values contained within the hardcoded <option> list? Can they be manipulated from the client side?
You have to keep in mind that your server side script that processes “your form” actually just processes values POSTed to it. Anyone can initiate a POST request to that script with whatever data they want.
The easiest way to alter the <select> options is with something like Firebug in Firefox. The user can edit the markup live in the browser (in about 10 seconds) and change the values without having to write their own form.
I usually use in_array() to check that the submitted value is one of the allowed options.
Select menus are just as susceptible to security vulnerabilities as other form elements. It would be in your site's best interest to perform some type of validation check. You could go all out and just make sure that the item selected matches one available in the list. That is how I normally approach the situation. At the least you should be escaping the input if it's being placed in the database.
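Putting the in_array() check from the earlier reply and the escaping advice above together, here is an added PHP example that is not from any poster in this thread. The $allowedCountries list, the renderSelect() and validateSelect() names and the constructed requests are all assumptions; the point is that the same array renders the <select> and validates the POSTed value.

```php
<?php
// Added example (not from the thread). The option list is defined once and used both
// to render the <select> and to validate what was actually POSTed: keys are the
// submitted values, values are the labels shown to the user.
$allowedCountries = ['us' => 'United States', 'de' => 'Germany', 'jp' => 'Japan'];

// Render the <select>, escaping values and labels with htmlspecialchars() for HTML output.
function renderSelect(string $name, array $options): string
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
    foreach ($options as $value => $label) {
        $html .= '<option value="' . htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8') . '">'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html . '</select>';
}

// Validate server side. The browser's <option> list is not a constraint: the value may
// have been edited in the DOM or sent by a hand-made POST. Returns the value if it is one
// of the allowed keys, otherwise null.
function validateSelect(?string $submitted, array $options): ?string
{
    if ($submitted === null) {
        return null;                       // field missing from the request
    }
    // strict = true: no loose comparison, so "0", "" or "1e0" cannot match unexpectedly
    $allowed = array_map('strval', array_keys($options));
    return in_array($submitted, $allowed, true) ? $submitted : null;
}

// Constructed requests standing in for $_POST
$requests = [
    ['country' => 'de'],   // legitimate choice
    ['country' => 'zz'],   // value that never appeared in the <option> list
    ['country' => 'DE'],   // case differs from the allowed key: also rejected
    [],                    // field omitted entirely
];

foreach ($requests as $post) {
    $country = validateSelect($post['country'] ?? null, $allowedCountries);
    if ($country === null) {
        echo "rejected\n";  // re-display the form / return 400; do not use the value
    } else {
        // Safe to bind in a prepared statement, e.g. $stmt->execute([$country]);
        echo "accepted: {$country}\n";
    }
}
```

Only the first constructed request is accepted; a value that passes this check is still bound as a parameter rather than concatenated into SQL, which covers the escaping point from the last reply as well.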