Prevent data manipulation in select field!

security
general-dev

#1

I have done a bit of Googling but have yet to find an answer that helps me. Basically, right now I have a select field which has all the countries listed, but if someone was to inspect element and change the value of one of the countries, they could write a random bit of data. It would not do any damage in terms of SQL injection, but it would mess up the echoing of their country on a different page. So how do I confirm none of the fields have been manipulated when the form has been submitted? Thanks


#2

That’s why you stop doing this.


And start doing this.


It will help fight against “SQL Injections”.


#3

You can have an array of acceptable values, compare against that, and reject anything that is not in_array. You also want to use htmlentities when outputting data.

If your DB is correctly normalized, your country values would be numbers, not names.


#4

My queries are not like that at all! It's all bindParam! There is no way for SQL injections, but people can still inspect element, go to the select box, then the option, and edit the value to 50, and 50 might not be in the DB, so the data would not show up. So how do I prevent editing this? There is no threat injection-wise, but someone could change the number to 8000, which is not in the DB, but 8000 would still be inserted into the country field etc.

So my question is how would I validate this?

Thanks


#5

Yeah, they are numbers! 1-247 I think.

Here is my current code (by the way, I'm using a custom built framework).
Model Code (This gets the countries):

    // Fetch the active countries, ordered as they should appear in the <select>.
    public function getCountries()
    {
        $results = $this->db->select('msi_countries', 'status = 1 ORDER BY sorting ASC, name ASC');
        return $results;
    }

Controller code:

    $getCountries = $this->setting->getCountries();
    $data = [
        'title'        => LANG['createanaccount'],
        'register'     => $udata,
        'getCountries' => $getCountries
    ];

View Code:

    <select required name="country" class="custom-select">
        <option value="">Select Country</option>
        <?php foreach ($data['getCountries'] as $message) : ?>
            <!-- escape both id and name on output so a stored value cannot break the markup -->
            <option value="<?php echo htmlspecialchars($message['id'], ENT_QUOTES, 'UTF-8'); ?>"><?php echo htmlspecialchars($message['name'], ENT_QUOTES, 'UTF-8'); ?></option>
        <?php endforeach; ?>
    </select>

So then getCountries is already put into an array, but are you saying I do something like this?

    // Build the whitelist of ids from the same rows used to render the <option>s;
    // comparing $countrypost against the rows themselves would never match.
    $validIds = array_map('intval', array_column($data['getCountries'], 'id'));
    if (in_array((int) $countrypost, $validIds, true))
    {
        echo "Match found";
        // proceed with db code
    }
    else
    {
        echo "Match not found";
    }

#6

You are on the right track. Since this is an error check you would do if not in array for whatever value that you are validating.

    // Collect an error when the submitted value is not one of the allowed options.
    if (!in_array($value_to_validate, $valid_array_options))
    {
        $error[] = 'Your Error Message Here';
    }
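As an added example (not code from the thread or from the OP's framework), here is a self-contained version of the whitelist check discussed in #3, #5 and #6: build the allowed ids from the same rows used to render the `<option>`s, accept only a digit string that matches one of them, and escape the name when echoing it back. The function names, the sample rows and the use of `$_POST['country']` are my own assumptions.

```php
<?php
// Added example, not the thread's code. Names and sample data are assumptions.

/** Rows shaped like getCountries() would return them (constructed sample data). */
function sampleCountries(): array
{
    return [
        ['id' => '1', 'name' => 'Afghanistan', 'status' => '1'],
        ['id' => '2', 'name' => 'Albania',     'status' => '1'],
        ['id' => '3', 'name' => 'Algeria',     'status' => '1'],
    ];
}

/**
 * Return the validated country id, or null when the submitted value is not
 * exactly one of the ids we rendered. A tampered value such as "8000",
 * "1abc", " 5" or "" is rejected instead of being inserted.
 */
function validateCountryId($submitted, array $countries): ?int
{
    // Whitelist built from the same rows that produced the <option> list.
    $allowed = array_map('intval', array_column($countries, 'id'));

    // Only a plain string of digits is acceptable; ctype_digit refuses
    // "8000.0", "1e3", leading spaces and the empty string up front.
    if (!is_string($submitted) || !ctype_digit($submitted)) {
        return null;
    }
    $id = (int) $submitted;

    // Strict comparison avoids PHP's loose "0" == "abc" style surprises.
    return in_array($id, $allowed, true) ? $id : null;
}

/** Look up the display name for a validated id and HTML-escape it. */
function countryNameHtml(int $id, array $countries): string
{
    foreach ($countries as $c) {
        if ((int) $c['id'] === $id) {
            return htmlspecialchars($c['name'], ENT_QUOTES, 'UTF-8');
        }
    }
    return '';
}

// Typical controller use: the value comes from the submitted form.
$countries = sampleCountries();
$countryId = validateCountryId($_POST['country'] ?? '', $countries);
if ($countryId === null) {
    $errors[] = 'Please choose a country from the list.';   // do not insert
} else {
    echo countryNameHtml($countryId, $countries);          // safe to bind and echo
}
```

With the sample rows, `validateCountryId('2', ...)` returns `2` while `'8000'`, `'2abc'` and `''` all return `null`.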

#7

Ok. At least you are learning modern technology. You would just have to compare the value from what the user supplies to a value you define yourself. If the user's value is different from yours, they have most likely modified the elements. Since it failed, redirect them back and tell them to supply the correct fields.

Seems like benanamen beat me to it.


#8

You cannot prevent users altering whatever data you give them. You cannot prevent users sending you crap data. The only way is to either not use data you do not expect, to store any value in a place that only you have access to, or to validate it against a whitelist every time.


#9

I’d do what @benanamen is suggesting but you might like to consider failing quietly. If someone is manipulating fields it might be better to let them think that it has been successful and mark it up in your database as something to check. That way they don’t know whether it worked or not.


#10

Yes, that's what I'm going to use the !in_array for, to whitelist against!


#11

You're right, thanks for the advice. I'll add a method that bans the user for a few weeks, etc.


#12

Are you talking about HTML select tags?
If so, then the option tags have the name attribute, and when a form is sent by POST the name attribute is sent with the value. So just use the name attribute and discard the value.