I have done a bit of Googling but have yet to find an answer that helps me so basically right now I have a select field which has all the counties listed but if someone was to inspect element and change the value of one of the countries, they could write a random bit of data which would not do any damage in terms of SQL Injection but it would mess up the echoing of their country in a different page so how do I confirm none of the fields have been manipulated when the form has been submitted? Thanks
Thatās why you stop doing this.
And start doing this.
It will help fight against āSQL Injectionsā.
1 Like
You can have an array of acceptable values, compare against that, and reject anything that is not in_array. You also want to use htmlentities when outputting data.
If your DB is correctly normalized, your country values would be numbers, not names.
1 Like
My queries are no like that at all! Its all bindParam! There is no way for SQL injections but ppl can still inspect element, go to the select box, then option and edit the value to 50 and 50 might not be in the db so the data would not show up so how do I prevent editing this! There is no threat injection wise but someone could change the number to 8000 which is not in the db but 8000 would still be inserted into the country field etc.
So my question is how would I validate this?
Thanks
Ye they are numbers! 1-247 I think.
Here is my current code (btw iām using a custom built framework)
Model Code (This gets the countries):
public function getCountries()
{
$results = $this->db->select('msi_countries','status = 1 ORDER BY sorting ASC, name ASC');
return $results;
}
Controller code:
$getCountries = $this->setting->getCountries();
$data = [
'title' => LANG['createanaccount'],
'register' => $udata,
'getCountries' => $getCountries
];
View Code:
<select required name="country" class="custom-select">
<option value="">Select Country</option>
<?php foreach($data['getCountries'] as $message) : ?><option value="<?php echo $message['id']; ?>"><?php echo $message['name']; ?></option><?php endforeach; ?>
</select>
So then the getcountries is already put into an array but are you saying I do something like this?
if (in_array($countrypost, $data['getCountries']))
{
echo "Match found";
//proceed with db code
}
else
{
echo "Match not found";
}
You are on the right track. Since this is an error check you would do if not in array for whatever value that you are validating.
if (!in_array($value_to_validate, $valid_array_options))
{
$error[] = 'Your Error Message Here';
}
3 Likes
Ok. At least you are learning modern technology. You would just have to spare the value from what the user supplies to a value you define yourself. If the userās value is different from yours, they have most likely modified the elements. Since it failed, redirect them back and tell them to supply the correct fields.
Seems like benanamen beat me to it.
You can not prevent users altering whatever data you give them. You can not prevent users sending you crap data. The only way is to either not use data you do not expect, to store any value in place that only you have access to, or to validate it against a whitelist every time.
Iād do what @benanamen is suggesting but you might like to consider failing quietly. If someone is manipulating fields it might be better to let them think that it has been successful and mark it up in your database as something to check. That way they donāt know whether it worked or not.
Yes thatās what iām going to use the !in_array for to whitelist against!
Your right, thanks for the advice, iāll add a method that bans the user for a few weeks! etc.
Are you talking about html select tags.
If so, then the option tags have the name attribute and when a form is sent by POST the name attribute is sent with the value. So just use the name attribute and discard the value.
This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.