
Performing a mysql_real_escape_string on checkboxes, radio buttons or drop-down menus?

Is there any way someone can do a sql injection for checkboxes, radio buttons or drop-down menus (ex. country, year of birth)?

Also, hypothetically, if someone enters their cat's name into a text field, would it be enough to run the following line of code before I insert them into the mysql table?

$catsName = preg_replace('/[^a-z]/i', '', $_POST['yourCat']);

Or would I have to do this in addition?

$catsName = mysql_real_escape_string($_POST['yourCat']);


The radio buttons, check boxes etc. have a value option in the HTML code, which can be easily changed with Firebug (there are many other similar tools). So, it's better if you sanitize all the input that the user gives.

And as for the second question, mysql_real_escape_string is enough. You don't need to do the preg_replace.


Ad 1) SQL-injection can be tried everywhere. A form is transmitted as a list of name/value pairs, no matter if it is a checkbox, a dropdown or whatever. So also for your dropdown "country" I can send you arbitrary values.

Ad 2) Always use your DBMS driver's functions for escaping and parameter binding.


Always assume the client is an evil genius, and smarter than you.

To avoid SQL injection, always escape client-side data with mysql_real_escape_string, or better yet, use a database wrapper which does it for you.

Your first regex is still useful though, but not for SQL injection. What you might be preventing there is HTML injection - if you ever displayed the input verbatim on a web page, you can prevent anything nefarious like some rogue javascript.


The ability to do SQL injection does not depend on the type of the input; it depends on how you use the received value. Any HTML input control, and the resulting form submission, can be hand-edited to contain anything. Therefore any input must be sanitized and reduced to contain only the information you need.

So, if you use a checkbox as follows...

// Only the application's own constant (1 or 0) ever reaches the query
if ($_POST['checkbox'] == 'on') { $val = 1; } else { $val = 0; }
mysql_query("UPDATE table SET checkbox=$val");

you're safe. On the other hand, if you decide to store the value received from the user directly and compare it...

// The raw client value is spliced straight into the SQL string
mysql_query("UPDATE table SET checkbox={$_POST['checkbox']}");
...
if ($row['checkbox'] == 'on') { /* enable something */ }

then "all your data will belong to hackers" :)

As for the second question, preg may be enough in this particular case, but if you change a regex, or modify it incorrectly, it could become insufficient. It is a good practice to always escape data given to the database to make sure such errors do not make your code vulnerable to SQL injection.
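The approach from this answer (reduce each field to what the application needs, then let the driver bind the values), written out as an added example that is not part of the original answers; the table and column names, the PDO DSN and the field names are assumptions.

```php
<?php
// Added example: every submitted field, including checkbox and <select> values,
// is treated as untrusted and is never interpolated into SQL.

// Allowed values for the "country" dropdown: the same list you rendered in the HTML.
const COUNTRIES = ['DE', 'FR', 'US'];

// Reduce the submitted form to exactly the information the application needs.
function normalizeForm(array $post): array
{
    // Checkbox: only the presence of the expected value matters; store 0/1.
    $newsletter = (($post['newsletter'] ?? '') === 'on') ? 1 : 0;

    // Dropdown: a value the page never offered is rejected, not trusted.
    $country = $post['country'] ?? '';
    if (!in_array($country, COUNTRIES, true)) {
        throw new InvalidArgumentException('country: value not offered by the form');
    }

    // Free text: restrict to the character class the field is meant to hold.
    $catsName = preg_replace('/[^a-z]/i', '', $post['yourCat'] ?? '');

    return ['newsletter' => $newsletter, 'country' => $country, 'cat' => $catsName];
}

// Insert with a prepared statement: values are bound by the driver, never
// spliced into the SQL string, so manual escaping is not needed.
function saveProfile(PDO $db, array $row): void
{
    $stmt = $db->prepare(
        'INSERT INTO profiles (newsletter, country, cat_name) VALUES (:newsletter, :country, :cat)'
    );
    $stmt->bindValue(':newsletter', $row['newsletter'], PDO::PARAM_INT);
    $stmt->bindValue(':country', $row['country'], PDO::PARAM_STR);
    $stmt->bindValue(':cat', $row['cat'], PDO::PARAM_STR);
    $stmt->execute();
}

// Constructed sample: a hand-edited submission whose dropdown value was never
// an option on the page. It is rejected before any SQL is built.
$tampered = ['newsletter' => 'on', 'country' => 'Narnia', 'yourCat' => "Tom's"];
try {
    $row = normalizeForm($tampered);
    $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'password'); // assumed DSN
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    saveProfile($db, $row);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

With a whitelisted country such as 'DE' the same submission is stored with cat_name 'Toms', since the regex strips the apostrophe before the value is bound.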

