Stop user from changing the option "value" in a dropdown list
This question is probably going to sound trivial but here it is...
I have a submission form with a dropdown menu, like the one below:
<li><label for="stateprovince">State/Province:</label>
<select name="stateprovince" id="stateprovince">
<option selected="selected" value=""></option>
<option value="northland">Northland</option>
<option value="auckland">Auckland</option>
<option value="waikato">Waikato</option>
<option value="bayofplenty">Bay of Plenty</option>
<option value="eastcoast">East Coast</option>
<option value="hawkesbay">Hawkes Bay</option>
<option value="taranaki">Taranaki</option>
<option value="kingcountry">King Country</option>
<option value="wanganui">Wanganui</option>
<option value="manawatu">Manawatu</option>
<option value="wairarapa">Wairarapa</option>
<option value="wellington">Wellington</option>
<option value="nelsonbays">Nelson Bays</option>
<option value="marlborough">Marlborough</option>
<option value="buller">Buller</option>
<option value="westland">Westland</option>
<option value="northcanterbury">North Canterbury</option>
<option value="canterbury">Canterbury</option>
<option value="midcanterbury">Mid Canterbury</option>
<option value="southcanterbury">South Canterbury</option>
<option value="northotago">North Otago</option>
<option value="otago">Otago</option>
<option value="southland">Southland</option>
<option value="chathamisl">Chatham Islands</option>
</select><br></li>
This was for part of an assignment/project I submitted last week and I only just found out about this particular bug I'm about to describe now...
I have the user select an option from the drop down menu like above, and once they select an item and submit the form, the selected value gets inserted into a database. The trouble is that the user can modify the value of the "value" field in the tag in the dropdown menu. This "bad" value is inserted into the database and this is not what I want. For example, the user can change the value "otago" to something like "foobar" by inspecting the element and editing the source (or so the user told me).
Would putting the values in a PHP array, checking the selected "value" against the values in the array, and triggering an error message if there is a mismatch be a good way of trying to solve the problem? This is the first time I have had someone spot this for me and, in terms of getting the correct data to be inserted into the database, I would like to get this fixed.
Thanks in advance!
What you are looking at is called validation, or form-validation or user-input validation, etc. It is absolutely essential for security. Even very big websites/institutions have had serious problems by not doing this correctly. They continue to have these problems, though they should all know better.
Your idea of checking the values against a list of known possible values is a good one. In choosing between testing for a "good" answer ("whitelisting") vs. screening for bad values ("blacklisting"), it is more reliable to look for the good values. It is difficult to think of all the possible bad values which may be submitted.
If the list of possible good answers is finite and small, checking an array is a good solution since it uses exact values. It gets trickier when the possible value is not a small finite set, as when asking the user to enter their name. In these cases you often want to use regular expressions or some other form of pattern matching to test for an answer which conforms to a possible good answer (i.e. only letters and spaces) and also use a "parameterized query" when inserting the values into the database so that they will be properly escaped. Here's a fun link I found with a quick Google search: http://www.codinghorror.com/blog/2005/04/give-me-parameterized-sql-or-give-me-death.html
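The whitelist check the asker proposes and the parameterized insert the answer recommends, as one added example in PHP (this is not code from the question or the answer). The same array both renders the `<select>` and validates the submitted value, so the form and the validator cannot drift apart; the check is strict so that a non-string submission such as `stateprovince[]=foo` is rejected rather than matched by loose comparison. The table name `submissions`, the column `stateprovince`, and the PDO DSN/credentials are assumptions for illustration.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Table/column names and the DSN below are assumptions.

declare(strict_types=1);

// Single source of truth: value => label. Generating the <option> tags from
// this array guarantees the form and the validator always agree.
const STATE_PROVINCES = [
    'northland'       => 'Northland',
    'auckland'        => 'Auckland',
    'waikato'         => 'Waikato',
    'bayofplenty'     => 'Bay of Plenty',
    'eastcoast'       => 'East Coast',
    'hawkesbay'       => 'Hawkes Bay',
    'taranaki'        => 'Taranaki',
    'kingcountry'     => 'King Country',
    'wanganui'        => 'Wanganui',
    'manawatu'        => 'Manawatu',
    'wairarapa'       => 'Wairarapa',
    'wellington'      => 'Wellington',
    'nelsonbays'      => 'Nelson Bays',
    'marlborough'     => 'Marlborough',
    'buller'          => 'Buller',
    'westland'        => 'Westland',
    'northcanterbury' => 'North Canterbury',
    'canterbury'      => 'Canterbury',
    'midcanterbury'   => 'Mid Canterbury',
    'southcanterbury' => 'South Canterbury',
    'northotago'      => 'North Otago',
    'otago'           => 'Otago',
    'southland'       => 'Southland',
    'chathamisl'      => 'Chatham Islands',
];

// Render the dropdown from the whitelist (escaped, so the list itself can
// never inject markup even if it is later loaded from a database).
function render_state_select(array $options, string $selected = ''): string
{
    $html  = '<select name="stateprovince" id="stateprovince">' . "\n";
    $html .= '<option value=""' . ($selected === '' ? ' selected="selected"' : '') . "></option>\n";
    foreach ($options as $value => $label) {
        $sel   = ($value === $selected) ? ' selected="selected"' : '';
        $html .= sprintf(
            "<option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'),
            $sel,
            htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . "</select>\n";
}

// Whitelist check. Returns the canonical value, or null when the submission
// is missing, empty, not a string (e.g. stateprovince[]=foo), or not listed.
function validate_state_province($raw, array $options): ?string
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    return array_key_exists($raw, $options) ? $raw : null;
}

// Form handler: reject anything that is not exactly one of our values.
$state = validate_state_province($_POST['stateprovince'] ?? null, STATE_PROVINCES);
if ($state === null) {
    http_response_code(400);
    exit('Please choose a State/Province from the list.');
}

// Parameterized insert: the value travels separately from the SQL text, so
// it can never alter the query's structure (defence in depth behind the
// whitelist). Native prepares are forced on so the driver does the binding.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare('INSERT INTO submissions (stateprovince) VALUES (:sp)');
$stmt->execute([':sp' => $state]);
```

Two details worth keeping: `array_key_exists` (or `in_array` with its third argument `true`) performs a strict match, whereas a loose `in_array` would, for example, treat `0` as equal to a non-numeric string on older PHP versions; and the 400 response stops the script before any database call, so a tampered form never reaches the insert at all.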