is there any chance of sql injection through selectbox( dynamically created or static)

i want to know that is there any chance of SQL injection via selectbox options? if yes then will u please show some demonstration(or refer any link). and also tell me how do we prevent sql injection in selectbox.(using PHP MYSQL)

one more: i开发者_StackOverflow中文版f i create a selectbox dynamically( based on options of another select box) then is there any chance of SQLinjection?

Thanking you.

Yes. The attacker can just make up her own HTML form and post it to your URL. There are even a plugin to Firefox (Web Developer Toolbar) which can change the select field to a textbox on any page.

You can never trust data sent by the browser ($_GET, $_POST, $_COOKIE, $_REQUEST). Always sanitize your input.

Yes, there is still a chance of SQL injection with a select box. Upon postback, the client can actually put anything they like in the field for the select box, it doesn't have to be one of the values in the list.

You should always be validating your input, no matter where it comes from. Now, apart from the "standard" defences against SQL injection (e.g. parameterised queries, etc), with a select box you can add an extra check that the value posted back was actually one of the values that we in the list in the first place (this is assuming that you don't have javascript on the client that modifies the list of possible values, of course).

The injection is not done through the form, but through the PHP that handles the form. A person can send any arbitrary data as a name/value pair to your code and you would have no way of knowing whether it came from a select box, an input field, or was just made up on the spot. Always validate any data that comes from a form. Always assume that it is compromised.

A select box does help in that you know what values should be sent. If a value sent is not in that small set, then you know that something funny is going on and you can discard all of the input safely and give an error. It is good to verify everything that comes in to your code and out of it. Otherwise, you are setting yourself up for trouble, perhaps even by something that you did by accident.