
I recently asked a question regarding a form that contains only radio buttons. An experienced user answered and also told me that I am wide open to SQL injections. Could someone please explain how? There is no text user input.

MFA
  • Please show what you have tried? – NullPoiиteя Feb 15 '13 at 11:33
  • *any* input that ends up in the Superglobals needs to be sanitized. Any. Radio buttons are no exception. Their values get sent to your script and they can easily be tampered with. – Gordon Feb 15 '13 at 11:34
  • The rule of thumb is NEVER trust ANY data that arrives to your server. ALWAYS assume that the data is harmful, until you prove otherwise. NEVER assume that the values which arrive are the values you expect. – GarethL Feb 15 '13 at 11:45

4 Answers


A user can easily edit the HTML or otherwise alter what is being submitted. Just because they are radio buttons does not mean they cannot alter the values; they could set them to be anything at all, including values that could cause injection.

Common browser tools enable users to modify HTTP requests, so someone could easily change your radio button value to anything at all.

Andrew Barber

Any user can edit those fields using a DOM explorer such as Firebug in Firefox or the one included in Chrome (the Inspect Element option).

There is no user input, but users can still edit the DOM structure and content.

But not only by editing them. If your site is not secure against Cross-Site Scripting Attacks (XSS), anyone can create a form on his own computer or host with his own inputs and send it to your site by POST.

You can read more about security and PHP in this site.

The best way to avoid SQL injection, apart from filtering inputs, is using secure calls to the DB using PDO or prepared statements.

For example:

<?php
// Connection details are an assumption for the example; adjust the DSN and credentials to your setup.
$dbh = new PDO('mysql:host=localhost;dbname=test', 'user', 'password');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
// bindParam binds by reference, so the values assigned below are what gets sent at execute()
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);

// insert one row
$name = 'one';
$value = 1;
$stmt->execute();
Alvaro
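The two answers above make the same point from both sides: a radio value arrives in `$_POST` as an ordinary string (Andrew Barber), and the fix is to treat it as data via a prepared statement (Alvaro). The script below is an added example, not code from the original answers. It runs the handler for a one-field radio form against an in-memory SQLite database so it works offline; the `products` table, its rows, the `color` field name and the tampered value are all constructed for the example.

```php
<?php
// Added example (not from the original answers). Simulates the handler for a
// form whose only field is the radio group "color", using an in-memory SQLite
// database so it runs offline. Table, rows and the tampered value are constructed.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, color TEXT)');
$dbh->exec("INSERT INTO products (name, color) VALUES ('Shirt', 'red'), ('Hat', 'blue'), ('Scarf', 'green')");

// The radio buttons the HTML offers. A stock browser only ever sends one of these.
const ALLOWED_COLORS = ['red', 'blue', 'green'];

// What a tampered submission looks like after PHP has parsed the request body:
// the attacker changed value="red" to the string below before posting.
$tampered = ['color' => "red' OR '1'='1"];

// 1. Vulnerable: the radio value is concatenated into SQL as if it were trusted.
function findByColorVulnerable(PDO $dbh, array $post): array
{
    $sql = "SELECT name FROM products WHERE color = '" . $post['color'] . "'";
    echo "Query actually executed: $sql\n";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Hardened: whitelist against the options the form offers, then bind the value.
function findByColorSafe(PDO $dbh, array $post): array
{
    $color = $post['color'] ?? '';
    if (!in_array($color, ALLOWED_COLORS, true)) {
        throw new InvalidArgumentException('Unexpected radio value: ' . $color);
    }
    $stmt = $dbh->prepare('SELECT name FROM products WHERE color = :color');
    $stmt->execute([':color' => $color]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Vulnerable handler: the WHERE clause becomes  color = 'red' OR '1'='1'
// so every row comes back (3 names instead of 1).
var_dump(findByColorVulnerable($dbh, $tampered));

// Hardened handler with the same input: rejected before any SQL runs.
try {
    findByColorSafe($dbh, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}

// Even without the whitelist, binding keeps the value as data: the query now
// searches for the literal string "red' OR '1'='1" and matches no row.
$stmt = $dbh->prepare('SELECT name FROM products WHERE color = :color');
$stmt->execute([':color' => $tampered['color']]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));
```

The whitelist check is worth keeping even though the prepared statement alone stops the injection: a radio group has a known, finite set of values, and rejecting anything outside that set also catches tampering that is not SQL at all (an unexpected option, an array instead of a string) before it reaches any business logic.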

A form provides a means for people to submit data to your HTTP end point, but people do not need to use it to submit data. For example, they can create their own form, or construct an HTTP request by hand.

Nothing you send to the client can prevent people from submitting whatever they want.

The end point needs to be secure against any input because you cannot control what input it will receive.

Quentin
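To make the point above concrete, here is an added example (not part of the original answer) that builds the POST a browser would send for a radio form entirely by hand, with an attacker-chosen value, and optionally sends it over a raw socket. The host, port, path and field name are assumptions; point them at a test server you control.

```php
<?php
// Added example (not from the original answer). Builds the same POST body the
// browser would send for a plain <form method="post">, but without the form,
// and with a value the form never offered. Host, port and path are assumptions.
declare(strict_types=1);

function buildRawPost(string $host, string $path, array $fields): string
{
    // Same encoding the browser uses for application/x-www-form-urlencoded.
    $body = http_build_query($fields);
    return "POST $path HTTP/1.1\r\n"
         . "Host: $host\r\n"
         . "Content-Type: application/x-www-form-urlencoded\r\n"
         . 'Content-Length: ' . strlen($body) . "\r\n"
         . "Connection: close\r\n"
         . "\r\n"
         . $body;
}

function sendRaw(string $host, int $port, string $request): string
{
    $sock = fsockopen($host, $port, $errno, $errstr, 5);
    if ($sock === false) {
        throw new RuntimeException("connect failed: $errstr ($errno)");
    }
    fwrite($sock, $request);
    $response = stream_get_contents($sock);
    fclose($sock);
    return $response;
}

// Nothing from the HTML is involved: to the server a "radio button" is just a
// key/value pair in the body, and this one is not among the form's options.
$request = buildRawPost('localhost', '/submit.php', [
    'color' => "red' OR '1'='1",
]);
echo $request, "\n";

// Uncomment to deliver it to an assumed local test server:
// echo sendRaw('localhost', 8080, $request);
```

On the receiving side `$_POST['color']` holds exactly the tampered string; PHP decodes the body the same way whether it came from a real `<input type="radio">` or from this script, which is why the endpoint, not the form, has to enforce which values are acceptable.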

A malicious user does not need your form to create their own POST request to your server. They only need to know the form keys your server accepts; then they can create their own request.

If you are allowing un-escaped $_POST/$_GET/$_REQUEST/$_COOKIE/(some $_SERVER) values to be inserted directly into your query, then you are affected.

To be safe, use parametrised queries with PDO or mysqli.

Please read this post: How can I prevent SQL injection in PHP?

Lawrence Cherone