I previously had the form set up with just radio input so the value was only one or the other. The client now wants it to be a check box so you could search by multiple variables at once.

I set up a test jQuery method to make sure it was at least making the correct string to be submitted, with the following:

function showValues() {
    var datastr = $(".formC").find("input[type='checkbox']").serialize();
    $( "#bodyA" ).text( datastr );
}

$(".localSearch").on('click', showValues);

Here is the result:

expertise%5B%5D=Ancillary&expertise%5B%5D=LargeGroup&expertise%5B%5D=IndividualPlans

I am very new to AJAX, jQuery, and PHP but this seems like the correct string to be submitting.

Now I am using jQuery AJAX to submit the values over to my PHP page.

$('.localSearch').on('click', function() { // Pulls data based on radio input
    var dataStr = $(".formC").find("input[type='checkbox']").serialize();
    $.ajax({
        type: "POST",
        dataType: "html",
        // the already-serialized string is sent as one POST field named "expertise"
        data: {
            expertise: dataStr
        },
        url: "expertise.php",
        success: function (data) {
            $("#bodyA").html(data);
        }
    });
});

Here is what the form looks like: (The form contains more but these are the only elements for expertise.php)

<label for="agent">Agent Services:</label><br />
<label for="ancillary"><input type="checkbox" value="Ancillary" name="expertise[]" id="ancillary" />Ancillary</label><br />
<label for="smallgroup"><input type="checkbox" value="SmallGroup" name="expertise[]" id="smallgroup" />Small Group</label><br />
<label for="largegroup"><input type="checkbox" value="LargeGroup" name="expertise[]" id="largegroup" />Large Group</label><br />
<label for="medicare"><input type="checkbox" value="Medicare" name="expertise[]" id="medicare" />Medicare</label><br />
<label for="longterm"><input type="checkbox" value="LongTermCare" name="expertise[]" id="longterm" />Long Term Care</label><br />
<label for="individual"><input type="checkbox" value="IndividualPlans" name="expertise[]" id="individual" />Individual Plan</label><br />
<label for="tpa"><input type="checkbox" value="TPASelfInsured" name="expertise[]" id="tpa" />TPA Self Insured</label><br />
<label for="ppaca"><input type="checkbox" value="CertifiedForPPACA" name="expertise[]" id="ppaca" />Certified for PPACA</label><br />
<label for="acaind"><input type="checkbox" value="ACA_Ind" name="expertise[]" id="acaind" />Individual  Marketplace Certified</label><br />
<label for="acashop"><input type="checkbox" value="ACA_Shop" name="expertise[]" id="acashop" />Shop Marketplace Certified <br />(small group)</label><br />
<span class="localSearch">Submit</span>

I had it working when it was only dealing with one value, and the string it creates seems to be the correct string. Any ideas on this? If you need any more code or anything then just let me know!

Live site if needed

Josh Powell
    congratulations you have won a free sql-injection to your live page. i prayed to eris that it isn't your live page. if it is, remove this script or otherwise someone will clean up your database. you should use prepared statements **and** ``bindParam`` for the parameters. otherwise it's not better than ``mysql_query('DROP DATABASE')`` – jwacalex Oct 07 '13 at 19:10
  • Alright, if you don't mind then how would someone inject an sql statement into a checkbox? Like I said I am new and I have tried to prevent it from what I have learned on my own. No one seems to answer this question though and I understand when the user has the ability to type something in but they don't here. – Josh Powell Oct 07 '13 at 19:15
  • it's very naive to think that a user won't inject some code. your basic problem is that you just throw the code into the statement. i can just record the request via a plugin, modify it, add the injection and send the new one to your script. if the request is submitted, everything is plaintext. everything your script is getting from outside (eg. user request) should be considered as malicious input and filtered/escaped/whatevered – jwacalex Oct 07 '13 at 19:20
  • I am not being naive about it and I greatly understand the threat of an sql injection. The problem I have, with php, is the lack of an education or solid introduction into it. I have tried to understand how to use `bindParam` but it just doesn't make any sense to me. This is where I tried to learn about it http://php.net/manual/en/mysqli-stmt.bind-param.php – Josh Powell Oct 07 '13 at 19:23
  • removing the code won't help because there is a history of revisions. a fix would be a whitelist of allowed expertise-fields. ``bindParam`` could be used if you add the right number of placeholders via string operation. but i just think both ways are not the best one. maybe it would be better with another db-design and not have all expertises as flags in the database. but i think this goes too far and doesn't solve your initial problem ;) – jwacalex Oct 07 '13 at 19:31
  • Hmm I appreciate your time and effort but how could someone drop my db when in my sql the value has to pass this: `$stmt->bind_result` which binds all of my values and doesn't allow other values to pass if they don't equal a known value. Am I missing something? At least anything in my database is of no value since I have to upload a text file from the actual database to phpmyadmin. I just don't see how it is possible but I will continue to figure out how to better prevent sql injection. – Josh Powell Oct 07 '13 at 19:41
  • if you look in the manual of ``bind_result``: "Binds columns in the **result** set to variables." a malicious query doesn't care about this. maybe you gain some security by obscurity because you hide some data. – jwacalex Oct 07 '13 at 19:53

1 Answer

You're serializing everything in the checkbox element set. I suspect you just need the value of a given attribute (id or value). And only items that are checked. Here's an example of dumping selected checkboxes into an array:

var myArray = []; // collect the value attribute of each checked box
$(".formC input:checkbox:checked").each(function(){ myArray.push($(this).val()); });

jQuery get values of checked checkboxes into array

Once you have an array, you can loop through it to put together your sql WHERE predicates.

Community