html form selector security vulnerability

Question

if i have this simple form selector below:

<form id="myform" class="form" role="form" accept-charset="utf-8" method="post" action="/mypage.php">
    <select id="gender" name="gender">
     <option selected="" value=""></option>
     <option value="man">man</option>
     <option value="women">women</option>
    </select>
    <button type="submit" name="insert"> Send </button>
</form>

and this little php code to retrieve data:

    if (isset($_POST['insert'])) {
        if(!isset($_POST['gender']) || strlen($_POST['gender'])<3)
        {
                        header('location:'.$_SERVER['PHP_SELF'].'?error');
                        exit;
        }

        $gender = ($_POST['gender']);
     ...
    // INSERT INTO DATABASE
    }

and now someone with Firebug modify the option value from "man" to "vulnerability" and click submit this new value will be insert into my database and not the previous one.

My question is: how can i prevent this with php language ?

thanks.

You would sanitize your inputs. Check this out: http://stackoverflow.com/questions/1637275/simple-html-sanitizer-in-javascript — Joshua Terrill, Mar 19 '14 at 07:42
could be that i need the "simple if-else logic check" to match the only two value options possible ? — Fregt_ngul, Mar 19 '14 at 07:59
No, it has to do with escaping certain values that get put into your select box. Look at what @The-Doctor has posted below. — Joshua Terrill, Mar 19 '14 at 08:04
This will help you a ton: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php — Joshua Terrill, Mar 19 '14 at 08:06

score 2 · Accepted Answer · answered Mar 19 '14 at 08:09

2

Since you have a defined set of possible values, it’s easy to validate the submitted value:

$options = array('', 'man', 'woman');
if (!in_array($_POST['gender'], $options)) {
    // invalid value
}

answered Mar 19 '14 at 08:09

Gumbo

643,351
109
780
844

score 1 · Answer 2 · edited Jan 18 '21 at 12:39

Your Database part is not given, so I can't assure exactly what solution will be perfect for you. Though, it is better if you use PDO bind system in this case along with some simple if-else logic check.

like this example:

$this->db_connection = new PDO('mysql:host='. DB_HOST .';dbname='. DB_NAME . ';charset=utf8', DB_USER, DB_PASS);

$query_new_user_insert = $this->db_connection->prepare('INSERT INTO users (user_name, user_password_hash, user_email, user_activation_hash, user_registration_ip, user_registration_datetime, usertype, user_fname, user_lname) VALUES(:user_name, :user_password_hash, :user_email, :user_activation_hash, :user_registration_ip, now(), :usertype, :user_fname, :user_lname)');
                
                $query_new_user_insert->bindValue(':user_name', $user_name, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_password_hash', $user_password_hash, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_email', $user_email, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_activation_hash', $user_activation_hash, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_registration_ip', $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':usertype', $usertype, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_fname', $user_fname, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_lname', $user_lname, PDO::PARAM_STR);
                $query_new_user_insert->execute();

Now you can see here we are binding values. He will never know your variables here. Also, you can use Generated form instead of directly coding one. Also using array for passing data is another good practice too! Check this out: https://blog.stackoverflow.com/2008/06/safe-html-and-xss/

real_escape_string is not needed if you use PDO prepare() as I shown above. PDO is modern PHP base than the other alternative(you can use PDO::quote()) @user3436403 — abmmhasan, Mar 19 '14 at 08:23

score 0 · Answer 3 · answered Mar 19 '14 at 07:57

like what @Joshua said you would have to sanitize your inputs you could do this like so, (this is not the only way to check validity of the variables)

if($_POST['insert'] == "vulnerability"){
//refresh the page and notify
}
if (isset($_POST['insert'])) {
    if(!isset($_POST['gender']) || strlen($_POST['gender'])<3)
    {
                    header('location:'.$_SERVER['PHP_SELF'].'?error');
                    exit;
    }

    $gender = ($_POST['gender']);
 ...
// INSERT INTO DATABASE
}

You would only want to insert variables into a database once you are sure that the variables are safe or is what is expected, i.e. if there is no validity checking in your php code before you insert into the database a user can use an mysql statement to drop your table or alter your data i.e."TRUNCATE TABLE MY_AWESOME_TABLE". and this would delete all the data in your table (users, passwords etc).

html form selector security vulnerability

3 Answers3