Using PHP and MySQLi I have a simple form with 4 HTML5 dropdown select inputs. Now I am wondering: do I still have to use prepared statements to secure my database? Am I still at risk of SQL injection? Or is there any other type of risk in using this type of input? Thanks
Viewed 242 times
6
- (1) I really don't understand how this question got that many upvotes despite the fact that the first two results of a [Google search](https://www.google.fr/search?q=sql+injection+dropdown&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a&channel=sb&gfe_rd=cr&ei=rqQMVJPvBpGDcOqcgvAG) already answer it and that the answer is trivial and boils down to: [**never trust user input**](http://stackoverflow.com/questions/2794016/what-should-every-programmer-know-about-security). – Sep 07 '14 at 18:34
- Right-click your select box in Chrome and click 'Inspect element'. Then feel free to change the values to whatever you like and submit the form. – rybo111 Sep 07 '14 at 18:44
1 Answer
9
You are still wide open to an injection attack, since the value submitted through your select box can easily be modified by the end user.

If you have good validation server side, then doing it without a prepared statement would work.

With good I mean something like this:

```php
$array = array("all", "your", "possible", "values", "from", "Select boxes");
// Accept the submitted value only if it is one of the options the form actually offers;
// the third argument makes the comparison strict (no type juggling).
if (isset($_POST['selectbox']) && in_array($_POST['selectbox'], $array, true)) {
    // MySQL statements etc....
}
```

Directly inserting user input is NEVER a good idea. You should never trust the end user!

Philip G
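An added example (not the answer's or the asker's code) that puts the two halves of the answer together: the submitted `<select>` value is checked against the server-side list of options, and the query still uses a MySQLi prepared statement, so it stays safe even if someone later weakens the whitelist. The table `products`, the form field `category`, the option values and the connection credentials are all assumptions made up for this example.

```php
<?php
// Assumed schema/form: table `products` (id, name, category) and a <select name="category">
// whose <option> values are exactly the entries of $allowed_categories.
$allowed_categories = array('books', 'music', 'games', 'toys');

function pick_category(array $post, array $allowed)
{
    // Missing, non-string or tampered values (changed in the browser's element
    // inspector, as the comments describe) are rejected before any SQL is built.
    if (!isset($post['category']) || !is_string($post['category'])) {
        return null;
    }
    // Strict comparison: a value must match an option exactly, not via type juggling.
    return in_array($post['category'], $allowed, true) ? $post['category'] : null;
}

$category = pick_category($_POST, $allowed_categories);
if ($category === null) {
    http_response_code(400);
    exit('Invalid category');
}

// Assumed credentials; the real ones belong in configuration, not in the script.
$mysqli = new mysqli('localhost', 'app_user', 'app_password', 'shop');
if ($mysqli->connect_error) {
    exit('Database connection failed');
}
$mysqli->set_charset('utf8mb4');

// Even the whitelisted value is passed as a bound parameter, never concatenated into the SQL.
$stmt = $mysqli->prepare('SELECT id, name FROM products WHERE category = ?');
$stmt->bind_param('s', $category);
$stmt->execute();
$stmt->bind_result($id, $name);
while ($stmt->fetch()) {
    // Escape on output as well, so a stored name cannot inject HTML into the page.
    echo $id, ': ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), "\n";
}
$stmt->close();
$mysqli->close();
```

The whitelist rejects anything that is not a real option, and the bound parameter means the database never sees the value as part of the SQL text.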
- Thanks Philip for editing and replying to the question. Honestly, doing SQL injection on inputs like text or email makes sense to me, but I can't understand how inputs like checkboxes, radios and select boxes can be hacked! – Suffii Sep 07 '14 at 16:35
- For someone wanting to hurt your site: modifying the values of select boxes is almost as easy as putting them in through text input fields. – Philip G Sep 07 '14 at 16:37
- (2) @Suffii - forms can easily be modified by users (try Firebug or the Chrome Developer Console)... or they could just create a form on a separate site and post to your server. There are lots of ways to do it: "never trust the user" is good advice. – Ben D Sep 07 '14 at 16:40