-1

On a form that I made I check a lot of checkboxes and set values accordingly. For example, if checkbox1 is checked I set $somevalue equal to Yes, else it is equal to No. I later call $somevalue in an SQL query.

Is this secure? I know you're never supposed to trust user input. I am parsing my input boxes with mysqli_escape_string and checking if drop down boxes contain values I expect. I'm just not positive if I have to do anything extra for my check boxes.

Luke

1 Answer

0

Sounds like you're doing everything right.

If you have an input string that the user creates, then you should escape the string; however, if you're only expecting specific values, then you only really need to do the conditional, since once you've verified the text you're dealing with to be "Yes", you know it doesn't utilize injection.

VortixDev
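An added example, not code from the question or the answer, of the approach discussed in this thread: the checkbox is mapped to a server-chosen constant, the drop-down is checked against an allow-list, and the free-text field goes through a prepared statement. The field names (`newsletter`, `plan`, `name`), the `signups` table and the function names are hypothetical.

```php
<?php
// Added example; field, table, column and function names are hypothetical.

// Map a checkbox to a server-chosen constant. The submitted value is never
// copied: a browser omits unchecked boxes, and a client can send any string
// for a checked one.
function checkbox_to_flag(array $form, string $field): string
{
    return isset($form[$field]) ? 'Yes' : 'No';
}

// Accept a drop-down value only if it is in the expected set (strict compare,
// so arrays and numeric look-alikes do not pass).
function dropdown_or_null(array $form, string $field, array $allowed): ?string
{
    $value = $form[$field] ?? null;
    return (is_string($value) && in_array($value, $allowed, true)) ? $value : null;
}

// Store the row with a prepared statement, so even the free-text field is
// sent as data rather than as part of the SQL text.
function save_signup(mysqli $db, array $form): bool
{
    $newsletter = checkbox_to_flag($form, 'newsletter');
    $plan = dropdown_or_null($form, 'plan', ['free', 'pro']);
    $name = $form['name'] ?? null;
    if ($plan === null || !is_string($name)) {
        return false; // reject unexpected input instead of guessing
    }
    $stmt = $db->prepare('INSERT INTO signups (name, plan, newsletter) VALUES (?, ?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $name, $plan, $newsletter);
    return $stmt->execute();
}

// Constructed sample input standing in for $_POST: the checkbox carries a
// value the form never offered, yet only 'Yes' or 'No' can come out.
$sample = ['name' => "O'Brien", 'plan' => 'pro', 'newsletter' => 'anything-the-client-sends'];
var_dump(checkbox_to_flag($sample, 'newsletter'));
var_dump(checkbox_to_flag([], 'newsletter'));
var_dump(dropdown_or_null(['plan' => 'admin'], 'plan', ['free', 'pro']));
```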