
After looking through some sites (eg https://www.owasp.org/index.php/Main_Page) I found no EXPLICIT mention of what hazards the following process would open me up to:

A user answers a multiple choice question, sending a form with the "answer" as a hidden field.

The .php page takes it (validates it to have less than 100 characters), then takes the Correct Answer from the database. It compares the two (using the == comparison operator).

then sends:

 echo "Wrong! The correct answer is ".$correctAnswer; //a hack presumably will always be wrong!!!

Basically, what damage could there possibly be with letting user input (up to 100 characters) get stuck into

$playersAnswer = $_POST['checkAnswer'];

and

 if ($correctAnswer == $playersAnswer){ ....etc

The advantage for me is that I need not worry about any letters/symbols/characters in the user's answer being stripped or converted. Therefore I can use questions with full punctuation, foreign languages and even questions about javascript without fear!

EnglishAdam
    so what is the question exactly? – Tim S. Dec 22 '11 at 10:09
  • "what hazards the following process would open me up to" and "Basically what damage could there be..." – EnglishAdam Dec 22 '11 at 10:10
  • Voting bad fit. See [the FAQ about the types of questions to be avoided](http://stackoverflow.com/faq#dontask) - `there is no actual problem to be solved: "I’m curious if other people feel like I do."`. The way this is worded, it seems like you've already answered your own question. – Merlyn Morgan-Graham Dec 22 '11 at 10:11
  • The question is "Is there a need to sanitize when user input data is neither outputted nor sent to a database?" which is the title, the rest is just to set the context – EnglishAdam Dec 22 '11 at 10:15
  • @Mario your links address output and not any possible (new) hacks that DON'T rely on html output or mysql queries, I'd read one of them already, thanks though! – EnglishAdam Dec 22 '11 at 10:20
  • @Merlyn that seems ridiculous - doesn't that mean we can't ask whether there is a problem with something if the answer is that there's indeed no problem? Although I see what you mean. Hmm. – Pekka Dec 22 '11 at 10:29
  • @AdamNarbutt: Still kind of reads like a rant to me disguised as a question. Tho if you're asking in earnest I'll take your word on it :) – Merlyn Morgan-Graham Dec 22 '11 at 10:40

1 Answer

If all you do is use the POST variable in a comparison:

$correctAnswer == $playersAnswer

there is no danger to this.

The danger begins where you use the variable - in HTML output, in a database query, in an exec() or eval() command...

Pekka
  • Ok, that is what I was thinking. Thanks for the clarification. – EnglishAdam Dec 22 '11 at 10:17
  • ...but you are using `$correctAnswer` in the html output and therefore it has to be sanitized and/or encoded (depending on e.g. whether you want to allow html code that is interpreted as such in that variable). – VolkerK Dec 22 '11 at 10:22
  • @VolkerK All questions in the database are entered/vetted by us before being entered manually and not via the website, the database itself would have to be hacked to mess around with $correctAnswer. But yes you're right. – EnglishAdam Dec 22 '11 at 10:26
  • @Pekka Why would the following not be dangerous? form name 'answer' value '1; ?> bad code ' so $variable = ['answer']; becomes $variable = 1; ?> bad code etc why isn't this a problem? Thanks for any help! – EnglishAdam Dec 23 '11 at 19:42
  • @Adam because the `?>` will never be executed in a comparison. It is just a bunch of meaningless characters. It might be a problem if used in `eval()`, for example – Pekka Dec 23 '11 at 20:01
  • @Pekka Thanks again, I always imagined the variable value physically 'replacing' the $value in the code, so I guess that was my naivety and the reason for my question/doubt. Thx and Merry Xmas! – EnglishAdam Dec 23 '11 at 21:50
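The following is an added example, not code from the question or from Pekka's answer, that puts the three points made above into one runnable script: the submitted string is only compared, so content such as `1; ?> bad code` stays an inert string (the worry in the last comments); the stored answer is the one value that does reach HTML, so it is escaped on output (VolkerK's point); and the comparison uses `===` rather than `==`, because PHP's loose comparison treats two numeric strings numerically, so `'10' == '1e1'` is true. The in-script `QUESTIONS` array stands in for the database lookup and the `$samples` list stands in for `$_POST['checkAnswer']`; both are constructed for the example, and `checkAnswer()` is a hypothetical function name.

```php
<?php
// Added example, not the original poster's code. The database is replaced by
// a constructed in-script array so the script runs offline.
declare(strict_types=1);

/** Constructed sample "database": question id => correct answer text. */
const QUESTIONS = [
    'q1' => "¿Qué es 'closure' en JavaScript?", // punctuation and non-ASCII are fine
    'q2' => '10',
];

/**
 * Compare the submitted answer with the stored one and build the response text.
 * The submitted string is only ever compared; it is never placed in SQL, HTML,
 * eval() or exec(), so nothing in it is interpreted as code.
 */
function checkAnswer(string $questionId, string $playersAnswer): array
{
    if (!isset(QUESTIONS[$questionId])) {
        return ['ok' => false, 'message' => 'Unknown question'];
    }
    $correctAnswer = QUESTIONS[$questionId];

    // Length limit as in the question (100 characters); count characters, not bytes.
    if (mb_strlen($playersAnswer, 'UTF-8') > 100) {
        return ['ok' => false, 'message' => 'Answer too long'];
    }

    // Strict comparison avoids loose-comparison type juggling:
    // '10' == '1e1' is true in PHP, '10' === '1e1' is false.
    $isCorrect = ($correctAnswer === $playersAnswer);

    // The only value that reaches HTML is the stored answer: escape it on output.
    $message = $isCorrect
        ? 'Correct!'
        : 'Wrong! The correct answer is '
          . htmlspecialchars($correctAnswer, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    return ['ok' => $isCorrect, 'message' => $message];
}

// Constructed inputs simulating $_POST['checkAnswer'] for a few question ids.
$samples = [
    ['q1', "¿Qué es 'closure' en JavaScript?"], // exact match: correct
    ['q2', '1e1'],                              // == would accept this; === does not
    ['q2', '1; ?> bad code '],                  // just a string; never executed
];
foreach ($samples as [$id, $submitted]) {
    $r = checkAnswer($id, $submitted);
    printf("%s | %s => %s: %s\n", $id, $submitted, $r['ok'] ? 'correct' : 'wrong', $r['message']);
}
```

Run it with `php example.php` (mbstring is assumed to be available for `mb_strlen`). The second sample is the case worth noticing: with the question's original `==` the answer `1e1` would be graded as correct for a stored answer of `10`, which is not a code-execution hazard but is a wrong-grading one, and `===` removes it.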