Should we guard against unanticipated user input from dropdown lists? Is it plausible to expect a user to somehow modify a dropdown list to contain values that weren't originally included?

How can they do this and how can we stop it?

+13  A: 

Absolutely check for that.

Do something like this pseudo code on the receiving end:

if ( posted_value is_element_of($array_of_your_choices) ) {
    //processing code
} else {
    //prompt them for good input
}

So for example: Your dropdown list is of Primary Colors they'd like their house painted. You'd have (in PHP)

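$colors = array('red', 'blue', 'yellow');

// Strict comparison; isset() guards against the field being absent from the request
if (isset($_POST['color']) && in_array($_POST['color'], $colors, true)) {
    // process this code! dispatch the painters
} else {
    echo "sorry, that's not a real color";
}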

Edit: This is certainly possible. If your values are being submitted via a GET request, then the user can simply enter www.example.com/?price=0 to get a free house. If it's a POST request, it may seem a little more difficult, but it's really not:

curl_setopt($ch, CURLOPT_POSTFIELDS,"price=0");

People could just use cURL to directly manipulate a POST request, in addition to a trivially large number of other clients.

Alex Mcp
If you are talking about security: Absolutely. Any incoming data can be manipulated freely.
Pekka
You should do this type of check on both the client and the server as well. On the server to prevent an injection attack like Jeremy Powell recommended and on the client to prevent bad data getting to the server.
ajrawson
You don't even have to use cURL. I could just Firebug into the field and replace text, or use the Web Developer toolbar. Or Transmit. It's really easy with a little bit of know-how.
alex
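
A fuller version of the allow-list check from the answer above, as an added example (not code from the original answer or its comments): the option list lives on the server, the dropdown is rendered from it, and the price is looked up from the validated key instead of being read from the request, so a forged price=0 has no effect. The names PAINT_OPTIONS, render_color_select and validate_order, and the prices, are made up for illustration.

```php
<?php
declare(strict_types=1);

// Constructed catalogue: the server owns the allowed choices and their prices.
const PAINT_OPTIONS = [
    'red'    => ['label' => 'Red',    'price' => 1200],
    'blue'   => ['label' => 'Blue',   'price' => 1250],
    'yellow' => ['label' => 'Yellow', 'price' => 1100],
];

// Render the <select> from the same array the check uses, so they cannot drift apart.
function render_color_select(): string
{
    $html = '<select name="color">';
    foreach (PAINT_OPTIONS as $value => $opt) {
        $html .= sprintf(
            '<option value="%s">%s</option>',
            htmlspecialchars($value, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($opt['label'], ENT_QUOTES, 'UTF-8')
        );
    }
    return $html . '</select>';
}

// Returns the order, or null when the submitted value is not one we offered.
// Any "price" field in the request is ignored: the price comes from PAINT_OPTIONS.
function validate_order(array $post): ?array
{
    $color = $post['color'] ?? null;
    // Reject missing values and non-strings (color[]=red arrives as an array).
    if (!is_string($color) || !array_key_exists($color, PAINT_OPTIONS)) {
        return null;
    }
    return ['color' => $color, 'price' => PAINT_OPTIONS[$color]['price']];
}

// Constructed requests: one honest, three tampered.
$requests = [
    ['color' => 'blue'],
    ['color' => 'blue', 'price' => '0'],
    ['color' => 'evilstuff'],
    ['color' => ['red']],
];
foreach ($requests as $post) {
    $order = validate_order($post);
    echo json_encode($post), ' => ', $order === null ? 'rejected' : json_encode($order), PHP_EOL;
}
```

In a real handler, `$_POST` would be passed to `validate_order()` and a null result answered with an error response.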
+3  A: 

A user can simply hand-write an HTTP request which has been filled in with malicious data. For GET requests, for example, you may have a "State" dropdown that lists Alabama, Arkansas, etc. He may put http://example.com?state=evilstuff just simply into the browser url bar.

This is easily prevented since you already know exactly what is in the dropdown list. Simply checking to see if the input is in that list or not should be sufficient to prevent against injection-like attacks. If he puts in something other than a valid state name, throw an error.

Jeremy Powell
+1  A: 

When I'm bored, I edit drop-down lists in web sites just for fun. Mostly it just breaks the site, but at least once I could have gotten free or drastically reduced prices on tickets just by playing with the site's hidden fields. (Alas it was for a company I worked for, so I had to instead report the bug.)

Jonathan Allen
A: 

Yes, a malicious user can submit data to your server without ever using your form, and could submit data that's not normally included in your dropdown list. This is a trivial form of attack that's often exploited in the real world.

Always check for valid input!

Rob Pelletier
+2  A: 

This can only be done by modifying the HTTP response. So,

  • yes, it can be done and you need to safeguard against it (i.e. check if this can be a security threat and, if yes, validate the input), but
  • no, you don't need to bring a "nice" error message, since this cannot happen to a normal user "by accident".
Heinzi
A: 

Some of the other answers are absolutely correct, you MUST validate on the server-side ANY data coming from the user side.

At work, we use tools such as the Firefox plug-in Tamper Data to manipulate and view data that's being posted to the server, after any client-side (JavaScript) validation has been done. Also, you can even use simple tools such as Firebug to visibly alter drop-down boxes to contain values that weren't put there by the server before submitting it.

MattGWagner