I'm working on a web app project (in Java; not that it matters) and we have a form with drop down lists and input fields, etc.

Obviously drop down lists are provided because we expect a specific value from a set of values.

So my question is this: does it make sense to ensure the submitted value is in the set of expected values? Or is it acceptable to just assume the correct value is coming across?

There aren't any "errors" that would arise from different values being submitted, but the data store would not be consistent with the business rules/requirements.

+2  A: 

You definitely should validate that the submitted value is in the set of expected values. It's trivial to use Firebug to submit whatever you want for a dropdown.

Tom Ritter
+2  A: 

Best Practice: Assume that every user is a dirty hacker who has it in for you and will do everything in their power to bring your site down.

Therefore, it is imperative that all data be validated server side.

Hackers don't use your form. They create random form data and submit it via other means. In fact, the hacker doesn't even know what your site does -- their scanner just wandered across your site and is submitting random stuff.

I use extensive client side validation (C# validators) and validate every field on my forms. That way when a user uses my forms, when they finally hit the server, the data should be good.

But, we still get bad data! It's hackers probing the site using their own tools.

It's not like we're a good target -- we don't have any financial records exposed to the net, and so what if you get to use our site for free? The issue is that the hackers don't know that, and are probing anyway.

chris
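Both answers above make the same point: the drop-down is a convenience for honest users, not a control, so the server must check the submitted value against the set it rendered. The following is an added example illustrating that check (it is not code from the question or either answer). It assumes a plain Java web app, models the request parameters as the `Map<String, String[]>` shape a servlet's `getParameterValues()` returns, and uses a hypothetical `ShippingMethod` drop-down as the field; the submissions at the bottom are constructed to show what a tampering client or scanner might send.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Optional;

// Added example: server-side allow-list validation of a <select> value.
// The enum is the single source of truth for the option set; render the
// <option> tags from it and check submissions against it, so the two can't drift.
public class DropdownValidation {

    // Hypothetical drop-down field; the string is the exact <option value="..."> the form rendered.
    enum ShippingMethod {
        STANDARD("standard"), EXPRESS("express"), OVERNIGHT("overnight");

        private final String formValue;

        ShippingMethod(String formValue) { this.formValue = formValue; }

        String formValue() { return formValue; }

        // Exact, case-sensitive match against the rendered values. Anything else is rejected:
        // null, "", "EXPRESS", "standard " (trailing space), "standard'--", and so on.
        static Optional<ShippingMethod> fromForm(String submitted) {
            if (submitted == null) return Optional.empty();
            for (ShippingMethod m : values()) {
                if (m.formValue.equals(submitted)) return Optional.of(m);
            }
            return Optional.empty();
        }
    }

    // Stands in for the controller/servlet step. A client may send the parameter zero, one or
    // many times regardless of what the <select> allowed, so reject anything but exactly one value.
    // An empty result means the request should get a 400 and never touch the data store.
    static Optional<ShippingMethod> validateShipping(Map<String, String[]> params) {
        String[] values = params.get("shipping");
        if (values == null || values.length != 1) return Optional.empty();
        return ShippingMethod.fromForm(values[0]);
    }

    public static void main(String[] args) {
        // Constructed submissions: the first is what the real form sends; the rest never come
        // from the rendered drop-down and only arrive from an edited request or a scanner.
        List<Map<String, String[]>> submissions = List.of(
            Map.of("shipping", new String[] {"express"}),
            Map.of("shipping", new String[] {"EXPRESS"}),
            Map.of("shipping", new String[] {"free"}),
            Map.of("shipping", new String[] {"standard", "overnight"}),
            Map.<String, String[]>of()
        );
        for (Map<String, String[]> p : submissions) {
            String[] raw = p.get("shipping");
            String shown = raw == null ? "(missing)" : Arrays.toString(raw);
            String verdict = validateShipping(p)
                .map(m -> "accepted as " + m.name())
                .orElse("rejected -> 400 Bad Request");
            System.out.println("shipping=" + shown + " : " + verdict);
        }
    }
}
```

The pattern generalises to every field, not just drop-downs: map each raw parameter into a typed value with a total function that returns empty on anything unexpected, and write to the data store only from the typed values. Client-side validators can stay for user experience, but they run on a machine the attacker controls, so they count for nothing in the server's decision.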