views: 96

answers: 3

Hello All,

I want to know: is there any chance of SQL injection via select box options? If yes, then will you please show some demonstration (or refer me to any link)? And also tell me how we prevent SQL injection in a select box (using PHP/MySQL).

One more: if I create a select box dynamically (based on the options of another select box), then is there any chance of SQL injection?

Thanking you.

+7  A: 

Yes. The attacker can just make up her own HTML form and post it to your URL. There is even a plugin for Firefox (Web Developer Toolbar) which can change the select field to a textbox on any page.

You can never trust data sent by the browser ($_GET, $_POST, $_COOKIE, $_REQUEST). Always sanitize your input.

Emil Vikström
@Emil, that addon doesn't change any select box to a textbox... as far as I know (I have been using that addon for 6 months).
diEcho
@I Like PHP: it still doesn't make him wrong about his answer, "yes".
Thorpe Obazee
I Like PHP, check under "Forms -> Convert Select Elements To Text Inputs".
Emil Vikström
Thank you for the information.
diEcho
+2  A: 

Yes, there is still a chance of SQL injection with a select box. Upon postback, the client can actually put anything they like in the field for the select box; it doesn't have to be one of the values in the list.

You should always be validating your input, no matter where it comes from. Now, apart from the "standard" defences against SQL injection (e.g. parameterised queries, etc.), with a select box you can add an extra check that the value posted back was actually one of the values that were in the list in the first place (this is assuming that you don't have JavaScript on the client that modifies the list of possible values, of course).

Dean Harding
Agreed - Firebug lets me change the values of fields that I could then post. I would always use mysql_real_escape_string, or if you expect numerical values from the select box you could always do (int)$_POST['foo'].
niggles
A: 

The injection is not done through the form, but through the PHP that handles the form. A person can send any arbitrary data as a name/value pair to your code and you would have no way of knowing whether it came from a select box, an input field, or was just made up on the spot. Always validate any data that comes from a form. Always assume that it is compromised.

A select box does help in that you know what values should be sent. If a value sent is not in that small set, then you know that something funny is going on and you can discard all of the input safely and give an error. It is good to verify everything that comes in to your code and out of it. Otherwise, you are setting yourself up for trouble, perhaps even by something that you did by accident.

kainosnous
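Putting the advice from Dean Harding's and kainosnous's answers together, here is an added example (not code posted by any of the answerers) of a PHP/MySQL handler that validates the posted select value against the server-side option list and then still binds it as a query parameter. It assumes an open mysqli connection in `$mysqli` and a hypothetical `products` table with `category` and `subcategory` columns; the option lists are constructed for the example.

```php
<?php
// Added example, not from the original answers. Assumes an open mysqli
// connection in $mysqli and a table `products` (columns: name, category,
// subcategory). Option lists below are constructed for illustration.

// One server-side list renders the <select> AND validates the postback,
// so a forged POST cannot widen the set of accepted values.
$categories = ['books' => 'Books', 'music' => 'Music', 'games' => 'Games'];
// The dynamically built second box: its allowed values are derived on the
// server from the (validated) first choice, never trusted from the client.
$subcategories = [
    'books' => ['fiction', 'science'],
    'music' => ['rock', 'jazz'],
    'games' => ['pc', 'console'],
];

// VULNERABLE pattern the thread warns about: the posted value is pasted
// straight into the SQL string. The <select> on the page restricts nothing.
function vulnerable_query(mysqli $mysqli) {
    $cat = $_POST['category'] ?? '';
    return $mysqli->query("SELECT name FROM products WHERE category = '$cat'");
}

// Whitelist check: reject anything that was not one of the rendered options.
// Non-string input (e.g. category[]=x) is rejected too.
function require_option($posted, array $allowed): string {
    if (!is_string($posted) || !in_array($posted, $allowed, true)) {
        throw new InvalidArgumentException('Posted value is not a valid option');
    }
    return $posted;
}

// Hardened handler: validate both select values, then use a prepared
// statement so the database never sees them as SQL text.
function products_for_selection(mysqli $mysqli, array $categories,
                                array $subcategories, array $post): array {
    $cat = require_option($post['category'] ?? null, array_keys($categories));
    $sub = require_option($post['subcategory'] ?? null, $subcategories[$cat]);

    $stmt = $mysqli->prepare(
        'SELECT name FROM products WHERE category = ? AND subcategory = ?');
    $stmt->bind_param('ss', $cat, $sub);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Usage (assumed request): any value outside the lists throws before any SQL runs.
// $rows = products_for_selection($mysqli, $categories, $subcategories, $_POST);
```

An `(int)` cast, as niggles suggests, is enough to stop injection for numeric ids, but an arbitrary string casts to 0, so a membership or range check is still needed to reject tampered submissions rather than silently querying id 0.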