Web lists-archives.com

Re: [PHP] Do I need to worry about check boxes?

> Date: Wednesday, May 25, 2016 13:14:26 -0700
> From: Jeffry Killen <jekillen@xxxxxxxxxxx>
> On May 25, 2016, at 10:15 AM, Jason Pruim wrote:
>> Hey Everyone,
>> I have a form that I'm working on, and I'm adding some check boxes
>>  to it,
>> the check boxes display properly, and work as expected except...  
>> When I
>> submit the form, it shows that it's in $_POST['chkCom'] for  
>> instance, but
>> if i try and do a simple:
>> $chkCom = $_POST['chkCom'];
>> so I can work on some validation it won't work... Nothing is ever  
>> assigned
>> to it... Even though
>> <?PHP var_dump($_POST['chkCom']); ?>
>> shows the proper value... All I'm looking at doing is running like
>> HTMLentities on the check box and verifying if it was checked...
>> I guess the biggest question comes down to do I need to worry about
>> sanitizing checkbox input? On this form it's just getting emailed
>> into another web based system that I'm not in control of (Online
>> helpdesk system).
> Is chkCom the name of a checkbox set? Or, is it of a single checkbox
> in a set? If it is a single checkbox in a set then the set name
> will have the selected value. Other wise, from my experience with
> my own stumblings you have a syntax error or a variable miss 
> spelling somewhere.
> Forms can be forged: Values can be altered. Checkboxes can be
> altered.
> Yes, I would sanitize everything comming from a form.
> JK

When reading/sanitizing input it's important to remember that while
you may expect the input to come via some form you control there is
nothing that requires that. A user can save your form, change it, and
submit. Or, someone can simply fire hose straight into the script on
your server. [This makes things like js-based client-side validation
particularly amusing.]

Basically you have to assume that any input you are reading can
contain anything -- regardless of your initial intent -- so you need
to sanitize accordingly.

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php