
Re: [PHP] Do I need to worry about check boxes?





On May 25, 2016, at 1:19 PM, Richard wrote:



Date: Wednesday, May 25, 2016 13:14:26 -0700
From: Jeffry Killen <jekillen@xxxxxxxxxxx>


On May 25, 2016, at 10:15 AM, Jason Pruim wrote:

Hey Everyone,

I have a form that I'm working on, and I'm adding some check boxes to it,
the check boxes display properly, and work as expected except... When I
submit the form, it shows that it's in $_POST['chkCom'] for instance, but
if I try and do a simple:

$chkCom = $_POST['chkCom'];

so I can work on some validation it won't work... Nothing is ever
assigned to it... Even though

<?PHP var_dump($_POST['chkCom']); ?>

shows the proper value... All I'm looking at doing is running like
HTMLentities on the check box and verifying if it was checked...

I guess the biggest question comes down to do I need to worry about
sanitizing checkbox input? On this form it's just getting emailed
into another web based system that I'm not in control of (Online
helpdesk system).

Is chkCom the name of a checkbox set? Or, is it of a single checkbox
in a set? If it is a single checkbox in a set then the set name
will have the selected value. Otherwise, from my experience with
my own stumblings you have a syntax error or a variable misspelling
somewhere.

Forms can be forged: Values can be altered. Checkboxes can be
altered.
Yes, I would sanitize everything coming from a form.

JK

One way to screen for a valid form submission is to have your script
look at $_SERVER['HTTP_REFERER'] (and other related $_SERVER variables);
if the referer value is absent or from outside of your domain, reject the form submission
(unless you have an arrangement with another domain to host your form,
in which case you would allow that domain as a valid source of form
submission).

For a checkbox value, you hard code that and can use a switch/case
block to look at the value submitted. Literal and expected possible
values will have case labels. Everything else goes to the default case.

This is more difficult for text and textarea input, of course. But for the
most part elements with a known range of possibilities can use this
approach.



When reading/sanitizing input it's important to remember that while
you may expect the input to come via some form you control there is
nothing that requires that. A user can save your form, change it, and
submit. Or, someone can simply fire hose straight into the script on
your server. [This makes things like js-based client-side validation
particularly amusing.]

Basically you have to assume that any input you are reading can
contain anything -- regardless of your initial intent -- so you need
to sanitize accordingly.
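An added example, not code from anyone in this thread, showing the allowlist (switch/case) approach JK describes combined with Richard's point that $_POST can contain anything: the field name chkCom, the allowed values and the sample submissions are constructed for illustration.

```php
<?php
// Added example: validate a checkbox field against hard-coded allowed values.
// Field name "chkCom" and the allowed values are assumed for illustration.

/**
 * Return the accepted values for $field, or [] when the box was not checked
 * (an unchecked checkbox is simply absent from $_POST). A single checkbox
 * arrives as a string (its value attribute, or "on" when none is set); a
 * name="chkCom[]" set arrives as an array. Anything outside the allowlist,
 * or of an unexpected type, is rejected rather than cleaned up.
 */
function checkboxValues(array $post, string $field, array $allowed): array
{
    if (!array_key_exists($field, $post)) {
        return [];                                    // not checked
    }
    $values = is_array($post[$field]) ? $post[$field] : [$post[$field]];
    $accepted = [];
    foreach ($values as $v) {
        if (!is_string($v)) {                         // e.g. nested arrays
            throw new InvalidArgumentException("$field: non-string value");
        }
        // Strict comparison plays the role of the literal case labels;
        // in_array without true would let "1" match 1 or true.
        if (!in_array($v, $allowed, true)) {
            throw new InvalidArgumentException("$field: unexpected value '$v'");
        }
        $accepted[] = $v;
    }
    return array_values(array_unique($accepted));
}

// Constructed sample submissions standing in for $_POST.
$allowedContact = ['email', 'phone'];
$samples = [
    'both checked'  => ['chkCom' => ['email', 'phone']],
    'unchecked'     => [],
    'altered value' => ['chkCom' => 'pager'],         // not in the form
    'wrong type'    => ['chkCom' => [['email']]],     // hand-crafted request
];

foreach ($samples as $label => $post) {
    try {
        $ok = checkboxValues($post, 'chkCom', $allowedContact);
        echo "$label: accepted ", json_encode($ok), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (", $e->getMessage(), ")\n";
    }
}
```

Because the accepted values are always drawn from your own literal list, the value you forward by email is never attacker-controlled, which is the point of validating rather than escaping checkbox input.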



--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php