
Re: [PHP] Do I need to worry about check boxes?

On 26 May 2016 08:37:02 BST, Narcis Garcia <informatica@xxxxxxxxx> wrote:
>As I remember, the value is submitted only if the checkbox is checked.
>
>Are you sure your <form> tag has method="post" ??
>
>
>On 25/05/16 at 19:15, Jason Pruim wrote:
>> Hey Everyone,
>> 
>> I have a form that I'm working on, and I'm adding some check boxes to it,
>> the check boxes display properly, and work as expected except... When I
>> submit the form, it shows that it's in $_POST['chkCom'] for instance, but
>> if I try and do a simple:
>> 
>> $chkCom = $_POST['chkCom'];
>> 
>> so I can work on some validation it won't work... Nothing is ever assigned
>> to it... Even though
>> 
>> <?PHP var_dump($_POST['chkCom']); ?>
>> 
>> shows the proper value... All I'm looking at doing is running like
>> HTMLentities on the check box and verifying if it was checked...
>> 
>> I guess the biggest question comes down to do I need to worry about
>> sanitizing checkbox input? On this form it's just getting emailed into
>> another web-based system that I'm not in control of (online helpdesk
>> system).
>> 
>> Any info you can give would be greatly appreciated!
>> 
>> For anyone interested here are some basic snippets of code:
>> 
>> <?PHP
>> 
>> if (!empty($_POST['chkCom'])) {
>>     $chkCom = $_POST['chkCom'];
>>     echo "chkCom assigned";
>> } else {
>>     $chkCom = "Not assigned";
>> }
>> 
>> ?>
>> 
>> <ul>
>> <li>Hardware</li>
>>     <ul>
>>         <li><input type="checkbox" name="chkCom" value="Mac" checked /> Mac Based</li>
>>         <li><input type="checkbox" name="chkiPad" value="iPad" checked> iPad</li>
>>         <li><input type="checkbox" name="chkMonitor" value="Monitor"> External Monitor</li>
>>         <li>Wireless Mouse</li>
>>         <li>iPhone 6</li>
>>         <li>Verizon Wireless MIFI</li>
>>         <li>Color Multifunction laser printer</li>
>>     </ul>
>> <li>Software</li>
>>     <ul>
>>         <li>Microsoft Office</li>
>>         <li>Dropbox</li>
>>         <li>Antivirus</li>
>>     </ul>
>> </ul>
>> <?PHP
>> 
>> $emailFrom = <<<EMAIL
>>         -f ${manager}
>> EMAIL;
>> 
>> $headers = "X-Mailer: php/" . phpversion();
>> 
>> $message  = "Employee Name: " . $name . "\r\n";
>> $message .= "Department: " . $position . "\r\n";
>> $message .= "Manager: " . $manager . "\r\n";
>> $message .= "Where will they be working: " . $whereWorking . "\r\n";
>> $message .= "When will they start: " . $startDate . "\r\n";
>> $message .= $startDateErrorMessage;
>> $message .= "Will they be in the office for training on their first day? " . $training . "\r\n";
>> $message .= "Computer: " . $chkCom . "\r\n";
>> $message .= "iPad: " . $_POST['chkiPad'] . "\r\n";
>> $message .= "Shipping Address: " . $shippingAdd . "\r\n";
>> $message .= "Shipping City:  " . $shippingCity . "\r\n";
>> $message .= "Shipping State: " . $shippingState . "\r\n";
>> $message .= "Shipping Zip: " . $shippingZip . "\r\n";
>> $message .= "Current Phone Number: " . $currentPhone . "\r\n";
>> $message .= "Notes: " . $notes . "\r\n";
>> $message .= $step;
>> $message .= $transerFrom;
>> 
>> mail($email, $subject, $message, $headers, $emailFrom);
>> 
>> ?>
>> 
>> 
>> Actual email output that I'm getting:
>> 
>> Employee Name: Jason
>> Department: LES
>> Manager: My Email
>> Where will they be working: FromHome
>> When will they start: 6/31/16
>> Will they be in the office for training on their first day? No
>> Computer:
>> iPad: iPad
>> Shipping Address: Address
>> Shipping City:  City
>> Shipping State: State
>> Shipping Zip: Zip
>> Current Phone Number: Phone
>> Notes: NOTE NOTES NOTE
>> <ul>
>> <li>Hardware</li>
>>         <ul>
>>              <li><input type="checkbox" name="chkCom" value="Mac"
>checked
>> /> Mac Based</li>
>>                 <li><input type="checkbox" name="chkiPad"
>value="iPad"
>> checked> iPad</li>
>>                 <li><input type="checkbox" name="chkMonitor"
>> value="Monitor"> External Monitor</li>
>>                 <li>Wireless Mouse</li>
>>                 <li>iPhone 6</li>
>>                 <li>Verizon Wireless MIFI</li>
>>                 <li>Color Multifunction laser printer</li>
>>         </ul>
>> <li>Software</li>
>>         <ul>
>>              <li>Microsoft Office</li>
>>                 <li>Dropbox</li>
>>                 <li>Antivirus</li>
>>         </ul>
>> <li>Permissions</li>
>>         <ul>
>>              <li>Add to Appropriate sales list based on region</li>
>>                 <li>Add CRM access with "Sales" as the primary
>group</li>
>>                 <li>Add to ERM on salesman dashboard</li>
>>                 <li>Setup MyContrax Credentials</li>
>>         </ul>
>> <li>Create User record in Active directory on domain controller</li>
>> <li>Create email account</li>
>> </ul>
>> 
>> 
>> 
>> I did a lot of copy/paste so I may have missed a few things with it... all
>> the HTML is served in HEREDOC's inside the PHP files, I've broken those up
>> into the name form, validation, positions, style, etc. and include them all
>> at the top. Other than this 1 issue with the check box it works perfectly!
>> 
>> Thanks Everyone!
>> 

To answer the bigger question, yes checkboxes do need to be validated on the server.

Any and all user-generated input needs validation (and sometimes sanitisation). This includes form inputs (checkboxes & selects too), file uploads, cookie data, even the requested URL!

Also, it's worth remembering that it's not a good idea to run functions like htmlentities() on data before inserting it into a database, for example. That function is intended for HTML output; it won't do anything in a DB query except alter the original data (which is not always what you want).

I've written about this before in a coding standards document I put together for the company I work for currently: https://github.com/tmwagency/TMW-PHP-coding-standards

Ash

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
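Added example (editor's code, not from either poster): a server-side validator for the form above, written for PHP 7.4+, that puts Ash's advice into practice. Checkboxes are checked against an allow-list of the value attributes in the form (a browser only sends a checkbox when it is checked, so absence means unchecked, and any other submitted value means the request was tampered with); text fields are length-limited and stripped of CR/LF/NUL so nothing can be smuggled into a mail() header; HTML encoding happens only when the form is re-rendered, never in the plain-text e-mail body. The field names match the posted form; HELPDESK_ADDRESS and ENVELOPE_FROM are placeholder constants, and the sample request is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Placeholder configuration (assumed, not from the original post).
const HELPDESK_ADDRESS = 'helpdesk@example.com';
const ENVELOPE_FROM    = 'onboarding@example.com';

// Allow-list of checkboxes: the submitted value must equal the value attribute
// in the form. A browser sends a checkbox only when it is checked.
const CHECKBOXES = ['chkCom' => 'Mac', 'chkiPad' => 'iPad', 'chkMonitor' => 'Monitor'];

// Free-text fields and their maximum length.
const TEXT_FIELDS = ['name' => 100, 'manager' => 100, 'notes' => 2000];

/** Validate $post (normally $_POST). Returns [cleanValues, errors]. */
function validateForm(array $post): array
{
    $clean  = [];
    $errors = [];

    foreach (CHECKBOXES as $field => $expected) {
        // array_key_exists(), not empty(): empty('0') is true, so a checkbox
        // whose value attribute is "0" would wrongly look unchecked.
        if (!array_key_exists($field, $post)) {
            $clean[$field] = false;                    // not sent => not checked
        } elseif (!is_string($post[$field]) || $post[$field] !== $expected) {
            $errors[]      = "$field: unexpected value"; // tampered request
            $clean[$field] = false;
        } else {
            $clean[$field] = true;
        }
    }

    foreach (TEXT_FIELDS as $field => $maxLen) {
        $raw = $post[$field] ?? '';
        if (!is_string($raw)) {                        // name[]=... arrives as an array
            $errors[] = "$field: must be a string";
            $raw      = '';
        }
        $value = trim($raw);
        if (strlen($value) > $maxLen) {
            $errors[] = "$field: too long";
            $value    = substr($value, 0, $maxLen);
        }
        // CR, LF and NUL are what header injection needs; reject them in every
        // field so none can later be pasted into a mail() header by mistake.
        if (preg_match('/[\r\n\x00]/', $value)) {
            $errors[] = "$field: control characters not allowed";
            $value    = preg_replace('/[\r\n\x00]/', ' ', $value);
        }
        $clean[$field] = $value;
    }
    return [$clean, $errors];
}

/** Plain-text e-mail body: no htmlentities() here, this is not HTML output. */
function buildMessage(array $clean): string
{
    $yesNo = fn(bool $b): string => $b ? 'Yes' : 'No';
    return "Employee Name: {$clean['name']}\r\n"
         . "Manager: {$clean['manager']}\r\n"
         . "Computer: " . ($clean['chkCom'] ? 'Mac' : 'None') . "\r\n"
         . "iPad: " . $yesNo($clean['chkiPad']) . "\r\n"
         . "External Monitor: " . $yesNo($clean['chkMonitor']) . "\r\n"
         . "Notes: {$clean['notes']}\r\n";
}

/** Re-rendering the form is the one place where HTML encoding belongs. */
function checkboxHtml(string $field, array $clean): string
{
    return sprintf('<input type="checkbox" name="%s" value="%s"%s>',
        htmlspecialchars($field, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars(CHECKBOXES[$field], ENT_QUOTES, 'UTF-8'),
        $clean[$field] ? ' checked' : '');
}

// Constructed sample request: chkiPad carries a tampered value and the notes
// field tries to smuggle in a header line.
$samplePost = [
    'chkCom'  => 'Mac',
    'chkiPad' => 'iPad<script>',
    'name'    => 'Jason',
    'manager' => 'manager@example.com',
    'notes'   => "NOTE NOTES NOTE\r\nBcc: attacker@example.com",
];

[$clean, $errors] = validateForm($samplePost);
if ($errors !== []) {
    print_r($errors);   // in production: reject the request, or log and continue
}
echo buildMessage($clean), checkboxHtml('chkCom', $clean), "\n";

// The envelope sender comes from configuration, never from a form field:
// mail(HELPDESK_ADDRESS, 'New employee', buildMessage($clean),
//      'X-Mailer: php/' . phpversion(), '-f' . ENVELOPE_FROM);
```

Run it from the command line and the sample request produces two validation errors (the tampered chkiPad value and the CR/LF in notes), a body in which chkiPad is reported as "No" and the injected Bcc line has been flattened into the Notes field, and a correctly encoded checkbox tag for re-display. The mail() call is left commented out so the script runs offline; when enabled, the recipient and the -f envelope sender are taken from constants rather than from anything the client submitted.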