
Filtering POST List Menu results

Aug 13, 2012 9:28 AM

I am filtering input to protect against attacks and to confirm that values are correct prior to database entry. At the moment this is what my code does, and it works.

// filter POST type
$sanitized = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING);
$_POST['type'] = trim((string) $sanitized);   // null/false (field missing or filter failed) becomes ""

// make sure it is of an expected value
$typearray = array("0", "apt", "cor", "dup", "far", "rui", "tow", "vil", "bun", "car", "cav", "fin", "gol", "lan", "log", "pen", "vill", "bus", "com");

// if not expected value then redirect to custom error page that basically says database is unavailable at this time please try later
// ($redirect_unavailable is set elsewhere on the page; the strict third argument stops loose matches such as "0.0" == "0")
if (!in_array($_POST['type'], $typearray, true)) {
    header("Location: $redirect_unavailable");
    exit;
}

// item from menu not selected: redisplay options with error on page
if ($_POST['type'] == '0') {
    $error['errtype'] = 'Please select a type';
}


However, what I am unsure of is when attacks occur: does a user (including a genuine user) need to be using the form for an attack to occur, or can injections happen just because my pages are out there?

What I am trying to get at is this: if a genuine user was selecting from the list menu and made their selection, but some other program was injecting stuff without their knowledge, then after stripping script and HTML tags could my code still have other stuff within $_POST['type'] as well as the expected value? If so, I would not want to be sending a genuine user to my custom error page when they had done nothing wrong, so I was trying to work out how to filter my list menus, when I know exactly what the values should be, to remove EVERYTHING except the real value. The other thing is I am not even sure that this is necessary, as it may well be that after removing script and HTML tags there would not be anything else left except the real value. Hope you see what I mean.

If it is wise to filter out everything except the expected value, how would I go about doing this?

As always I much appreciate any help.

Thank you in advance.
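The check the question is asking about, as an added example in PHP (not code from the original post): the posted field is compared exactly against the set of allowed option values, with no sanitising step, so a value is either one of the known tokens or it is rejected outright. A POST field reaches the server as a single string; a request submitted by a browser form and one forged by a script are indistinguishable to the server, so the check cannot tell "genuine" from "tampered" and does not need to. The function name validateMenuChoice, the helper's signature and the sample submissions below are constructed for this example and are assumptions, not anything from the original page.

```php
<?php
// Added example (not from the original post): strict allowlist validation
// of a <select> menu value. Requires PHP 7.1+ for the nullable return type.

// The same option values the original post allows ("0" = nothing selected).
const TYPE_VALUES = ["0", "apt", "cor", "dup", "far", "rui", "tow", "vil", "bun",
                     "car", "cav", "fin", "gol", "lan", "log", "pen", "vill", "bus", "com"];

/**
 * Return the submitted value if it is exactly one of $allowed, otherwise null.
 * Nothing is stripped or "cleaned": there is no way for extra content to be
 * attached to a valid token, because the whole string must match a token.
 * (Hypothetical helper name; pass $_POST as $post in real use.)
 */
function validateMenuChoice(array $post, string $field, array $allowed): ?string
{
    // Missing field, or a non-string such as type[]=apt, is rejected.
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null;
    }
    $value = $post[$field];
    // Strict comparison: "0.0", "00" or 0 must not be accepted as "0".
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed sample submissions (not real traffic). A real <select> only
// ever submits one of its option values, so anything else was tampered with
// or sent by something other than the form.
$samples = [
    ['type' => 'apt'],                     // genuine selection
    ['type' => '0'],                       // nothing selected
    ['type' => 'apt<script>x</script>'],   // tampered: rejected, not reduced to "apt"
    ['type' => "apt' OR '1'='1"],          // tampered: rejected
    ['type' => ['apt']],                   // type[]=apt: not a string, rejected
    [],                                    // field absent: rejected
];

foreach ($samples as $i => $post) {
    $choice = validateMenuChoice($post, 'type', TYPE_VALUES);
    if ($choice === null) {
        echo "sample $i: rejected\n";          // redirect or error page goes here
    } elseif ($choice === '0') {
        echo "sample $i: no type selected, redisplay form with error\n";
    } else {
        echo "sample $i: accepted '$choice'\n"; // safe to use as a bound query parameter
    }
}
```

Because the comparison is exact, a trim() or tag-stripping step before it is harmless but adds nothing: a browser never submits an option value with surrounding whitespace or markup, and any request that does contain them fails the allowlist check regardless.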
