3 Replies Latest reply on Aug 16, 2012 11:49 AM by tessimon

    Filtering POST List Menu results


      I am filtering input to protect against attack and to confirm values are correct prior to database entry. At the moment this is what my code does, and it works.


      // filter POST type
      // (FILTER_SANITIZE_STRING strips tags; it is deprecated from PHP 8.1 onwards)
      $sanitized = filter_input(INPUT_POST, 'type', FILTER_SANITIZE_STRING);
      $_POST['type'] = trim($sanitized);

      // make sure it is of an expected value
      $typearray = array("0", "apt", "cor", "dup", "far", "rui", "tow", "vil", "bun", "car", "cav", "fin", "gol", "lan", "log", "pen", "vill", "bus", "com");

      // if not expected value then redirect to custom error page that basically says database is unavailable at this time please try later
      // (third argument true = strict comparison, so "0" is not loosely matched by other numeric strings)
      if (!in_array($_POST['type'], $typearray, true)) {
          header("Location: $redirect_unavailable"); // $redirect_unavailable is set elsewhere in the page
          exit; // stop here so nothing below runs after the redirect header is sent
      }

      // item from menu not selected redisplay options with error on page
      if ($_POST['type'] == '0') {
          $error['errtype'] = 'Please select a type';
      }



      However, what I am unsure of is when attacks occur: does a user (including a genuine user) need to be using the form for an attack to occur, or can injections happen just because my pages are out there?

      What I am trying to get at is: if a genuine user was selecting from the list menu and made their selection, but some other program was injecting stuff without their knowledge, then after stripping script and HTML tags, could my code still have other stuff within $_POST['type'] as well as the expected value? If so, I would not want to be sending a genuine user to my custom error page when they had done nothing wrong, therefore I was trying to work out how to filter my list menus, when I know exactly what the values should be, to remove EVERYTHING except the real value. The other thing is I am not even sure that this is necessary, as it may well be that after removing script and HTML tags there would not be anything else except the real value left. Hope you see what I mean.

      If it is wise to filter everything else except the expected value, how would I go about doing this?

      As always I much appreciate any help.

      Thank you in advance.

        • 1. Re: Filtering POST List Menu results
          tessimon Level 1

          Still me trying to filter my list menu to remove everything except the expected values.

          I have come up with an idea but struggling to make it work, any help would be much appreciated.

          I am trying to use something along the lines of:


          $expected = array ("0", "1", "2", "N/A", "cor", "vil");
          // build one anchored alternation from the list: preg_quote escapes values such as "N/A",
          // and ^...$ means only an exact, whole-value match passes
          $expectedRegex = '~^(' . implode('|', array_map(function ($v) { return preg_quote($v, '~'); }, $expected)) . ')$~';

          The expected values could be letters, words, or N/A, and I want to match them exactly and filter out everything else, so a regex to check for letters and numbers is not what I am looking for. Writing the regex to do this is causing me problems. (I would then insert the regex into the code below.)

          // $var holds the name of the POST field being checked
          $sanitized = filter_input(INPUT_POST, $var, FILTER_VALIDATE_REGEXP, array('options' => array('regexp' => $expectedRegex)));


          Perhaps there is a better way to do this, or am I on the right lines but just need help with the regex code?

          All help gratefully received.

          • 2. Re: Filtering POST List Menu results
            tessimon Level 1

            Yes me again, still trying to work this out.

            My last idea failed!

             I used the regex filter on the expected letters and numbers only. Not quite what I was after, but as close as I could get it. However, rather than filtering out everything except the expected values and returning the correct exact value, if I tested it with the expected value plus some script tags and some other nonsense within the script tags, then the regex seems to return false and doesn't keep the expected value. The only time it keeps the expected value is if only the expected value is sent.

             Been doing this 3 days now, so losing the plot a bit.


            • 3. Re: Filtering POST List Menu results
              tessimon Level 1

              And again!

              I have now come up with a work around:

              // sanitize script and HTML tags ($var holds the name of the POST field being checked)
              $sanitized = filter_input(INPUT_POST, $var, FILTER_SANITIZE_STRING);
              $_POST[$var] = trim($sanitized);

              // check against expected array
              $expectedarray = array("0", "1", "2", "3", "4", "5", "6+", "N/A");

              // if the sanitised variable still has 'stuff' besides expected set it to 0 which will
              // create an error and re-present the page instead of redirecting to custom error page
              // (strict in_array so only an identical string counts as a match)
              if (!in_array($_POST[$var], $expectedarray, true)) {
                  $_POST[$var] = "0";
              }

              if ($_POST[$var] == '0') {
                  $error['errone'] = 'Please select from the menu';
              }


              Not quite what I was after, but it does have the same desired effect, almost: it hopefully protects my form yet allows a genuine user to continue with the form.


              Going back to my first post on this query, answers to my questions regarding how attacks occur would still be much appreciated, and of course any improvements to my script would be a much added bonus.
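The thread's question (how to keep "the real value" out of a tampered submission, and whether a genuine user has to be involved for bad data to arrive) comes down to allow-list validation. The following is an added example written for this page, not tessimon's code and not from any Adobe product: it assumes the form field is named `type` and reuses the option values from the first post, and it needs PHP 7.1 or later for the nullable return types. It shows both the `in_array` approach of the first and third posts and the regex approach of reply 1, run over constructed sample submissions, and it makes the key point explicit: a server only ever sees the bytes it received, so a value with extra material in it is rejected outright rather than "cleaned" back into a guess at what the user picked.

```php
<?php
// Added example (not tessimon's code). Assumptions: field name 'type', allowed
// values copied from the first post, PHP >= 7.1 for ?string return types.
// Anyone can POST an arbitrary body to a public URL, with or without a real
// user at a browser, so every submitted value is untrusted regardless of origin.

/**
 * Return the submitted value if it is exactly one of the allowed option values,
 * otherwise null. Strict comparison (===) avoids PHP's loose string/number
 * juggling (e.g. "0" == "0.0" is true in older PHP versions).
 */
function validateChoice(array $post, string $field, array $allowed): ?string
{
    if (!isset($post[$field]) || !is_string($post[$field])) {
        return null; // missing, or an array was submitted (type[]=...), not a scalar
    }
    $value = trim($post[$field]);
    return in_array($value, $allowed, true) ? $value : null;
}

/**
 * The same check expressed as a regular expression, the approach tried in reply 1.
 * Each option is escaped with preg_quote so values such as "N/A" or "6+" match
 * literally, and ^...$ anchors force a whole-value match: "cor<script>" fails
 * because the pattern must consume the entire string, not just a prefix.
 */
function validateChoiceRegex(array $post, string $field, array $allowed): ?string
{
    $quoted  = array_map(function ($v) { return preg_quote($v, '~'); }, $allowed);
    $pattern = '~^(?:' . implode('|', $quoted) . ')$~';
    $value   = (isset($post[$field]) && is_string($post[$field])) ? trim($post[$field]) : '';
    return preg_match($pattern, $value) === 1 ? $value : null;
}

$allowedTypes = array("0", "apt", "cor", "dup", "far", "rui", "tow", "vil", "bun",
                      "car", "cav", "fin", "gol", "lan", "log", "pen", "vill", "bus", "com");

// Constructed sample submissions standing in for $_POST (not real traffic)
$samples = array(
    'genuine selection'       => array('type' => 'cor'),
    'genuine with whitespace' => array('type' => '  vil '),
    'tampered value'          => array('type' => 'cor<script>alert(1)</script>'),
    'array instead of string' => array('type' => array('cor')),
    'unknown option'          => array('type' => 'zzz'),
    'nothing selected'        => array('type' => '0'),
);

foreach ($samples as $label => $post) {
    $byList  = validateChoice($post, 'type', $allowedTypes);
    $byRegex = validateChoiceRegex($post, 'type', $allowedTypes);
    printf("%-26s list=%-6s regex=%s\n", $label,
        var_export($byList, true), var_export($byRegex, true));
}

// Both functions agree: only exact option strings come back; everything else is
// null. Caller decides what to do with null (redisplay the form with an error,
// as in reply 3, or send the visitor to an error page, as in the first post).
// "0" passes validation because it is a legitimate option meaning "not selected";
// that case is handled separately, exactly as the original code does.
```

Run it from the command line with `php example.php`; the two `list=` and `regex=` columns match on every row, which is the practical answer to reply 2: a regex that returns false for `cor<script>...` is behaving correctly, because no validator can tell which part of a tampered string the user actually chose.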