sanitizing radio input

Do I need to sanitize radio-button data?


7 Replies - 2635 Views - Last Post: 02 April 2010 - 05:54 PM Rate Topic: -----

#1 Guest_ward*


Reputation:

sanitizing radio input

Posted 26 March 2010 - 08:57 PM

Most of the data that a person submits on the website I am designing is integer data that is submitted by radio buttons or checkboxes and being inserted into integer fields in the mySQL database. I believe I read somewhere that it is possible for a person to submit erroneous data even though it is being submitted with a radio button/checkbox. Therefore I have been cleaning this data (htmlcharacters, mysqli_real_escape_string, pattern matching) in my program. However, this seems like unnecessary work for the computer to do, as well as a lot of extra typing for me. Is there any need to clean data if it is being submitted via a radio button or checkbox?

Also, I have a question about the website itself. This is probably not the place to ask this, and it may not be important, but I couldn’t find any other place to go to ask it. All the forums are for specific languages, etc. – none for general questions about the web site. Sorry if I’m being dumb.
The box at the top of the main page (“Thanks for Registering! Let’s get started…”) says to “introduce yourself”, but when I click on that link there does not seem to be any way to do it. A gray box at the top of the list says “You cannot start a new topic”, so it appears that it will not allow me to do. How can I introduce myself? And, more generally, where do I go to ask these “non-technical” questions?

Is This A Good Question/Topic? 0

Replies To: sanitizing radio input

#2 ellisgl

  • D.I.C Head

Reputation: 9
  • Posts: 161
  • Joined: 10-November 07

Re: sanitizing radio input

Posted 26 March 2010 - 09:09 PM

For check boxes, drop downs and radio buttons, I would have an ENUM type filter, so it can only equal a set value.
Was This Post Helpful? 0

#3 CTphpnwb

  • D.I.C Lover

Reputation: 3099
  • Posts: 10,887
  • Joined: 08-August 08

Re: sanitizing radio input

Posted 27 March 2010 - 05:20 AM

If you aren't using the data directly in a query then you don't have to worry about it.

<?php

// Read the submitted value; fall back to an empty string if the field is absent.
$user_input = isset($_GET['some_Button']) ? $_GET['some_Button'] : '';

// Map each allowed value to a fixed query; the user's string itself never reaches SQL.
switch($user_input)
{
	case "button1":
		$query = "SELECT * FROM sometable WHERE afield='this button'";
		break;
	case "button2":
		$query = "SELECT * FROM sometable WHERE afield='another button'";
		break;
	default:
		$query = "";	// any other value: run nothing
}

if($query != "")
{
	$resource = mysql_query($query);
	while($row = mysql_fetch_array($resource))
	{
		// Do something with $row data...
	}
}



In the above example there is nothing that a user can do to 'some_Button' that will create an invalid or unsafe query. Anything they try will likely stop the query from executing at all, or possibly cause one of the valid choices to be used.
Was This Post Helpful? 0

#4 Guest_Ward*


Reputation:

Re: sanitizing radio input

Posted 29 March 2010 - 04:06 PM

Regarding filters: I am not familiar with them. They are mentioned only very briefly in only one of my php/mysql books, in association with HTML_Quickform, with which I am not familiar. The example in the book is to change text to upper or lower case. I am not sure how this would apply to integer data being passed from a form. However, the main question is whether it is possible for a malicious user to pass erroneous data through a radio button, checkbox or list box, and therefore whether I should use some method(s) to validate the data. It appears that ellisgl’s answer is, Yes, it should be validated. Is that correct?

I am not sure I understand what CTphpnwb is trying to show in the example. Sorry if I’m being dumb; I am a novice. Yes, the data is used in queries: first, it is inserted into the mysql table, and then that data will be pulled out and used in subsequent queries. The example you are showing appears to be pulling data out of a database. What I want to know is if data needs to be validated before going into the database. Of course, text data needs to be validated, but I am not seeing how anybody can do any damage with a radio button/checkbox/selection-box, and don’t want to make the computer (and myself) do a lot of unnecessary work. Is it standard practice to validate/cleanup data from radio buttons, checkboxes, and selection boxes before inserting it into the database?

Thanks for being patient with a “newbie”.
Was This Post Helpful? 0

#5 ellisgl

  • D.I.C Head

Reputation: 9
  • Posts: 161
  • Joined: 10-November 07

Re: sanitizing radio input

Posted 29 March 2010 - 05:16 PM

Radio boxes, Drop downs and check boxes should be validated.

So lets say you have a radio button of value of: none, monkey, tree and car so you would validate it by doing something like this:

$values = array('none'   => 1,
                'monkey' => 1,
                'tree'   => 1,
                'car'    => 1);   // whitelist: the only values the form can send

$err = array();
// Reject a missing value, a non-string (e.g. radio_button[]=x), or one not in the whitelist.
if(!isset($_GET['radio_button']) || !is_string($_GET['radio_button']) || !isset($values[$_GET['radio_button']]))
{
    $err[] = "Invalid value for radio button";
}


Was This Post Helpful? 0
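The whitelist approach from this post and the fixed-query mapping from CTphpnwb's post, carried a step further as an added example (this is not code from the thread): each allowed value maps to the integer that goes into the database, a value PHP delivers as an array (from a `field[]=` request) is rejected instead of tripping `isset`, and multi-valued checkboxes are validated element by element. The field names and allowed values are assumptions.

```php
<?php
// Added example: whitelist validation for radio buttons and checkboxes.
// Field names and allowed values are assumptions for illustration.

// Allowed radio values, mapped to the integer stored in the database.
$allowedRadio = array('none' => 0, 'monkey' => 1, 'tree' => 2, 'car' => 3);

/**
 * Return the integer code for one radio value, or null if the value is
 * missing, is not a string (PHP delivers "radio_button[]=x" as an array),
 * or is not in the whitelist. Anything the form did not offer is refused.
 */
function validateRadio(array $allowed, $raw)
{
    if (!is_string($raw)) {
        return null;
    }
    return array_key_exists($raw, $allowed) ? $allowed[$raw] : null;
}

/**
 * Checkboxes named "opts[]" arrive as an array of strings. Each element is
 * validated on its own and duplicates are dropped. Returns the list of
 * integer codes, or null if any element is invalid.
 */
function validateCheckboxes(array $allowed, $raw)
{
    if ($raw === null) {
        return array();          // no box ticked is a legitimate submission
    }
    if (!is_array($raw)) {
        return null;
    }
    $codes = array();
    foreach ($raw as $item) {
        $code = validateRadio($allowed, $item);
        if ($code === null) {
            return null;
        }
        $codes[$code] = $code;   // keyed by code so repeats collapse
    }
    return array_values($codes);
}

// Constructed requests standing in for $_POST: one clean, one tampered.
$good = array('radio_button' => 'tree',       'opts' => array('car', 'none'));
$bad  = array('radio_button' => array('x'),   'opts' => array('tree', 'boat'));

var_dump(validateRadio($allowedRadio, $good['radio_button']));
var_dump(validateCheckboxes($allowedRadio, $good['opts']));
var_dump(validateRadio($allowedRadio, $bad['radio_button']));
var_dump(validateCheckboxes($allowedRadio, $bad['opts']));
```

The integer these functions return is what should be bound into the INSERT (for example with a prepared statement and an `i` type), so the raw form string is never interpolated into SQL.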

#6 Guest_Ward*


Reputation:

Re: sanitizing radio input

Posted 29 March 2010 - 05:54 PM

Thank you, ellisgl, for the clarification and for the code. This is different from any of the code I have used so far. I will try it.

Ward
Was This Post Helpful? 0

#7 Guest_Ward*


Reputation:

Re: sanitizing radio input

Posted 30 March 2010 - 02:25 AM

I have made the code work that was provided, and may use it, but I am also experimenting with other options. I tried using the is_int() and is_numeric() functions to check the data, but they don’t seem to be working. I’d sure like to be able to use these functions if I want them somewhere.


Here is my code:

$kickout = 0;	// becomes 1 if any submitted value fails the check
foreach ($_POST as $value)
{
	echo "<br>value is $value";
	$isintvalue = is_int($value);	// checks the PHP type of $value, not its contents
	echo "<br> isintvalue is $isintvalue";
	$isnumericvalue = is_numeric($value);	// also accepts numeric strings such as "2"
	echo "<br> isnumericvalue is $isnumericvalue";
	if (!is_int($value))
	{ $kickout = 1; }
}
if (1 == $kickout)
{ // make some sort of record (email erroneous entry to myself?)
	exit('<br>exiting');
}


And here are the results:

value is yy
isintvalue is
isnumericvalue is
value is 2
isintvalue is
isnumericvalue is 1
value is 3
isintvalue is
isnumericvalue is 1
exiting



As you can see, I passed an erroneous (i.e., not numeric) value in the first field of the post array. The is_numeric array seems to work okay for the numeric values, but gives no output for the nonnumeric value, and the is_int function doesn’t give any output in either case! The is_int and is_numeric functions should always give a value of either true or false (or 0 or 1) in any case, shouldn’t they? (My php book says “These functions return TRUE if the submitted variable is of a certain type and FALSE otherwise.”) Does anyone know why I am not getting values out of these functions?
(Note: I created a separate file which doesn’t use an array. Both functions produce a “1” if the value is a number, but no output if the value is text.)
Was This Post Helpful? 0

#8 Guest_Ward*


Reputation:

Re: sanitizing radio input

Posted 02 April 2010 - 05:54 PM

Well, I figured out the answer to this one. There are 2 parts. First, the echo statement simply doesn't put out the results of is_int or is_numeric; one must use var_dump to output the boolean values. Secondly, data from forms is always passed as strings, even if it is numeric! (I wish my books would explain these things.) is_int only checks, of course, for integer (numeric values), so it will not recognize what appears to be an integer that is passed from a form. Interestingly though, is_numeric recognizes "numeric strings", so it will recognize an integer that is passed as a string! (Once again, I wish the books I use would do a better job of explaining these things.)

One thing I am still confused on, though. What is the purpose of is_int? I.e., why would anyone want to check whether a value is an integer unless it is being passed by a user? If a person writing the program assigns a value to a variable they will already know if it is an integer or not. I should be all set with my code, now, but just for my general education, if anyone would like to explain that, I would love to hear the explanation.

P.S. Nobody ever did explain how to contact dreamincode about general website questions. I am finding that I tend to miss the part where I have to enter the code words. It would be nice if it were displayed in a more obvious manner on the screen. Is there a way to post such suggestions to the website?
Was This Post Helpful? 0
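The behaviour worked out across the last two posts (is_int() rejecting every form value, is_numeric() accepting numeric strings) side by side with a check that fits integer form data, as an added example that is not part of the thread. The sample inputs are constructed, and formInt() and its range are assumptions.

```php
<?php
// Added example: how the three checks behave on the strings a form delivers.
// Sample inputs are constructed; formInt() and its bounds are assumptions.

/**
 * Return an int if $raw is a string holding a plain decimal integer within
 * [$min, $max], otherwise null. Unlike is_int() it accepts form strings;
 * unlike is_numeric() it rejects decimals ("2.5") and exponents ("1e3"),
 * and it enforces the range the radio buttons actually offer.
 */
function formInt($raw, $min = 0, $max = 100)
{
    if (!is_string($raw)) {
        return null;   // an array from "field[]=..." is never a valid answer
    }
    $v = filter_var($raw, FILTER_VALIDATE_INT,
                    array('options' => array('min_range' => $min, 'max_range' => $max)));
    return $v === false ? null : $v;
}

// Constructed inputs: what $_POST might hold, including the "yy" case from above.
$samples = array('2', '3', 'yy', '2.5', '1e3', '999', array('2'));

printf("%-10s %-7s %-11s %s\n", 'input', 'is_int', 'is_numeric', 'formInt');
foreach ($samples as $raw) {
    $label = is_array($raw) ? 'array' : "'$raw'";
    printf("%-10s %-7s %-11s %s\n",
        $label,
        is_int($raw) ? 'true' : 'false',
        is_numeric($raw) ? 'true' : 'false',
        var_export(formInt($raw), true));
}
```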
