11-16-2012, 12:55 AM | #15
firepages
Super Moderator
OK, with you now.
Like you said, the user can only select from one of the dropdown boxes, so in theory you can only ever get one of your pre-determined values.

That said, if someone were to create a POST request to your webpage via cURL or simply by creating their own form, it's possible they could add their own options, so you need to be aware of that.

Normally you would counter that by ensuring that the POST data came from your server and assuming that ALL user input is potentially evil.
You could check that the incoming product_options is one of your predetermined values or run a filter_var() or more regex to check it's a string etc. In your case it's probably best to check for one of your predetermined values.
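An added example, not part of firepages' post: one way to do the predetermined-value check on `product_options` in PHP, including the cases where the field is missing or arrives as an array. The option values, the `validate_product_option()` helper and the sample submissions are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

// Assumed allowlist: the same values the server renders into the dropdown.
// These three values are constructed sample data.
const PRODUCT_OPTIONS = ['small', 'medium', 'large'];

/**
 * Hypothetical helper: return the submitted option if it is one of the
 * predetermined values, or null for anything else.
 */
function validate_product_option(array $post): ?string
{
    $value = $post['product_options'] ?? null;

    // A hand-built request can send product_options[]=x (an array) or omit
    // the field entirely; neither is something the dropdown could produce.
    if (!is_string($value)) {
        return null;
    }

    // Strict comparison (third argument true) avoids PHP's loose type
    // juggling, so only an exact string match against the list passes.
    return in_array($value, PRODUCT_OPTIONS, true) ? $value : null;
}

// Constructed sample submissions: one matching the real form, three hand-built.
$samples = [
    ['product_options' => 'medium'],
    ['product_options' => 'free-upgrade'],
    ['product_options' => ['medium']],
    [],
];

foreach ($samples as $post) {
    $option = validate_product_option($post);
    echo json_encode($post), ' => ',
        $option === null ? 'rejected' : "accepted ($option)", PHP_EOL;
}
```

In a real handler the function would be called with `$_POST`, and a `null` result would stop processing before the value reaches a query or the page output.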