| Re: Validate Radio Buttons? [message #182370 is a reply to message #182369] |
Wed, 31 July 2013 19:00   |
The Natural Philosoph
Messages: 993
Registered: September 2010
Karma:
|
Senior Member |
|
|
On 31/07/13 19:20, Twayne wrote:
> Hi all,
>
> I was wondering what the general consensus might be on this:
>
> Should one Validate Radio Buttons for an online website contact form?
>
> I've always thought they needed nothing but validation to see if
> they'd been used or not before accepting them, and sending the user
> back to the website Home Page.
> I've used Referrer to check the pages the visitor came from, gotten
> his IP or proxy identifier IP and used Control Cache and Pragma plus
> $referrer to check that the visitor arrived from the website and
> nowhere else, to try to be sure you can't go back to any previous
> page and find the data still in tact; sessions are always destroyed
> when any error shows up. A counter tells me how many attempts were
> made from the same IP or Proxy and after 3 attempts the visitor is
> banned for a few hours. Two sets of 3 failed attempts will ge him
> banned permanently.
>
> BUT, does any of that negate the need to Validate a Radio Button Click?
> http://phpmaster.com/form-validation-with-php/ seems to think so, but
> the code they suggest isn't exactly simple and it takes a lot of code.
>
> I'm willing to be called wrong; no problem at all.
>
> So, what do YOU think?
>
I think really only you can answer this one.
Think what would happen in a user somehow faked everything and sent out
of bounds data. Or sql injection type code instead of what was supposed
to be in the post variable.
One simple way to get rid of most malware is to cast explictily or
implicitly, all variables to integers,
So for example if you were setting an SQL field to a numeric value based
on user response, I normally would use sprintf to prepare the query with
%d representing an integer value, into an ID or an enumerated field. Out
of bounds data is simply then an error and no further validation is
rquired, unless you want to send the error back to the user, which n te
case of a radio button is pointlss because you woat GET error data
unless they have actively faked the entry.
Any data that falls into a few well defined entries only, is easy to
validate. The problem comes when you allow arbitrary string entry.
Then SQL injection can happen if a really nasty string is concocted, but
even then php supplies tools to sanitise just about anything you throw
at it, up to and including (as I discovered) turning strings into
hecadecimal numbers and inserting THOSE into the database. Assuming you
are working with a database.
One of the best ways to approach design to put on a black hat and try
and crack it yourself. Think when you code 'what would happen if..there
was no data at all, the data contained special characters you really
wouldn't expect?
Another thought is 'don't bother putting bars on the windows if you
leave the front door open' the easiest way to hack a website is to find
the administrative portal and hack past the password. Too many people
leave the default settings in place when they install code written by
others. Don't.
> TIA & Regards,
>
> Twayne`
--
Ineptocracy
(in-ep-toc’-ra-cy) – a system of government where the least capable to lead are elected by the least capable of producing, and where the members of society least likely to sustain themselves or succeed, are rewarded with goods and services paid for by the confiscated wealth of a diminishing number of producers.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]