Re: Validate Radio Buttons? [message #182378 is a reply to message #182375] Thu, 01 August 2013 21:25
Jerry Stuckle
On 8/1/2013 4:47 PM, Twayne wrote:
> On 2013-07-31 5:37 PM, Denis McMahon wrote:
>> On Wed, 31 Jul 2013 15:07:17 -0400, Jerry Stuckle wrote:
>>
>>> On 7/31/2013 2:20 PM, Twayne wrote:
>>
>>>> Should one Validate Radio Buttons for an online website contact form?
>>
>>> Good practice means you ALWAYS validate ALL information from the user.
>>> You may have a radio button on your form - but there is no guarantee the
>>> request comes on from your form.
>>
>> As a follow up to Jerry, radio buttons and select lists are probably the
>> easiest elements to validate in the server side code because, by
>> definition, you expect them to be one of a discrete set of values, and if
>> they're not a member of that set of values, then someone is playing silly
>> buggers.
>
> Well ... that's why I thought it wasn't much necessary other than to see
> they were in the range I wanted and weren't empty. They're all
> single-character results, 0 thru 9, and 0 thru 3 in one case, and I
> thought all I needed to do was validate them to be within the ranges I
> specified or throw an error otherwise.
> I wondered though, if errant data came in, would it be possible to
> hurt me before I did the checks on them?

If you don't use the data before validating it, there isn't much bad
data can do (other than maybe a buffer overrun - which would be an
Apache/PHP problem).

> Today I wrote a couple of functions to check things with; one for
> nearly all data and a slightly less stringent one to allow a URL to
> appear within a textarea.
> the major commonly used function consists of
> --------------
> function checkIt_1($data)
> {
>     $data = trim($data);             // drop leading/trailing whitespace
>     $data = stripslashes($data);     // undo magic_quotes-style escaping
>     $data = strip_tags($data);       // remove HTML/PHP tags
>     $data = htmlspecialchars($data); // encode &, <, >, " for HTML output
>     return $data;
> }
> -------------

Why are you calling stripslashes()? You should have magic_quotes_gpc()
off (for years now), which makes this function unnecessary (and
potentially harmful by removing slashes it shouldn't).

I'm not sure why you would want to strip the tags then encode the html
characters, but whatever suits your needs.

> With that I'm still able to read any munged text due to the function
> although if the visitor saw it it might be pretty confusing to him. It's
> not an issue to me though. I even run the functions on my SESSIONs data
> when I call it in, just in case it somehow was tainted.
>

Should not be necessary on your $_SESSION array, since that never leaves
the server. You will get back exactly what you store there.

> So ... if I applied that function or one similar to it, would you
> say I've made a step in the right direction or have I wasted my time?
>

Radio buttons need different validation - just check to see if the value
is one of the valid ones for that particular button.

> Is the stripslashes worth the machine cycles or does it just waste
> time?
> I've also thought about using htmlentities but it seems a little
> redundant. Yes?
>

See previous comments. The question is - what exactly are you trying to
accomplish?

> I'm pretty ignorant yet on just how XSS and the various injection
> methods work although I now have a couple of what I think are good sites
> to read through. It's taken me a long time to find easy-to-read
> tutorials or instructions for absolute beginners like I am in that area,
> on those subjects; there's SO much junk around it's sometimes pretty
> difficult to tell whether an author knows what he's talking about or not.
>

Yes, there are a lot of bad tutorials, recommendations and other
documents available on the 'net - much more than there is good
documentation.

>>
>> You could use in_array to check that the value received is in an array of
>> expected values, and then use the value directly; or you could switch on
>> the value received, with a case for each of the expected values. In both
>> cases, you can detect and respond as you feel appropriate for unexpected
>> values.
>>
>
> Arrays are probably a good idea but for me if they're not straight-up
> 1-dimensional arrays I get easily mixed up keeping track of their
> contents. Last time I tried I ended up leaving some holes that even I
> knew better than to do <grin>.
>

A one-dimensional array is fine for this, and is an easy way to validate
the value in a radio button.

> Thanks for all the food for thought, and allowing me to explain a bit
> about what's up.
>
> Anything further anyone has to add here is most welcome. I also respond
> promptly to any & all question/clarifications anyone may want.
>
> Best regards,
>
> Twayne

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
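As an added example (not code from the thread or from either poster), here is the one-dimensional whitelist check that Denis and Jerry describe, applied to radio values in the ranges Twayne mentions (0 thru 9, and 0 thru 3 for one field); the field names `rating` and `contact` and the constructed sample submissions are assumptions.

```php
<?php
// Added example, not from the thread. Allowed values per radio field,
// constructed to match the ranges described (0-9, and 0-3 for one field).
// Field names are assumed.
const RADIO_CHOICES = [
    'rating'  => ['0', '1', '2', '3', '4', '5', '6', '7', '8', '9'],
    'contact' => ['0', '1', '2', '3'],
];

/**
 * Returns the submitted value if it is exactly one of the known choices,
 * otherwise null. Form values arrive as strings, so compare as strings in
 * strict mode. No trim/stripslashes/strip_tags/htmlspecialchars pass is
 * needed here: a value is only accepted when it equals a known choice, and
 * anything else is rejected rather than "cleaned".
 */
function validateRadio(array $input, string $field): ?string
{
    if (!isset(RADIO_CHOICES[$field])) {
        throw new InvalidArgumentException("unknown radio field: $field");
    }
    $value = $input[$field] ?? null;
    // Reject missing fields, arrays (e.g. "rating[]=1") and out-of-set values.
    if (!is_string($value) || !in_array($value, RADIO_CHOICES[$field], true)) {
        return null;
    }
    return $value;
}

/** Validates every radio field, collecting all errors instead of stopping at the first. */
function validateForm(array $input): array
{
    $clean = [];
    $errors = [];
    foreach (array_keys(RADIO_CHOICES) as $field) {
        $v = validateRadio($input, $field);
        if ($v === null) {
            $errors[] = "$field: missing or not an allowed choice";
        } else {
            $clean[$field] = $v;
        }
    }
    return [$clean, $errors];
}

// Constructed sample submissions standing in for $_POST.
[$clean, $errors] = validateForm(['rating' => '7', 'contact' => '2']);       // accepted, no errors
[$clean2, $errors2] = validateForm(['rating' => '7<b>', 'contact' => '9']);  // both fields rejected
[$clean3, $errors3] = validateForm(['rating' => ['1'], 'contact' => '0']);   // array for rating rejected
```

Escaping with htmlspecialchars() belongs at the point where a value is echoed into HTML, not in the validation step; a value that passed this check is already known to be one of the fixed choices.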