
PHP select option value protection

I created sample select option code inside a tpl file for use in the form that submits to the database, but I do not have enough experience to know if the field value {$submit_field1} is protected!

PHP

$main_smarty->assign('Tags_Allow', htmlspecialchars($Tags_Allow));
$main_smarty->assign('submit_field1', $content->field1);
if(isset($_POST['field1'])){$content->field1 = sanitize($_POST['field1'], 4, $Tags_Allow);}

function sanitize($var, $santype = 1, $allowable_tags = ''){
    if ($santype == 1) {
        return strip_tags($var, $allowable_tags = '');
    }
    elseif ($santype == 2) {
        return htmlentities(strip_tags($var, $allowable_tags),ENT_QUOTES,'UTF-8');
    }
    elseif ($santype == 3) {
        return addslashes(strip_tags($var, $allowable_tags));
    }
    elseif ($santype == 4) {
        return stripslashes(preg_replace_callback('/<([^>]+)>/is',
            function($m) {
                return '<'.sanitize($m[1],5).'>';
            }, strip_tags($var, $allowable_tags)));
    }
    elseif ($santype == 5) {
        return preg_replace_callback('/\son\w+\s*=/is',
            function($m) {
                return '';
            },$var);
    }
}

Template tpl

<select id="country" name="field1">
<option value="{$submit_field1}">Please Select</option>
<option value="United State">
United State
</option>
<option value="France">
France
</option>
<option value="Russia">
Russia
</option>
</select>

Is there anything else to be done to protect the value that's inserted into {$submit_field1} from SQL injection hacks, and how do I verify on input that it's acceptable?

If the question is: "How do I make sure the value that's inserted into {$submit_field1} is protected, meaning it is only a value we set and not from someone changing the value?", then I would verify on input that it's acceptable.

You can check this by testing the value against an array of approved values when the form is submitted:

$values = [];
$values = ["United States","France","Russia"];
if (in_array($_POST['field1'], $values)) {
    // Allow the form to submit
} else {
    // Tell the user it's not allowed
}

If that's not really what you're looking for, explain what you mean by "protected" a little more please.
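
The allowlist check from the answer above, combined with a bound-parameter insert and escaping on output, as an added example that is not part of the original question or answer. It assumes PHP 8 with the pdo_sqlite extension; validate_country, save_country and the submissions table are hypothetical names.

```php
<?php
declare(strict_types=1);

// Allowlist copied from the option values in the question's template; it must
// match them exactly (the template spells the first one "United State").
const ALLOWED_COUNTRIES = ['United State', 'France', 'Russia'];

// Hypothetical helper: returns the value if it is an allowlisted option, else null.
function validate_country(mixed $input): ?string
{
    // A request with field1[]=x yields an array, so accept strings only.
    if (!is_string($input)) {
        return null;
    }
    // Third argument true = strict comparison, no loose type juggling.
    return in_array($input, ALLOWED_COUNTRIES, true) ? $input : null;
}

// Stores the value through a bound parameter, so it is never parsed as SQL.
// Table and column names are assumptions made for this example.
function save_country(PDO $db, string $country): void
{
    $stmt = $db->prepare('INSERT INTO submissions (country) VALUES (:country)');
    $stmt->execute([':country' => $country]);
}

// Constructed sample inputs standing in for $_POST['field1'].
$samples = ['France', 'Atlantis', "France' --", ['France']];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE submissions (country TEXT NOT NULL)');

foreach ($samples as $raw) {
    $country = validate_country($raw);
    if ($country === null) {
        echo 'rejected: ' . json_encode($raw) . PHP_EOL;
        continue;
    }
    save_country($db, $country);
    // Escape on output when the value goes back into the value="" attribute.
    echo 'accepted: value="' . htmlspecialchars($country, ENT_QUOTES, 'UTF-8') . '"' . PHP_EOL;
}

echo 'rows stored: ' . $db->query('SELECT COUNT(*) FROM submissions')->fetchColumn() . PHP_EOL;
```

The empty-value "Please Select" option is not on the allowlist, so a form submitted without a choice is rejected by the same check.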

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question, please contact: yoyou2525@163.com.

 