Question
I have read here the mantra "never trust user input" and it makes sense. I can understand that any field that is typed in by the user is suspect. However, what about drop down select fields? Can they be used for any type of injection?
I have sanitized all the fields that allow a user to type in, and also used mysqli prepared statements for insertion into the database.
However, there are three drop-downs in my form and I was wondering if I need to do anything about them?
Answer 1:
Every single element in a website can be altered by a malicious user (hidden fields, divs, styles, ajax calls, you name it...).
That said, if you're already using Prepared Statements, you shouldn't worry too much about SQL Injection because mysql already knows what statements are going to be executed.
Instead you should sanitize all the output that is being rendered in a website.
Let's say that in your form, you're asking what country I live in this way:
<select name="country">
<option value="Mexico">Mexico</option>
<option value="USA">USA</option>
<option value="Canada">Canada</option>
</select>
but I'm a malicious user, and I use Chrome's code inspector to alter your HTML, and I select Mexico, but change its value to
<script type="text/javascript">alert("Hello World");</script>
and if you output that value in another page this way:
Your country is: <?=$country?>
Then you'll be writing:
Your country is:
<script type="text/javascript">alert("Hello World")</script>
and an alert box will pop up with the text "Hello World".
What harm can I do with that, you may wonder...
Well, I can do anything I want with that: I can steal cookies, or if that value is public (say you're displaying that value on your front page), then I could redirect your users to another website, change your website's content... whatever I want.
To sanitize your users' output you can use htmlentities.
That will convert, for example, the < and > symbols to their respective codes: &lt; and &gt;
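The two defences Answer 1 describes, as an added PHP example (not code from the question or the answers): the server only accepts values it rendered into the select itself, and whatever is echoed back is escaped at output time. The three option values come from the answer's form; the submissions are constructed.

```php
<?php
// Added example, not from the original question or answers. Handles a
// <select name="country"> field server-side; $_POST is simulated with
// constructed arrays so the script runs stand-alone.

// 1. Allowlist: the exact option values the server itself rendered.
//    Anything else means the client altered the form, so reject it.
const ALLOWED_COUNTRIES = ['Mexico', 'USA', 'Canada'];

function validateCountry(array $post): ?string
{
    $value = $post['country'] ?? null;
    // Strict comparison avoids type juggling; null means "not on the list".
    return (is_string($value) && in_array($value, ALLOWED_COUNTRIES, true))
        ? $value
        : null;
}

// 2. Output escaping: every value written into HTML is escaped at the
//    point of output, even one that already passed the allowlist.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderCountryLine(?string $country): string
{
    return 'Your country is: ' . escapeHtml($country ?? 'unknown');
}

// Constructed submissions: one honest, one with the option value rewritten
// in the browser's inspector, as Answer 1 describes.
$honest  = ['country' => 'Mexico'];
$altered = ['country' => '<script type="text/javascript">alert("Hello World");</script>'];

// Allowlist path: the altered value never reaches the page.
echo renderCountryLine(validateCountry($honest)), PHP_EOL;
echo renderCountryLine(validateCountry($altered)), PHP_EOL;

// Escaping alone: the tags are emitted as text, not markup, so no script runs.
echo renderCountryLine($altered['country']), PHP_EOL;
```

The allowlist check belongs in the same place as the prepared statement that stores the value; the escaping belongs wherever the value is later printed, since the database does not know which context the value will be rendered into.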
Answer 2:
It's very easy for a malicious user to inject data in <select> fields, hidden fields, or anything else. As the mantra says, never trust user input.
Answer 3:
I would recommend you sanitize all data that comes in from form input. True, the user might not be able to directly edit your field by default, but a cleverly crafted form submission masquerading as yours could potentially allow some malicious code in your script and/or database if you aren't cleaning the incoming data.
Answer 4:
Using prepared statements and sanitization procedures on select lists might still be a good idea, since most browsers' developer tools and inspection modes enable users to modify the values, attributes and properties of HTML elements on the fly. A malicious user might try this trick with a select list item.
Answer 5:
Many modern browsers come with the capability of source-modification. So yes, any client -> server information can be an injection vector.
But if you're using bind variables for all $_POST or $_GET data, you should be fine.
Answer 6:
Yes, using simple JavaScript within the browser console (which almost all modern browsers have), they can change the value of the select to anything they want. They could also add the HTML for an input text field if they wanted.
And JavaScript is just the easiest way to do it; there are loads of other methods to control $_POST variables for a script. Just remember, $_POST and $_GET are user-supplied variables. Don't trust them at all!
Answer 7:
Injection can happen during user input, when the user is the one typing the string.
In the case where you are using a select, you are the one who defines the options, and you know for yourself that those options are not going to be the cause of injection.
Well, if the user can define the option, they can use the select for injection attacks.
The good thing to do in your drop-downs is to use the same code that you've used on your inputs to prevent injection attacks. Treat every control the same way when you read its value.
Source: https://stackoverflow.com/questions/18008017/are-drop-down-select-fields-vulnerable-to-any-sort-of-injection