Is trim enough for dropdown and checkbox/radiobox when validating form or should I also always use xss_clean?
#1

[eluser]term25[/eluser]
Is trim enough for dropdown and checkbox/radiobox when validating form or should I also always use xss_clean?
#2

[eluser]term25[/eluser]
Anybody?
#3

[eluser]boltsabre[/eluser]
Depends on how you have the rest of your application and database set up.

I personally have it, when a checkbox can change a DB column state (ie, if it's checked, set the column to 1, else set it to 0), something like this:

Code:
// CI 2.x: post() returns FALSE when the field is absent (3.x returns NULL).
// isset() only accepts variables, not a function result, so test the return value.
if($this->input->post('myCheckbox') !== FALSE){
   $checkbox_value = 1;
   // trace ip stuff here if you want to
   // POST data is always a string, so compare against '1', not the integer 1
   if($this->input->post('myCheckbox') !== '1'){
      ...
   }
}else{
   $checkbox_value = 0;
}
That way if someone malicious tries to inject some code, or is just playing around with $_POST data, it doesn't matter what they try to pass, it just gets set to 1 (this also allows you to trace the IP and potentially block that IP address if you need/want to).

If you are not interested in tracing IPs and other stuff, just use native CI validation rules. This should do the trick for a checkbox, but you won't be able to trace the IP of a potential hacker as the form won't pass validation unless it has the correct value:
trim|max_length[1]|is_natural

I think you'd have to check if 'is_natural' fails if the checkbox is unchecked.

But yes, you should definitely be doing more than just trim!!!
#4

[eluser]PhilTem[/eluser]
Actually, the values of checkboxes, radios, and dropdowns are defined by you and cannot be altered by any ordinary user. However, you can alter HTML and therefore form data with things like Firebug (though I don't know if this really alters the form data being submitted). Anyway, knowing this fact, you should just check the value of your checkbox, radio, dropdown to be equivalent to any value of the options you were passing to the form so you don't get data that you don't want to have regardless of how you will process this data.

That's how I do it at least.
#5

[eluser]boltsabre[/eluser]
Quote:Actually, the values of checkboxes, radios, and dropdowns are defined by you and cannot be altered by any ordinary user.

Yeah, well I would just throw that statement straight out the window. NEVER TRUST FORM DATA!!! With "out of the box" free hacking software, and plugins like Tamper Data, anyone who wants to can alter what data a form sends.

Quote:Anyway, knowing this fact, you should just check the value of your checkbox, radio, dropdown to be equivalent to any value of the options you were passing to the form
Sounds like a good way to do it! I didn't mention it before, but I often have arrays and stuff holding values of selects and whatnot, good idea to compare against it.
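The whitelist check PhilTem describes in #4 and boltsabre endorses in #5, as an added example that is not code from the thread or from CodeIgniter: the submitted value must equal one of the keys of the very option array that was handed to the view, and a checkbox is only ever 0 or 1. It is written framework-free so it runs under plain `php`; all option lists and POST bodies are constructed sample data.

```php
<?php
// Added example (not from the thread): whitelist validation for radio, select
// and checkbox values. The option arrays are the same ones handed to the view,
// so the whitelist and the rendered form cannot drift apart.
$countries = array('de' => 'Germany', 'fr' => 'France');   // constructed
$plans     = array('free' => 'Free', 'pro' => 'Pro');      // constructed

// Radio / single select: the submitted key must be one of the option keys.
// POST values are always strings, so compare as strings (1 !== '1').
function validate_choice($submitted, array $options)
{
    if (!is_string($submitted)) {
        return null;                          // missing field or array: reject
    }
    $keys = array_map('strval', array_keys($options));
    return in_array($submitted, $keys, true) ? $submitted : null;
}

// Multi-select (name="plan[]"): every element must be on the list.
function validate_multi($submitted, array $options)
{
    if (!is_array($submitted)) {
        return null;
    }
    foreach ($submitted as $item) {
        if (validate_choice($item, $options) === null) {
            return null;                      // one bad element rejects the lot
        }
    }
    return array_values(array_unique($submitted));
}

// Checkbox: absent when unchecked, its value attribute ('1') when checked.
// Anything else means the request was altered: store 0 and flag it.
function validate_checkbox($submitted, &$tampered = false)
{
    $tampered = ($submitted !== null && $submitted !== '1');
    return $submitted === '1' ? 1 : 0;
}

// One POST body as the browser sends it, one altered before submission.
$honest = array('country' => 'fr', 'plan' => array('free', 'pro'), 'newsletter' => '1');
$forged = array('country' => 'xx', 'plan' => array('free', 'gold'), 'newsletter' => 'yes');
foreach (array('honest' => $honest, 'forged' => $forged) as $label => $post) {
    $country = validate_choice($post['country'], $countries);
    $plan    = validate_multi($post['plan'], $plans);
    validate_checkbox(isset($post['newsletter']) ? $post['newsletter'] : null, $tampered);
    $ok = ($country !== null && $plan !== null && !$tampered);
    echo $label, ': ', ($ok ? 'accepted' : 'rejected, log the request'), "\n";
}
```

In CodeIgniter these would be wrapped as `callback_` rules on the Form_validation library; once a field must match the whitelist exactly, the trim-versus-xss_clean question no longer arises for that field, because an accepted value can only be one of your own option keys.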
#6

[eluser]term25[/eluser]
So, should I use xss_clean or not on checkboxes?
#7

[eluser]Hampti[/eluser]
Hi,

as all form data can easily be tampered with, and it is not guaranteed that you will implement sufficient checks (like boltsabre suggested)...
-> YES, use xss_clean.

Regards =)