Escaping user input

Do you need it for select lists?

         

daosmith

12:41 pm on Jan 6, 2004 (gmt 0)

10+ Year Member



Just wondered whether it is really necessary to call addslashes() or similar on user input when it originates entirely from select lists, radio buttons, check boxes and the like. I can understand the need to be careful with free text input, but when the user is constrained to selecting from predetermined options?

To put it another way, is there a way to modify the form data after submission but before it is processed by the server?

coopster

3:19 pm on Jan 6, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Sounds to me like you might want to read a bit about Magic Quotes [webmasterworld.com]. Also, if the lists are generated dynamically from data that is maintained by the user, your list data just may need to be escaped, depending on the values you allow them to enter. For example, you have a drop-down list of publishing companies and your end user is allowed to maintain the data that populates that drop-down list. The user enters a publisher such as O'Reilly...see where it's going?

willybfriendly

3:22 pm on Jan 6, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



"To put it another way, is there a way to modify the form data after submission but before it is processed by the server?"

It is possible to modify the form, and then submit it. The user could effectively submit whatever they wanted via form by doing this. Always best to distrust information coming from the outside.

WBF
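
Added example, not code from any poster in this thread: the server re-checks the submitted select value against the options it rendered and stores the chosen name through a bound parameter, so an edited form is rejected and a value like O'Reilly needs no addslashes(). The field name, table, option keys and the in-memory SQLite database are assumptions made for the illustration.

```php
<?php
// Added example. Field, table and option names are assumptions.

// Options the server rendered into the <select>. The browser can send anything,
// so the same list is checked again when the form comes back.
const PUBLISHER_OPTIONS = [
    'oreilly' => "O'Reilly",
    'aw'      => 'Addison-Wesley',
    'nostarch' => 'No Starch Press',
];

/** Return the submitted option key if it is one the server rendered, else null. */
function validated_publisher_key(array $post): ?string
{
    $raw = $post['publisher'] ?? null;
    // Rejects missing fields, arrays (publisher[]=x) and any unlisted value.
    if (!is_string($raw) || !array_key_exists($raw, PUBLISHER_OPTIONS)) {
        return null;
    }
    return $raw;
}

/** Store a book; bound parameters keep the apostrophe in O'Reilly as plain data. */
function save_book(PDO $db, string $title, string $publisherName): void
{
    $stmt = $db->prepare('INSERT INTO books (title, publisher) VALUES (:title, :publisher)');
    $stmt->execute([':title' => $title, ':publisher' => $publisherName]);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE books (title TEXT, publisher TEXT)');

// Constructed submissions: one genuine, one changed before it was sent.
$submissions = [
    ['title' => 'Programming PHP', 'publisher' => 'oreilly'],
    ['title' => 'Edited form',     'publisher' => 'value-not-in-the-list'],
];
foreach ($submissions as $post) {
    $key = validated_publisher_key($post);
    if ($key === null) {
        echo "rejected: publisher is not one of the rendered options\n";
        continue;
    }
    save_book($db, $post['title'], PUBLISHER_OPTIONS[$key]);
    echo 'stored: ', PUBLISHER_OPTIONS[$key], "\n";
}
```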