Forum Moderators: coopster

Question re SQL injection and dropdown boxes

Do dropdown boxes offer any protection over text fields

cmendla

5:59 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member




This might be a dumb question...

We have modified the advanced search form on an osCommerce site. All of the additional fields on the public side are dropdown boxes, not text input fields.

Does this provide any additional protection from SQL injection attacks? I'm wondering how anyone could run an attack since they can't try to put code in a text field.

Thanks

cg

d40sithui

6:55 pm on Aug 6, 2008 (gmt 0)

10+ Year Member



> I'm wondering how anyone could run an attack since they can't try to put code in a text field.

I'm thinking of a nonlocal script that has your action script as the target. In other words, the attacker can write his own form with the same variable names as yours and submit it from his website to you. You should always filter your data.

StoutFiles

7:47 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Form data has to be filtered; browser extensions like Firebug let you edit form source code and submit whatever you want. All entries will need to be checked before being used in SQL calls.

Demaestro

8:26 pm on Aug 6, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



There is no added protection there at all... someone savvy enough to perform an SQL injection is going to be savvy enough to spoof your form.
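
What the replies describe, as an added example that is not part of any post in this thread: the server sees only a request body, so a dropdown value has to be checked against the server's own option list and bound as a query parameter. The table, option list, request bodies and function names are assumptions made for illustration, and an in-memory SQLite database stands in for the shop's database.

```python
import sqlite3
from urllib.parse import parse_qs

# Assumed option list: the values the server rendered into the <select>.
CATEGORY_OPTIONS = {"1": "Hardware", "2": "Software"}

def make_db():
    """Constructed sample catalogue in an in-memory SQLite database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (name TEXT, category_id INTEGER, hidden INTEGER)")
    db.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [("Keyboard", 1, 0), ("Mouse", 1, 0), ("Editor", 2, 0), ("Unreleased", 2, 1)],
    )
    return db

def search_unsafe(db, body):
    """Trusts the dropdown: the posted value is concatenated into the SQL text."""
    category = parse_qs(body)["category"][0]
    sql = "SELECT name FROM products WHERE hidden = 0 AND category_id = " + category
    return [row[0] for row in db.execute(sql)]

def search_safe(db, body):
    """Re-checks the value against the server's option list, then binds it."""
    category = parse_qs(body).get("category", [""])[0]
    if category not in CATEGORY_OPTIONS:
        raise ValueError("category is not one of the offered options")
    sql = "SELECT name FROM products WHERE hidden = 0 AND category_id = ?"
    return [row[0] for row in db.execute(sql, (int(category),))]

# Constructed request bodies: one as a browser would send it from the dropdown,
# one written by hand without ever loading the form.
FROM_DROPDOWN = "category=1"
HAND_WRITTEN = "category=2+OR+1%3D1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, dropdown value:", search_unsafe(db, FROM_DROPDOWN))
    print("unsafe, hand-written:  ", search_unsafe(db, HAND_WRITTEN))
    print("safe, dropdown value:  ", search_safe(db, FROM_DROPDOWN))
    try:
        search_safe(db, HAND_WRITTEN)
    except ValueError as err:
        print("safe, hand-written:    rejected,", err)
```

With the hand-written body, the concatenating version returns every row, including the one flagged hidden; the checked version raises before any SQL runs.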