Do I have to guard against SQL injection if I used a dropdown?

I understand that you should NEVER trust user input from a form, mainly due to the chance of SQL injection.

However, does this also apply to a form where the only input is from a dropdown(s) (see below)?

I'm saving the $_POST['size'] to a Session which is then used throughout the site to query the various databases (with a mysqli Select query) and any SQL injection would definitely harm (possibly drop) them.

There is no area for typed user input to query the databases, only dropdown(s).

    <form action="welcome.php" method="post">
      <select name="size">
        <option value="All">Select Size</option>
        <option value="Large">Large</option>
        <option value="Medium">Medium</option>
        <option value="Small">Small</option>
      </select>
      <input type="submit">
    </form>

Tatters asked Mar 20 '14 13:03

1 Answer

Yes you need to protect against this.

Let me show you why, using Firefox's developer console:

I've edited one of the values in the dropdown to be a drop table statement.

If you don't cleanse this data, your database will be destroyed. (This might not be a totally valid SQL statement, but I hope I've gotten my point across.)

Just because you've limited what options are available in your dropdown does not mean you've limited the data I can send your server.

If you tried to restrict this further using behaviour on your page, my options include disabling that behaviour, or just writing a custom HTTP request to your server which imitates this form submission anyway. There's a tool called curl used for exactly that, and I think the command to submit this SQL injection anyway would look something like this:

curl --data "size=%27%29%3B%20DROP%20TABLE%20*%3B%20--"  http://www.example.com/profile/save 

(This might not be a totally valid curl command, but again, I hope I've gotten my point across.)

So, I'll reiterate:

NEVER trust user input. ALWAYS protect yourself.

Don't assume any user input is ever safe. It's potentially unsafe even if it arrives through some means other than a form. None of it is ever trustworthy enough to forgo protecting yourself from SQL injection.

doppelgreener answered Oct 21 '22 16:10
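The following is an added example of what the asker's welcome.php could look like once it follows the answer's advice; it is not code from the question, the answer, or any project. It applies two independent layers: a server-side allow-list that only accepts the exact option values the dropdown offers (the forged value from the curl command above gets a 400 before it reaches the session), and a mysqli prepared statement so that even an accepted value is bound as data rather than concatenated into SQL. The table name products, its columns id, name and size, and the database credentials are assumptions.

```php
<?php
// welcome.php (added example, not the original poster's code).
// Assumed: table `products` with columns id, name, size; credentials below are placeholders.

declare(strict_types=1);

// Layer 1: allow-list. These are the only values the <select> can legitimately
// send, so anything else is a tampered request, whatever the browser showed.
const ALLOWED_SIZES = ['All', 'Large', 'Medium', 'Small'];

function normalizeSize($raw): ?string
{
    // PHP will happily give us an array for "size[]=x"; reject non-strings outright.
    if (!is_string($raw)) {
        return null;
    }
    // Strict comparison: exact match only, no type juggling, no substring tricks.
    return in_array($raw, ALLOWED_SIZES, true) ? $raw : null;
}

$size = normalizeSize($_POST['size'] ?? null);
if ($size === null) {
    http_response_code(400);
    exit('Invalid size selection.');
}

// Only the validated value is stored, so every later page that reads
// $_SESSION['size'] is working from data that has already been checked.
session_start();
$_SESSION['size'] = $size;

// Layer 2: parameterised query. The value is never spliced into the SQL text;
// the placeholder keeps data and query structure separate.
$db = new mysqli('localhost', 'app_user', 'app_password', 'shop'); // assumed credentials
$db->set_charset('utf8mb4');

if ($size === 'All') {
    $stmt = $db->prepare('SELECT id, name, size FROM products');
} else {
    $stmt = $db->prepare('SELECT id, name, size FROM products WHERE size = ?');
    $stmt->bind_param('s', $size); // 's' = bind as a string
}
$stmt->execute();
$result = $stmt->get_result();

foreach ($result as $row) {
    // Escape on output as well, so a stored value can't become HTML injection later.
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
         ' (', htmlspecialchars($row['size'], ENT_QUOTES, 'UTF-8'), ")\n";
}

$stmt->close();
$db->close();
```

The allow-list is the check that matters for a dropdown: the set of legal values is small and known, so compare against it rather than trying to "clean" arbitrary input. The prepared statement is still worth keeping even with the allow-list in place, because the session value is reused across the site and a later query may be written by someone who does not know it was validated on this page.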