Simple Question


oo7ml
06-26-2007, 02:59 PM
I have a combo box on my form for Gender

<select style="width: 180px" name="gender" tabindex="8">
<option selected="" value="null">--- Select Gender ---</option>
<option value="F">Female</option>
<option value="M">Male</option>
</select>

What sort of PHP validation do I need for this combo box?

I already have - if nothing is selected, it alerts the user.

Can you see if you can answer these three questions please:
1. Can someone alter my code and put in something other than what is in the combo box and submit it to my database?
2. Do I need to add mysql_real_escape_string to a combo box (I obviously do if someone can alter my code)?
3. Do I need to add a max length validation to the combo box?

Thanks for your help

Kyleva2204
06-26-2007, 03:34 PM
<?php

/// validation: accept only the two values the <select> actually offers
if (isset($_POST['gender']) && ($_POST['gender'] == 'M' || $_POST['gender'] == 'F')) {
    /// add to mysql database
} else {
    echo "You are not male or female?";
}
?>


This is a simple validation that the user has said they are male or female.

Taschen
06-26-2007, 04:57 PM
1. Can someone alter my code and put in something other than what is in the combo box and submit it to my database?

Yes. The second simplest hack in the world is to create your own form and submit it to someone else's form processor. HTML output to a browser can be modified using JavaScript. That's why validating user input (and db output) is so important.


2. Do I need to add mysql_real_escape_string to a combo box (I obviously do if someone can alter my code)?

Never a bad idea anyway.

3. Do I need to add a max length validation to the combo box?

For the reasons given in "1", never trust user input; always clean and validate before sending to the db layer. Part of this is being aware of input lengths.

Kyleva2204
06-26-2007, 07:37 PM
With the code given, it checks to see if the post is even present, then moves to see if it is either "M" or "F"; if not, then it displays an error. So if someone put in like "Q", it would display an error.

oo7ml
06-27-2007, 06:14 AM
Thanks guys, but do I need to validate a maximum output? Does my database not handle the maximum output?

username = varchar(21) - does that not mean that the database won't accept anything over 21 characters for this field?
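The following is an added example, not code posted by anyone in this thread, that puts the three answers above and the varchar(21) question into one server-side handler: a whitelist check for the gender <select> (question 1), a parameterised INSERT in place of mysql_real_escape_string (question 2; mysql_real_escape_string belongs to the old mysql extension, so the example uses a mysqli prepared statement, which sends the values as parameters rather than splicing escaped text into the query), and an explicit length check for the username (question 3). The length check is done in PHP on purpose: whether MySQL rejects an over-long value or silently truncates it to 21 characters depends on the server's SQL mode, so the column width alone is not a validation step. The table name `users`, the column `gender CHAR(1)`, the connection details and the sample submissions are all assumptions made for the example.

```php
<?php
// Added example, not the thread's own code. Validates the gender <select> and
// the varchar(21) username field, then inserts with a prepared statement.
// Table/column names (users, username, gender) and the connection are assumed.

declare(strict_types=1);

/** Allowed values for the gender field: exactly the <option> values offered. */
const GENDER_ALLOWED = ['M', 'F'];

/** Width of users.username in the schema (varchar(21)). */
const USERNAME_MAX = 21;

/**
 * Validate the submitted fields on the server: never assume the browser sent
 * one of the <option> values or a short username, because the POST body can
 * be produced by any client. Returns a list of error messages; an empty list
 * means the data is clean.
 */
function validate_signup(array $post): array
{
    $errors = [];

    // 1. Gender: whitelist check. in_array() with strict=true also rejects
    //    arrays, integers and other non-string values a crafted POST can carry.
    $gender = $post['gender'] ?? null;
    if (!is_string($gender) || !in_array($gender, GENDER_ALLOWED, true)) {
        $errors[] = 'Gender must be selected as Male or Female.';
    }

    // 3. Username: length check in PHP, independent of what the database
    //    column does with an over-long value. mb_strlen counts characters,
    //    which is what varchar(21) limits; strlen would count bytes.
    $username = $post['username'] ?? null;
    if (!is_string($username) || trim($username) === '') {
        $errors[] = 'Username is required.';
    } elseif (mb_strlen($username, 'UTF-8') > USERNAME_MAX) {
        $errors[] = 'Username must be at most ' . USERNAME_MAX . ' characters.';
    }

    return $errors;
}

/**
 * 2. Insert with a prepared statement: the values travel as bound parameters
 *    and are never part of the SQL text, so no escaping call is needed.
 *    Assumes a table users(username VARCHAR(21), gender CHAR(1)).
 */
function insert_user(mysqli $db, string $username, string $gender): bool
{
    $stmt = $db->prepare('INSERT INTO users (username, gender) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $gender);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// --- Constructed sample submissions (not real traffic) ---
$samples = [
    'normal form'   => ['username' => 'kyle', 'gender' => 'F'],
    'forged option' => ['username' => 'kyle', 'gender' => 'Q'],     // value not in the <select>
    'placeholder'   => ['username' => 'kyle', 'gender' => 'null'],  // the "--- Select Gender ---" option
    'array value'   => ['username' => 'kyle', 'gender' => ['M']],   // gender sent as an array
    'too long'      => ['username' => str_repeat('a', 22), 'gender' => 'M'],
];

foreach ($samples as $label => $post) {
    $errors = validate_signup($post);
    echo str_pad($label, 15) . ': ' . ($errors ? implode(' ', $errors) : 'OK') . PHP_EOL;
}

// Only after validate_signup() returns no errors would the insert run, e.g.:
// $db = new mysqli('localhost', 'user', 'pass', 'app'); // connection details assumed
// insert_user($db, $post['username'], $post['gender']);
```

Run as a CLI script, the loop reports "OK" only for the first sample and an error message for each of the other four, including the "null" placeholder option that the form's own default value would submit. Because the whitelist and length checks run before any database call, the insert code never sees a value outside the two option letters or longer than the column, regardless of how the POST body was produced.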