html form selector security vulnerability

Question

if i have this simple form selector below:

<form id="myform" class="form" role="form" accept-charset="utf-8" method="post" action="/mypage.php">
    <select id="gender" name="gender">
     <option selected="" value=""></option>
     <option value="man">man</option>
     <option value="women">women</option>
    </select>
    <button type="submit" name="insert"> Send </button>
</form>

and this little php code to retrieve data:

    if (isset($_POST['insert'])) {
        if(!isset($_POST['gender']) || strlen($_POST['gender'])<3)
        {
                        header('location:'.$_SERVER['PHP_SELF'].'?error');
                        exit;
        }

        $gender = ($_POST['gender']);
     ...
    // INSERT INTO DATABASE
    }

and now someone with Firebug modify the option value from "man" to "vulnerability" and click submit this new value will be insert into my database and not the previous one.

My question is: how can i prevent this with php language ?

thanks.

Answer 1

Since you have a defined set of possible values, it’s easy to validate the submitted value:

$options = array('', 'man', 'woman');
if (!in_array($_POST['gender'], $options)) {
    // invalid value
}

Answer 2

Your Database part is not given, so I can't assure exactly what solution will be perfect for you. Though, it is better if you use PDO bind system in this case along with some simple if-else logic check.

like this example:

$this->db_connection = new PDO('mysql:host='. DB_HOST .';dbname='. DB_NAME . ';charset=utf8', DB_USER, DB_PASS);

$query_new_user_insert = $this->db_connection->prepare('INSERT INTO users (user_name, user_password_hash, user_email, user_activation_hash, user_registration_ip, user_registration_datetime, usertype, user_fname, user_lname) VALUES(:user_name, :user_password_hash, :user_email, :user_activation_hash, :user_registration_ip, now(), :usertype, :user_fname, :user_lname)');
                
                $query_new_user_insert->bindValue(':user_name', $user_name, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_password_hash', $user_password_hash, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_email', $user_email, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_activation_hash', $user_activation_hash, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_registration_ip', $_SERVER['REMOTE_ADDR'], PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':usertype', $usertype, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_fname', $user_fname, PDO::PARAM_STR);
                $query_new_user_insert->bindValue(':user_lname', $user_lname, PDO::PARAM_STR);
                $query_new_user_insert->execute();

Now you can see here we are binding values. He will never know your variables here. Also, you can use Generated form instead of directly coding one. Also using array for passing data is another good practice too! Check this out: https://blog.stackoverflow.com/2008/06/safe-html-and-xss/

Answer 3

like what @Joshua said you would have to sanitize your inputs you could do this like so, (this is not the only way to check validity of the variables)

if($_POST['insert'] == "vulnerability"){
//refresh the page and notify
}
if (isset($_POST['insert'])) {
    if(!isset($_POST['gender']) || strlen($_POST['gender'])<3)
    {
                    header('location:'.$_SERVER['PHP_SELF'].'?error');
                    exit;
    }

    $gender = ($_POST['gender']);
 ...
// INSERT INTO DATABASE
}

You would only want to insert variables into a database once you are sure that the variables are safe or is what is expected, i.e. if there is no validity checking in your php code before you insert into the database a user can use an mysql statement to drop your table or alter your data i.e."TRUNCATE TABLE MY_AWESOME_TABLE". and this would delete all the data in your table (users, passwords etc).