I strongly agree with the validating bit. It does not depend on your schema.

It is important to realise that when a form is posted to a server, there is no schema information sent with it. For instance, what you think may be a radio button or check box (and thus an expected string value) can be anything when it is posted from somewhere else.

A contrived example (which I unfortunately have seen happening in the real world): 

<FORM METHOD=post ACTION=/doit.pl>
<INPUT NAME=action TYPE=checkbox VALUE="INSERT INTO table VALUES (1,2,
+3)">
<INPUT TYPE=submit>
</FORM>

[download]

may coerce you into thinking that the value on the server of the field "action" is either the INSERT statement or nothing.

However, anybody in the world with access to Perl and LWP.pm, might easily set up a request to "/doit.pl": 

use LWP::UserAgent;
my $ua = LWP::UserAgent->new;
my $req = HTTP::Request->new(POST => 'http://your.server.com/doit.pl')
+;
$req->content(q{action=DELETE%20FROM%20table});
$ua->request($req); #kaboom, your table is gone

[download]
So, even if you thought you could trust the value of a checkbox, you can't. You always need to check values coming in from the form. Always.

Liz

In reply to Re: Re: Do I have to untaint all user input in a form? by liz
in thread Do I have to untaint all user input in a form? by bradcathey

Title:
Use:  <p> text here (a paragraph) </p>
and:  <code> code here </code>
to format your post, it's "PerlMonks-approved HTML":


  • Posts are HTML formatted. Put <p> </p> tags around your paragraphs. Put <code> </code> tags around your code and data!
  • Titles consisting of a single word are discouraged, and in most cases are disallowed outright.
  • Read Where should I post X? if you're not absolutely sure you're posting in the right place.
  • Please read these before you post! —
  • Posts may use any of the Perl Monks Approved HTML tags:
    a, abbr, b, big, blockquote, br, caption, center, col, colgroup, dd, del, details, div, dl, dt, em, font, h1, h2, h3, h4, h5, h6, hr, i, ins, li, ol, p, pre, readmore, small, span, spoiler, strike, strong, sub, summary, sup, table, tbody, td, tfoot, th, thead, tr, tt, u, ul, wbr
  • You may need to use entities for some characters, as follows. (Exception: Within code tags, you can put the characters literally.)
            For:     Use:
    & &amp;
    < &lt;
    > &gt;
    [ &#91;
    ] &#93;
  • Link using PerlMonks shortcuts! What shortcuts can I use for linking?
  • See Writeup Formatting Tips and other pages linked from there for more info.