Home » Php » PHP select option value protection

PHP select option value protection

Posted by: admin October 26, 2018 Leave a comment

Questions:

I created sample select option code inside file tpl for use in the submission form to database, but I do not have enough experience to know if the field value {$submit_field1} is protected!

PHP

$main_smarty->assign('Tags_Allow', htmlspecialchars($Tags_Allow));
$main_smarty->assign('submit_field1', $content->field1);
if(isset($_POST['field1'])){$content->field1 = sanitize($_POST['field1'], 4, $Tags_Allow);}

    function sanitize($var, $santype = 1, $allowable_tags = ''){
        if ($santype == 1) {
            return strip_tags($var, $allowable_tags = '');
        }
        elseif ($santype == 2) {
            return htmlentities(strip_tags($var, $allowable_tags),ENT_QUOTES,'UTF-8');
        }
        elseif ($santype == 3) {
            return addslashes(strip_tags($var, $allowable_tags));
        }
        elseif ($santype == 4) {
            return stripslashes(preg_replace_callback('/<([^>]+)>/is', 
        function($m) { 
            return '<'.sanitize($m[1],5).'>';
            }, strip_tags($var, $allowable_tags)));
        }
        elseif ($santype == 5) {
            return preg_replace_callback('/\son\w+\s*=/is',
        function($m) {
            return '';
            },$var);
        }
    }

Template tpl

<select id="country" name="field1">
<option value="{$submit_field1}">Please Select</option>
<option value="United State">
United State
</option>
<option value="France">
France
</option>
<option value="Russia">
Russia
</option>
</select>

Is there anything else to be done for protect value that’s inserted into {$submit_field1} from SQL Injection Hacks, how to verify on input that it’s acceptable?

Answers: