Search code examples
phpsanitization

Sanitize user input in select drop down where the destination is an endpoint

How would I go about sanitizing user input from my select drop-downs, when posting the input via Jquery AJAX to another script to finally sending a post request to an endpoint using curl? Would urlencode in this case be sufficient as I am not inserting this into any database directly, well the endpoint I am sending this data to will obviously insert into a database but its a 3rd party app

view.php

function edit_data_title() {
    var lead_id = $("#LeadID").val();
    var title = $(".title option:selected").val();
    var agent_full_name = $("#agent_full_name").val();
    if (confirm('Are you sure you want to update the Title of this lead?')) {
        $.ajax({
            url: "endpoint.php",
            method: "POST",
            data: {
                lead_id: lead_id,
                title: title,
                agent_full_name: agent_full_name
            },
            dataType: "text",
            success: function(data) {
                //alert(data);
                $('#title_readonly').hide();
                $('#title_cancel').hide();
                $('#title_edit_input').hide();
                $('#title_edit_button').show();
                $("#update_lead_title_result").html(data);
                $('#update_lead_title_result').show();
                $('#title').prop('selectedIndex', 0);
            }
        });
    } else {
        alert('Lead title update cancelled');
        $('#title').prop('selectedIndex', 0);
    }
}

<select name="title" id="title" class="title" onchange="edit_data_title();">
   <option value="">Select an option</option>
   <option value="Dr.">Dr.</option>
   <option value="Hon.">Hon.</option>
   <option value="Mr.">Mr.</option>
   <option value="Mrs.">Mrs.</option>
   <option value="Ms.">Ms.</option>
   <option value="Prof.">Prof.</option>
   <option value="Rev.">Rev.</option>
   <option value="Other">Other</option>
</select>

endpoint.php

$title = $_POST['title'];

$curl_url = "https://endpoint101.com?title=$title";
  $ch = curl_init();
  curl_setopt($ch,CURLOPT_URL, $curl_url);
  curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($ch, CURLOPT_HEADER, 0);
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_VERBOSE, 0);
  $curl_result = curl_exec($ch);
  $curl_info = curl_getinfo($ch);
  $curl_info = json_encode($curl_info);
  curl_close($ch);
Solution

  • You should check server side if the $title value matches one of the options available.

    That's the only condition I could speculate from the input given in your question.

    https://www.php.net/manual/en/function.in-array.php

    $allowed_options = ['','Dr.','Hon.','Mr.','Mrs.','Ms.','Prof.','Rev.','Other'];

//if $title value doesn't match any of the allowed options, exits the script
if (!in_array( $title, $allowed_options, true))
  exit;