How would I go about sanitizing user input from my select drop-downs, when posting the input via Jquery AJAX to another script to finally sending a post request to an endpoint using curl? Would urlencode in this case be sufficient as I am not inserting this into any database directly, well the endpoint I am sending this data to will obviously insert into a database but its a 3rd party app
view.php
function edit_data_title() {
var lead_id = $("#LeadID").val();
var title = $(".title option:selected").val();
var agent_full_name = $("#agent_full_name").val();
if (confirm('Are you sure you want to update the Title of this lead?')) {
$.ajax({
url: "endpoint.php",
method: "POST",
data: {
lead_id: lead_id,
title: title,
agent_full_name: agent_full_name
},
dataType: "text",
success: function(data) {
//alert(data);
$('#title_readonly').hide();
$('#title_cancel').hide();
$('#title_edit_input').hide();
$('#title_edit_button').show();
$("#update_lead_title_result").html(data);
$('#update_lead_title_result').show();
$('#title').prop('selectedIndex', 0);
}
});
} else {
alert('Lead title update cancelled');
$('#title').prop('selectedIndex', 0);
}
}
<select name="title" id="title" onchange="edit_data_title();">
<option value="">Select an option</option>
<option value="Dr.">Dr.</option>
<option value="Hon.">Hon.</option>
<option value="Mr.">Mr.</option>
<option value="Mrs.">Mrs.</option>
<option value="Ms.">Ms.</option>
<option value="Prof.">Prof.</option>
<option value="Rev.">Rev.</option>
<option value="Other">Other</option>
</select>
endpoint.php
$title = $_POST['title'];
$curl_url = "https://endpoint101.com?title=$title";
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL, $curl_url);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_VERBOSE, 0);
$curl_result = curl_exec($ch);
$curl_info = curl_getinfo($ch);
$curl_info = json_encode($curl_info);
curl_close($ch);
CodePudding user response:
You should check server side if the $title
value matches one of the options available.
That's the only condition I could speculate from the input given in your question.
https://www.php.net/manual/en/function.in-array.php
$allowed_options = ['','Dr.','Hon.','Mr.','Mrs.','Ms.','Prof.','Rev.','Other'];
//if $title value doesn't match any of the allowed options, exits the script
if (!in_array( $title, $allowed_options, true))
exit;