Which is better from a security standpoint when populating an HTML select box?
Option A: PHP
<?php echo "<select name=\"empName\" id=\"empName\" class=\"text\" style=\"width:10em;\">\r\n";?>
<?php include 'PHPscripts/getEmployeeNamesDB.php'?>
<?php echo "</select>\r\n";?>
getEmployeeNamesDB.php
$dropdown = "";
$tbl_name = "employee"; // Table name
// Uses the legacy mysql_* extension (removed in PHP 7) and assumes an open connection
$result = mysql_query("SELECT CONCAT_WS(' ', firstname, lastname) AS 'wholename', empid FROM $tbl_name ORDER BY lastname") or die("cannot select result DB.php");
while ($row = mysql_fetch_assoc($result)) {
    $empid = $row["empid"];
    $name = $row["wholename"];
    // Escape database values before placing them in the markup
    $dropdown .= "<option value=\"" . htmlspecialchars($empid) . "\">" . htmlspecialchars($name) . "</option>\r\n";
}
echo $dropdown;
Option B: JavaScript
Same information, except use an AJAX call to populate a JavaScript variable, then use JavaScript to make the select statement?
Security is my primary concern but I would also like to know if you can come up with any other concerns I should consider.
There are no security issues involved when you are trying to populate or generate output, unless a previous user input is involved. The user can, if he chooses so, forge a POST request and easily include options that you have not included in the select box.
Therefore, it's when the user submits the data that you should be concerned about security. You should always validate the data after you receive it to see if it is a valid option. For example:
<?php
// Generating the menu
$choices = array('Eggs', 'Toast', 'Coffee');
echo "<select name='food'>";
foreach ($choices as $choice) {
    echo "<option>$choice</option>";
}
echo "</select>";

// Then, later, validate when the user submits the form.
// The field may be missing entirely from a forged request, so check for it first.
if (!isset($_POST['food']) || !in_array($_POST['food'], $choices, true)) {
    echo "You must select a valid choice.";
}
?>
Also, as others have noted, you should use PHP instead of JS as it could be faster and also work for those who have JS turned off.
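Putting this answer's advice together with the database-driven select from the question, as an added example that is not code from the question or any of the answers: the option list comes from the database, every value is escaped on output, and the submitted id is checked against the same list on the server, since the browser can POST any value regardless of what the <select> offered. It assumes PDO with an in-memory SQLite table of constructed rows standing in for the MySQL "employee" table.

```php
<?php
// Added example, not code from the question or its answers. An in-memory
// SQLite table with constructed rows stands in for the MySQL "employee" table
// (SQLite has no CONCAT_WS, so names are joined with ||).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE employee (empid INTEGER PRIMARY KEY, firstname TEXT, lastname TEXT)");
$db->exec("INSERT INTO employee VALUES (1, 'Ada', 'Lovelace'), (2, 'Grace', 'Hopper'),
           (3, '<b>Bold</b>', 'O''Brien')"); // constructed; row 3 carries markup on purpose

/** Returns [empid => "Firstname Lastname"] for every employee, ordered by last name. */
function fetchEmployees(PDO $db): array {
    $stmt = $db->query("SELECT empid, firstname || ' ' || lastname AS wholename
                        FROM employee ORDER BY lastname");
    return $stmt->fetchAll(PDO::FETCH_KEY_PAIR);
}

/** Builds the <select>; every value coming from the database is escaped for HTML. */
function renderEmployeeSelect(array $employees): string {
    $html = '<select name="empName" id="empName">' . "\n";
    foreach ($employees as $empid => $name) {
        $html .= sprintf("  <option value=\"%s\">%s</option>\n",
            htmlspecialchars((string) $empid, ENT_QUOTES, 'UTF-8'),
            htmlspecialchars($name, ENT_QUOTES, 'UTF-8'));
    }
    return $html . "</select>\n";
}

/** Server-side check on submission: accept only an id that was actually offered. */
function isValidEmployeeId(array $employees, $submitted): bool {
    // The browser can send anything; insist on a plain integer string first
    if (!is_string($submitted) || !ctype_digit($submitted)) {
        return false;
    }
    return array_key_exists((int) $submitted, $employees);
}

$employees = fetchEmployees($db);
echo renderEmployeeSelect($employees);

// Constructed submissions: one offered id, one id not in the list, one non-numeric value
foreach (['2', '999', 'abc'] as $posted) {
    printf("%-4s -> %s\n", $posted, isValidEmployeeId($employees, $posted) ? 'accepted' : 'rejected');
}
```

The same check works for the AJAX variant, because the server never trusts which options the client-side script happened to render.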
The only security I see here is you have one more layer to deal with if you go the AJAX route. With PHP it's purely a communication between your server scripts. With AJAX you have a communication from the end user's browser over the network, which can be anything. That user can use your JS if they want and supplement the query depending on how your JS builds that query.
On the security point they are the same. With AJAX it may be easier for design.
No difference for security, but option A will be faster and simpler. And it will work for people who have JavaScript turned off.