How to stop users from editing a dropdown value

[Mornincupofhate]

So in HTML, If I'm not mistaken, the user can inspect element the input dropdown and change it to any value they'd like. How do I keep this from happening? Or am I mistaken and this doesn't work?

 

Please no javascript; PHP only.

[HZapperz]

15 minutes ago, Mornincupofhate said:

So in HTML, If I'm not mistaken, the user can inspect element the input dropdown and change it to any value they'd like. How do I keep this from happening? Or am I mistaken and this doesn't work?

 

Please no javascript; PHP only.

From my understanding, if you edit the html through inspect element its only client side. I could be wrong but this has been my experience. 

[Mornincupofhate]

5 minutes ago, HZapperz said:

From my understanding, if you edit the html through inspect element its only client side. I could be wrong but this has been my experience. 

Just tried it on my own page. Can confirm it does change the value to whatever you set it to be.

[unijab]

Where ever you are POSTing the values to.. setup an IF check that will throw an error if the valid values that you want are not the ones submitted.

[Mornincupofhate]

1 minute ago, unijab said:

Where ever you are POSTing the values to.. setup an IF check that will throw an error if the valid values that you want are not the ones submitted.

So what do I do? Just something like this?

 

If ($_POST['someshit'] != "value1" or "value2" or value"3") { die(); }

[Mornincupofhate]

6 minutes ago, Mornincupofhate said:

So what do I do? Just something like this?

 

If ($_POST['someshit'] != "value1" or "value2" or value"3") { die(); }

Also, what if I'm checking an entire array?

[unijab]

you can also do a switch statement..

 

http://php.net/manual/en/control-structures.switch.php

 

[Mornincupofhate]

Just now, unijab said:

you can also do a switch statement..

 

http://php.net/manual/en/control-structures.switch.php

 

What if I'm checking against an entire array?

[unijab]

Im too rusty with PHP to remember much more off the top of my head, haven't used it for about 2 years.

 

Good luck on your search.

[Mornincupofhate]

Just now, unijab said:

Im too rusty with PHP to remember much more off the top of my head, haven't used it for about 2 years.

 

Good luck on your search.

Lol ty

[vorticalbox]

4 hours ago, Mornincupofhate said:

What if I'm checking against an entire array?

loop the array, check if element is valid.

[leodaniel]

You are looking for input validation, as the frontend can always be manipulated and all requests can be forged.

As a rule of thumb: never trust user data, never correct user data! So yes, frontend validation should be done but only to help a (normal) user correcting his input, never assume under any circumstance, that the data from the user can be trusted  

 

So in your case, a very simple solution:

<?php
	/* For Try Catch Block */
    class ValidationException extends \Exception {}	

    try{
        /* Validation */
        $dropdown_input = $_POST['awesome_dropdown'];
        $possible_values = ['Value1','Value2'];
      
        if( ! in_array($dropdown_input,possible_values) ){
            throw new ValidationException('Dropdown value incorrect');
        }
    }
    catch(ValidationException $exception){
        /* Something is not valid! */
        die($exception->getMessage());
    }

    /* Your Input is now Valid! */
    // ...
	

	

 

[Cruorzy]

$array = ['blue', 'orange', 'red'];

if (in_array($_POST['colors'], $array)){
	//code
}

Something more ugly but still works would look like.

[vorticalbox]

6 hours ago, Cruorzy said:

$array = ['blue', 'orange', 'red'];

if (in_array($_POST['colors'], $array)){
	//code
}

Something more ugly but still works would look like.

i like this better is super clear what the code is meant to do. Plus no try / catch. 

[leodaniel]

11 minutes ago, vorticalbox said:

i like this better is super clear what the code is meant to do. Plus no try / catch. 

I disagree, I prefer using Try Catch block for validation because it breaks and moves to the catch statement. So you can handle more complex validations in specific methods and still have it clean. 

On the other hand, if else relies on you pretending when an exception has occurred. For one single validation I agree, If else is fine, but if you use more complex and bigger validations I would go with try catch...

[vorticalbox]

1 hour ago, leodaniel said:

I disagree, I prefer using Try Catch block for validation because it breaks and moves to the catch statement. So you can handle more complex validations in specific methods and still have it clean. 

On the other hand, if else relies on you pretending when an exception has occurred. For one single validation I agree, If else is fine, but if you use more complex and bigger validations I would go with try catch...

why? You do an Is and get a true or false. Catching tries code then fails. I would rather have code that doesn't rely on breaking to verify input. 

[leodaniel]

1 hour ago, vorticalbox said:

why? You do an Is and get a true or false. Catching tries code then fails. I would rather have code that doesn't rely on breaking to verify input. 

Because I don't want any further Execution if the validation fails... why? Because in my opinion you should never correct any user input... the input either comes in the desired form or you reject it and don't execute your code... in my opinion you expect the values to have a certain form and so it should throw an exception if they don't

 

The good thing about Exceptions is that they immediately stop further execution and kick off the error handling (up the call stack until they are catched)