Can Values Be Injected in a Drop Down List?

Dropdown lists are an HTML/UI construct. There isn’t any such concept in HTTP, which is how the client and the server ultimately talk to one another.

So, while yes, a client could alter the page, that isn’t absolutely required, because there doesn’t actually need to be a page. In the end a client simply sends an HTTP request back to the server and it contains some data, and that data could be the values entered into the HTML form, or it could be arbitrary values chosen at the user’s whim.

The bottom line is that you can't trust input. Anything sent by the client should be treated as suspect; there's no guarantee that it's what you expect, and it must be validated on the server before it is accepted.
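What that server-side validation looks like in practice, as an added example that is not part of the original post: the server keeps its own allowlist of the option values the page renders and checks the submitted field against it, rather than assuming the request came from the dropdown. The field name `shipping`, the allowed values and the sample request bodies are all assumptions constructed for the example.

```python
"""Server-side allowlist check for a value the page presents as a <select>.
Added example; the field name, values and sample bodies are constructed."""
from urllib.parse import parse_qs

# Allowed values, mirrored from the <option value="..."> entries the page renders.
# The server treats this set, not the HTML, as the source of truth.
ALLOWED_SHIPPING = {"standard", "express", "overnight"}


def validate_choice(value, allowed):
    """Return the value if it is in the allowlist, otherwise None."""
    if value is None:
        return None
    # Exact comparison: no case folding or trimming, so "EXPRESS" or "express " are rejected.
    return value if value in allowed else None


def handle_form_post(body, allowed=ALLOWED_SHIPPING):
    """Parse an application/x-www-form-urlencoded body and validate the 'shipping' field.

    Returns an (HTTP status, message) tuple so the decision is easy to inspect.
    """
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("shipping", [])
    # A dropdown submits the field exactly once; anything else did not come from the form.
    if len(values) != 1:
        return (400, "shipping must be supplied exactly once")
    choice = validate_choice(values[0], allowed)
    if choice is None:
        return (400, "shipping is not one of the allowed options")
    return (200, f"shipping={choice}")


# Constructed sample bodies: the first is what the real form sends; the rest are
# bodies a client could send directly with no page involved at all.
SAMPLE_BODIES = [
    "shipping=express",
    "shipping=free",
    "shipping=express&shipping=standard",
    "shipping=EXPRESS",
    "item=42",
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(repr(body), "->", handle_form_post(body))
```

The allowlist is deliberately a set of exact strings: the check answers "is this one of the values I offered?" and nothing else, which is the only question the server can meaningfully ask once it accepts that the request may never have passed through the HTML form.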
