Should I secure my radio buttons if not interacting with a database?

maxwell_

I am trying to build a survey web form with five groups of HTML radio buttons,
when the form is submitted the values are emailed via the php mail() function,
no database involved.
I would like to know if I should still try to sanitize the submitted values in some way,
and also if the form is vulnerable to security threats.

Regards Maxwell

NogDog

Since radio buttons will return whatever values you assign them, I would just confirm that the values received are members of that set. You could define the values in one place (database, class, json file, hard-coded array, whatever), and use that source both to build the form and then to validate the submission.

bradgrafelman

Radio buttons are no different than any other form field (dropdown selection box, text input, hidden input, etc.). So, if there are reasons to sanitize the others, then yes, the same would apply to radio buttons.

"Vulnerable to security threats" is such a broad, nebulous phrase that one could easily say yes, of course it is vulnerable. Are you sending the e-mails as HTML or plain text? If the former, someone could inject their own HTML code into the message, for example, if you weren't sanitizing it at all.