In one of the forms on my website, I have a <select> field like this:

<select name="doorno" required>
            <option></option>
            <option>01</option>
            <option>02</option>
            <option>03</option>
            <option>04</option>
            <option>05</option>
            <option>06</option>
            <option>07</option>
            <option>08</option>
            <option>09</option>
            <option>10</option>
            <option>11</option>
            <option>12</option>
            <option>13</option>
            <option>14</option>
            <option>15</option>
            <option>16</option>
            <option>17</option>
            <option>18</option>
            <option>19</option>
            <option>20</option>
            <option>21</option>
            <option>22</option>
            <option>23</option>
            <option>24</option>
        </select></p>

The user should be able to select numbers between 01 - 24 - right?

But in the table where these entries are stored, I see an entry like:

01,05

How could this have happened? When I try to type into the field I am not able to it - I can only choose one of the options in the list?

Any idea how the user could have managed to enter an option like the one above?

EDIT Based on some of the comments I looked into the backend of the database and found that the user has made multiple selections. So now the question has another related question:

If I do not specify the MULTIPLE attribute in the SELECT element, does it mean a user can overcome the default behaviour of single select?

Easy, the user has edited his DOM from the developer tools or using JavaScript. But fact is, this isn't the user's fault.

It's yours!

You mustn't blindly trust input from the client, you should always validate that what you're expecting (in this case, numbers between 1 and 24), is what you're getting. In this case, it can be easily done with:

$input = (int) $input;
if ($input > 0 && $input <= 24) {

Always validate input. Always.

At least two ways that it could happen: If you have or had another field with the same name in the same form, values from both will be submitted. Also, if you ever had the MULTIPLE attribute on the SELECT tag, multiple values might have been submitted at that time. (Although, for both these examples, how the multiple values get concatenated into the same database value is beyond the scope of this answer...)

If you're asking how it's possible, then it would be quite easy for a user to change the options in the select box from within their browser. Just a case of opening the dev tools and making an edit.

It's also possible for a hacker to post to your site without even using the HTML form, with completely made up data.

You should never trust that data coming from the browser is valid; always validate it again when it gets to your server before saving to the DB or doing anything else with it.