Why isn't this working?! PHP noob, I'm sure..

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

bla5e
Forum Contributor
Posts: 234
Joined: Tue May 25, 2004 4:28 pm

Why isn't this working?! PHP noob, I'm sure..

Post by bla5e »

Code:

    if (is_string($_POST['category'])) {
        // Add new category to ideamap_categories
        // (every $_POST value arrives as a string, so this branch is always taken,
        // even when the drop-down sent a numeric id)
        // The raw $_POST value is interpolated straight into the SQL string
        $sql = pg_query($db, "INSERT INTO categories (category) VALUES ('{$_POST['category']}')");
        if (!$sql) {
            echo '<script type="text/javascript"> alert("Error while adding the new category to the database."); </script>';
        } else {
            // Look the new row up again to get its id
            $getcategoryid = pg_query($db, "SELECT id FROM categories WHERE category='{$_POST['category']}'");
            $categoryid = pg_fetch_result($getcategoryid, 0);
        }
    } else if (is_numeric($_POST['category'])) {
        // Intended for an id chosen from the drop-down; never reached (see above)
        $categoryid = $_POST['category'];
    }

Code:

    function addidea() {
        var topic = $('#topic').val();
        var idea = $('#idea').val();
        var category;
        if ( $('#categorytb').val() == '' ) {
            category = $('#categorydd').val();   // nothing typed: use the drop-down's value (the category id)
        } else if ( $('#categorydd').val() == '' ) {
            category = $('#categorytb').val();   // nothing selected: use the typed name
        }
        // Pass an object so jQuery URL-encodes each value; a hand-built query
        // string breaks on '&', '=' or '+' in the topic or idea text.
        $.post('/addit/', { add: 't', topic: topic, category: category, idea: idea }, function(data) {
            $('#dowork').html(data);
        });
    }
I have a drop-down that is populated with the categories already in the database, or a textbox to add a new category. It makes new ones fine, but if one is selected from the drop-down (value=categoryID#) it thinks it's a string and adds it back to the database. The JavaScript is what posts to the PHP.
phu
Forum Commoner
Posts: 61
Joined: Tue Mar 30, 2010 6:18 pm

Re: Why isn't this working?! PHP noob, I'm sure..

Post by phu »

All POST values are passed back to PHP as strings, regardless of their 'actual' type.

Your options here are either to use different field names for the text field and the dropdown (this would be my choice) or check for numeric values, for example:

Code:

    // Accept only strings that survive a round trip through (int): "5" passes,
    // "5abc" and "1.5" do not. The strict === matters: with a loose (int)$x == $x,
    // PHP 7 treats "5abc" as the number 5 and lets it through.
    if ((string)(int)$x === $x)
    { ... }
However, this leaves the possibility of the user entering an integer in the text field that does not link up to a valid category (another reason to use a separate field for entering text for a new category). Of course, either way, you should be doing type checking and validation on the category ID being submitted.

More importantly: DO NOT embed POST variables directly in queries like that! For postgres, use pg_escape_string to make sure you're not opening yourself up to SQL injection attacks.
bla5e
Forum Contributor
Posts: 234
Joined: Tue May 25, 2004 4:28 pm

Re: Why isn't this working?! PHP noob, I'm sure..

Post by bla5e »

Don't worry, I have my pg escape in there:

Code:

    // Escape every POST value for use inside a single-quoted SQL literal
    foreach ($_POST as $key => $value) {
        $_POST[$key] = pg_escape_string(stripslashes($value));
    }
But for the answer to the thread, I figured out that this works:

Code:

    if (preg_replace('/[0-9]/', '', $_POST['category']) != '') {
        // Strip every digit; if anything is left, it's text (a new category name)
    } else if (is_numeric($_POST['category'])) {
        // Only digits: an existing category id
    } else {
        // Should NEVER happen (only an empty value ends up here)
    }
Not perfect, but for my case it should never fail.
phu
Forum Commoner
Posts: 61
Joined: Tue Mar 30, 2010 6:18 pm

Re: Why isn't this working?! PHP noob, I'm sure..

Post by phu »

bla5e wrote: Not perfect, but for my case it should never fail.
It may not technically fail... but as I mentioned, it won't catch invalid numeric input (floats will return true), nor will it catch submission of invalid integers (-9, for instance), at which point your database has become inconsistent.

Of course, this is from a MySQL standpoint; if you're actually using foreign key fields in Postgres and they're validating input, then your queries do actually have a chance of failing.
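Putting phu's two replies together (separate field names for the drop-down and the textbox, strict validation of the id so that floats, negatives and unknown ids are rejected, and bound parameters instead of interpolating POST data into the query), here is an added example of what the server side of /addit/ could look like. It is not bla5e's code or anything from the forum; it assumes a table categories(id serial primary key, category text unique), an ideas table whose category_id references categories(id), that the page posts the drop-down as category_id and the textbox as new_category, and a made-up pg_connect() DSN.

```php
<?php
// Added example, not the original poster's code. Assumed schema:
//   categories(id serial primary key, category text unique)
//   ideas(id serial primary key, topic text, category_id int references categories(id), idea text)
// Assumed form fields: 'category_id' (drop-down) and 'new_category' (textbox),
// sent under separate names so the server never has to guess the type.
declare(strict_types=1);

/**
 * Every $_POST value is a string, so the id check has to be done on the string.
 * Returns the id only for a canonical positive integer ("5"); "1.5", "-9",
 * "5abc", "007", " 5", "+5" and "" all return null.
 */
function parse_category_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT rejects floats, trailing garbage and leading zeros;
    // min_range => 1 rejects zero and negatives. It still tolerates surrounding
    // whitespace and a leading '+', so also require the exact round trip.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || (string) $id !== $raw) {
        return null;
    }
    return $id;
}

/**
 * Resolve the category for a submitted idea: insert a new one if a name was
 * typed, otherwise verify that the selected id really exists. Returns null on
 * any invalid input or database error. $db is a pg_connect() connection.
 */
function resolve_category($db, array $post): ?int
{
    $newName = trim((string) ($post['new_category'] ?? ''));
    if ($newName !== '') {
        // The name travels as a bound parameter: no quoting, no escaping, no
        // injection. RETURNING id replaces the follow-up SELECT (and its race).
        $res = pg_query_params(
            $db,
            'INSERT INTO categories (category) VALUES ($1) RETURNING id',
            [$newName]
        );
        if ($res === false) {
            return null; // e.g. unique violation; pg_last_error($db) has the detail
        }
        return (int) pg_fetch_result($res, 0, 'id');
    }

    $id = parse_category_id((string) ($post['category_id'] ?? ''));
    if ($id === null) {
        return null;
    }
    // Do not trust a well-formed id either: confirm it exists before storing it,
    // otherwise a forged value leaves a dangling reference (the FOREIGN KEY on
    // ideas.category_id is the database-side guard for the same problem).
    $res = pg_query_params($db, 'SELECT 1 FROM categories WHERE id = $1', [$id]);
    if ($res === false || pg_num_rows($res) !== 1) {
        return null;
    }
    return $id;
}

// Request handling for /addit/ (the DSN is a placeholder).
$db = pg_connect('host=localhost dbname=ideamap user=app password=changeme');
if ($db === false) {
    http_response_code(500);
    exit('Database unavailable.');
}

$categoryId = resolve_category($db, $_POST);
if ($categoryId === null) {
    http_response_code(400);
    exit('Invalid or unknown category.');
}

// The idea itself goes in the same way: values bound, never interpolated.
$res = pg_query_params(
    $db,
    'INSERT INTO ideas (topic, category_id, idea) VALUES ($1, $2, $3)',
    [(string) ($_POST['topic'] ?? ''), $categoryId, (string) ($_POST['idea'] ?? '')]
);
if ($res === false) {
    http_response_code(500);
    exit('Error while adding the idea.');
}
echo 'Idea added to category ', $categoryId, '.';
```

On the client side this only needs the jQuery call to send the two inputs under their own names, e.g. `{ add: 't', topic: topic, category_id: $('#categorydd').val(), new_category: $('#categorytb').val() }`, and the server decides which one applies. With bound parameters the blanket `pg_escape_string` loop over `$_POST` should go as well: that function produces text for the inside of a quoted SQL literal, so running it first and then binding the result stores the escape characters in the database.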