Why isn't this working?! PHP noob, I'm sure..

Posted: Wed Apr 28, 2010 10:54 am
by bla5e

if (is_string($_POST['category'])) {
    // Add new category to ideamap_categories
    $sql = pg_query($db, "INSERT INTO categories (category) VALUES ('{$_POST['category']}')");
    if (!$sql) {
        echo '<script type="text/javascript"> alert("Error while adding the new category to the database."); </script>';
    } else {
        // Look the new row up again to get its id
        $getcategoryid = pg_query($db, "SELECT id FROM categories WHERE category='{$_POST['category']}'");
        $categoryid = pg_fetch_result($getcategoryid, 0);
    }
} else if (is_numeric($_POST['category'])) {
    // An existing category chosen from the drop-down
    $categoryid = $_POST['category'];
}

function addidea() {
    var topic = $('#topic').val();
    var idea = $('#idea').val();
    var category;
    if ($('#categorytb').val() == '') {
        // Text box empty: send the id selected in the drop-down
        category = $('#categorydd').val();
    } else if ($('#categorydd').val() == '') {
        // Drop-down empty: send the new category name from the text box
        category = $('#categorytb').val();
    }
    // Encode each value so '&' or '=' in the input cannot break the query string
    var poststr = 'add=t&topic=' + encodeURIComponent(topic) +
                  '&category=' + encodeURIComponent(category) +
                  '&idea=' + encodeURIComponent(idea);
    $.post('/addit/', poststr, function(data) { $('#dowork').html(data); });
}

I have a drop-down that is populated with the categories already in the database, or a textbox to add a new category. It makes new ones fine, but if one is selected from the drop-down (value=categoryID#) it thinks it's a string and adds it back to the database. The JavaScript is what posts to the PHP.

Re: Why isn't this working?! PHP noob, I'm sure..

Posted: Wed Apr 28, 2010 11:24 am
by phu
All POST values are passed back to PHP as strings, regardless of their 'actual' type.

Your options here are either to use different field names for the text field and the dropdown (this would be my choice) or check for numeric values, for example:

if ((int)$x == $x) {
    // $x is a whole number
}

However, this leaves the possibility of the user entering an integer in the text field that does not link up to a valid category (another reason to use a separate field for entering text for a new category). Of course, either way, you should be doing type checking and validation on the category ID being submitted.

More importantly: DO NOT embed POST variables directly in queries like that! For postgres, use pg_escape_string to make sure you're not opening yourself up to SQL injection attacks.

Re: Why isn't this working?! PHP noob, I'm sure..

Posted: Wed Apr 28, 2010 12:22 pm
by bla5e
Don't worry, I have my pg escape in there

foreach ($_POST as $key => $value) {
    $_POST[$key] = pg_escape_string(stripslashes($value));
}

but for the answer to the thread, I figured out that this works

if (preg_replace('/[0-9]/', '', $_POST['category']) != '') {
    // Strip all the digits; if something is left, it's text
} else if (is_numeric($_POST['category'])) {
    // Is a number
} else {
    // Should NEVER happen
}

Not perfect, but for my case it should never fail.

Re: Why isn't this working?! PHP noob, I'm sure..

Posted: Wed Apr 28, 2010 1:20 pm
by phu
bla5e wrote: Not perfect, but for my case it should never fail.
It may not technically fail... but as I mentioned, it won't catch invalid numeric input (floats will return true), nor will it catch submission of invalid integers (-9, for instance), at which point your database has become inconsistent.

Of course, this is from a MySQL standpoint; if you're actually using foreign key fields in postgres and they're validating input, then your queries do actually have a chance of failing.
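An added example (not code from either poster) showing the category handling done the way phu's two replies suggest: separate field names for the drop-down and the text box, an ID check that rejects floats and negative values, and bound parameters instead of interpolating POST values into the SQL. It assumes an open connection in $db, the categories table (columns id, category) from the thread, and the field names new_category and existing_category.

```php
<?php
// Added example, not from the thread. Assumes $db is an open pg connection
// and that the form uses two separate fields: new_category (text box) and
// existing_category (drop-down holding a category id).

function resolve_category_id($db, array $post) {
    $new      = isset($post['new_category']) ? trim($post['new_category']) : '';
    $existing = isset($post['existing_category']) ? $post['existing_category'] : '';

    if ($new !== '') {
        // A new category typed into the text box. With pg_query_params the
        // value is sent as a bound parameter, so quotes in it cannot change
        // the statement and no pg_escape_string call is needed.
        $res = pg_query_params(
            $db,
            'INSERT INTO categories (category) VALUES ($1) RETURNING id',
            array($new)
        );
        if ($res === false) {
            return null; // caller reports the error
        }
        return (int) pg_fetch_result($res, 0, 0);
    }

    // Otherwise an id chosen from the drop-down. is_numeric() would accept
    // "1.5", "-9" or "1e3"; ctype_digit() accepts only an unsigned integer.
    if ($existing === '' || !ctype_digit($existing)) {
        return null;
    }
    $id = (int) $existing;

    // Confirm the id exists, so a hand-edited form post cannot attach an
    // idea to a category that is not in the table.
    $res = pg_query_params($db, 'SELECT id FROM categories WHERE id = $1', array($id));
    if ($res === false || pg_num_rows($res) === 0) {
        return null;
    }
    return $id;
}

$categoryid = resolve_category_id($db, $_POST);
if ($categoryid === null) {
    echo '<script type="text/javascript"> alert("Invalid or missing category."); </script>';
    exit;
}
```

If the categories column has a foreign key on the ideas table, the existence check is still worth keeping: it lets you report the problem before the INSERT of the idea fails.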