Why isn't this working?! PHP noob, I'm sure..
Posted: Wed Apr 28, 2010 10:54 am
by bla5e
Code:
if (is_string($_POST['category'])) {
//Add new category to ideamap_categories
$sql = pg_query($db,"INSERT INTO categories (category) VALUES ('{$_POST['category']}')");
if (!$sql) {
echo '<script type="text/javascript"> alert("Error while adding the new category to the database."); </script>';
} else {
$getcategoryid = pg_query($db,"SELECT id FROM categories WHERE category='{$_POST['category']}'");
$categoryid = pg_fetch_result($getcategoryid,0);
}
} else if (is_numeric($_POST['category'])) {
$categoryid = $_POST['category'];
}
Code:
function addidea() {
var topic = $('#topic').val();
var idea = $('#idea').val();
if ( $('#categorytb').val() == '' ) {
var category = $('#categorydd').val();
} else if ( $('#categorydd').val() == '' ) {
var category = $('#categorytb').val();
}
var poststr = 'add=t&topic='+topic+'&category='+category+'&idea='+idea;
$.post('/addit/', poststr, function(data) { $('#dowork').html(data); });
}
I have a drop down that is populated with the categories already in the database, or a textbox to add a new category. It makes new ones fine, but if one is selected from the drop down (value=categoryID#) it thinks it's a string and adds it back to the database. The JavaScript is what posts to the PHP.
Re: Why isn't this working?! PHP noob, I'm sure..
Posted: Wed Apr 28, 2010 11:24 am
by phu
All POST values are passed back to PHP as strings, regardless of their 'actual' type.
Your options here are either to use different field names for the text field and the dropdown (this would be my choice) or check for numeric values, for example:
However, this leaves the possibility of the user entering an integer in the text field that does not link up to a valid category (another reason to use a separate field for entering text for a new category). Of course, either way, you should be doing type checking and validation on the category ID being submitted.
More importantly:
DO NOT embed POST variables directly in queries like that! For postgres, use
pg_escape_string to make sure you're not opening yourself up to SQL injection attacks.
Re: Why isn't this working?! PHP noob, I'm sure..
Posted: Wed Apr 28, 2010 12:22 pm
by bla5e
Don't worry, I have my pg escape in there
Code:
foreach($_POST as $key=>$value){ $_POST[$key] = pg_escape_string(stripslashes($value)); }
but for the answer to the thread, I figured out that this works
Code:
if (preg_replace('/[0-9]/', '', $_POST['category']) != '') {
// Replace all the digits with nothing; if the result is not empty, it's text
} else if (is_numeric($_POST['category'])) {
// Is number
} else {
//Should NEVER happen
}
Not perfect, but for my case it should never fail.
Re: Why isn't this working?! PHP noob, I'm sure..
Posted: Wed Apr 28, 2010 1:20 pm
by phu
bla5e wrote: Not perfect, but for my case it should never fail.
It may not technically fail... but as I mentioned, it won't catch invalid numeric input (floats will return true), nor will it catch submission of invalid integers (-9, for instance), at which point your database has become inconsistent.
Of course, this is from a MySQL standpoint; if you're actually using foreign key fields in postgres and they're validating input, then your queries do actually have a chance of failing.
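As an added example (not code from bla5e or phu), here is how the two suggestions in this thread fit together: separate field names for the dropdown and the text box, a strict integer check that rejects the floats and negative values phu mentions, and pg_query_params so the POST value is bound rather than interpolated into the SQL. It assumes $db is an open pg_connect() handle, a table categories(id serial primary key, category text), and the field names category_id and new_category.

```php
<?php
// Added example, not from the original thread. Assumed schema:
//   categories(id serial primary key, category text)
// Assumed form field names: category_id (dropdown), new_category (text box).

function resolveCategoryId($db, array $post) {
    // Case 1: existing category picked from the dropdown.
    if (isset($post['category_id']) && $post['category_id'] !== '') {
        // Every POST value arrives as a string. FILTER_VALIDATE_INT with a
        // min_range of 1 rejects '-9', '1.5', '12abc' and '' outright.
        $id = filter_var($post['category_id'], FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        // Confirm the id really exists; $1 is bound, never string-interpolated.
        $res = pg_query_params($db, 'SELECT id FROM categories WHERE id = $1', [$id]);
        if ($res === false || pg_num_rows($res) === 0) {
            return null;
        }
        return (int) pg_fetch_result($res, 0, 0);
    }

    // Case 2: new category typed into the text box.
    if (isset($post['new_category'])) {
        $name = trim($post['new_category']);
        if ($name === '' || strlen($name) > 100) {
            return null;
        }
        // RETURNING id removes the second SELECT from the original post, and
        // binding the value means no pg_escape_string call is needed here.
        $res = pg_query_params($db,
            'INSERT INTO categories (category) VALUES ($1) RETURNING id', [$name]);
        if ($res === false) {
            return null;
        }
        return (int) pg_fetch_result($res, 0, 0);
    }

    return null;
}

// Usage: $categoryid = resolveCategoryId($db, $_POST);
// A null result means the request should be rejected, not inserted.
```

Because the numeric check and the existence check both happen before any INSERT, a bad id from the dropdown can no longer be silently inserted as a new category name.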