[SOLVED] Is it me or can't this be done in PHP?

ghost007
Forum Commoner
Posts: 49
Joined: Sat Nov 22, 2003 10:10 am

[SOLVED] Is it me or can't this be done in PHP?

Post by ghost007 »

Hi,

I tried to find a solution for days now but couldn't figure it out nor find relative information on the internet so all help will be much appreciated.

The idea:
I allow users to add urls to protect and define a requested user level needed to access these pages. Naturally I want to allow more than 1 page to protect so let's say I defined 3 urls.

See the image for an example of the output in html:
http://www.awix.net/update%20protect%20 ... 0prob.JPEG

The Prob:
=> how to update in mysql without knowing the var names?

I mean ..
I add all this information to mysql and query the DB to output data to the user. (until here no prob :flamed2: BUT ...)

If I now want to allow to edit already entered pages, how can I get the names of my vars as these are defined depending on how many urls the user already entered.

I found out that I can use a while loop to get all the vars posted but even then how can I use them to update the right url and associated level in mysql?

I don't know if this is clear enough so do not hesitate to ask more details if needed. I also added a print screen of an example output which illustrates what I tried to explain.
IMG: http://www.awix.net/update%20protect%20 ... 0prob.JPEG

thx for all help as it is much needed :)

cheers
Siech
Last edited by ghost007 on Mon Nov 24, 2003 2:30 pm, edited 1 time in total.
Gen-ik
DevNet Resident
Posts: 1059
Joined: Mon Aug 12, 2002 7:08 pm
Location: London. UK.

Post by Gen-ik »

I would love to help but your post has just confused the hell out of me and now I need to go and lay down for half an hour.
Cruzado_Mainfrm
Forum Contributor
Posts: 346
Joined: Sun Jun 15, 2003 11:22 pm
Location: Miami, FL

Post by Cruzado_Mainfrm »

i didn't get it either, do you want to edit the already existing urls and their respective dropdown selection? but you say you don't know the var names, what u mean by variable names in THIS case? u don't have a 'name' attribute for every input field or dropdown? is that what you say?
ghost007
Forum Commoner
Posts: 49
Joined: Sat Nov 22, 2003 10:10 am

thx for fast replies :)

Post by ghost007 »

I'm very sorry for the confusion Gen-ik :roll: :) and I think the prob is that I would have very difficult to explain this in my mother tongue so in english I did my best without success apparently.

I will try to be a bit more precise.

when a user enters the url for the first time he will only see the ADD a new url textbox. it's no prob to do this as it's pure html:

Code:

<tr valign="top"> 
            <td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR">Add 
              page: 
              <input name="add_page" type="text" id="add_page" value="" size="51">
              <select name="level" id="level">
                <option value="0" selected>0: User</option>
                <option value="1">1: Viewer</option>
                <option value="2">2: Editor</option>
                <option value="3">3: Power User</option>
                <option value="4">4: Admin</option>
              </select> </td>
          </tr>
so I have a var "add_page" that has the value of the url and a var "level" with the value of the level that the user required. Until here nothing special and no prob.

But now that the user added a url to protect in my mysql table. i will add the code for a filled in text box and a drop down list with a selected level.

to identify the vars I use the ID of my mysql rows as var names.
e.g.:

Code:

<tr valign="top"> 
            <td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR"> 
              1. <input name="P2" type="text" id="P0" value="http://localhost:9000/template/phpguru/fetch/test2.html" size="60">
			  <select name="levelid_2">
			  <option  value="0" >0: User</option>
			  <option  value="1">1: Viewer</option>
			  <option  value="2">2: Editor</option>
			  <option selected value="3">3: Power User</option>
			  <option  value="4">4: Admin</option>
			  <option  value="5">5: Owner</option></select> 
              </td>
          </tr>
all the var names and values that you see in this example are generated from mysql values. and will be different depending how many urls the user has already added.

for example the var name of the textbox for this url is "P2" => this is column ID 2 in my mysql table and should allow me to update the right url if the user updates this url. If he now ADD's a new URL the value of the textbox will be "P3" and so on.

My prob is that I don't know how many urls the user already added so I cannot enter this var names in PHP!
so normally you would go for a simple:

Code:

<?php
$HTTP_POST_VARS['P2'];
?>
And then update P2 into your table.

But here I cannot enter this in my PHP code as P2 is created dynamically depending on the input of the user.

So is it possible to update vars in mysql from php if their name is not known when creating the code?

hope this was not just more confusing

thx
siech
sanyuan
Forum Newbie
Posts: 10
Joined: Sat Nov 22, 2003 8:55 pm
Location: australia

Post by sanyuan »

I think i understand, does this answer your question....

you could do a foreach loop of $HTTP_POST_VARS eg.

Code:

<?php
$ignore_vars = array('aaa','bbb','ccc');
foreach ( $HTTP_POST_VARS as $key => $val )
{
if ( !in_array($key) )
{
/* Do your mysql stuff */
}
}
?>
you could also prefix your field names, and put if(ereg("^PREFIX_",$fieldname))

was this helpful or was i way off ?
sanyuan
Forum Newbie
Posts: 10
Joined: Sat Nov 22, 2003 8:55 pm
Location: australia

Post by sanyuan »

sorry i buggered up the in_array bit.... should be like this

Code:

<?php
if ( !in_array($key, $ignore_vars) ) 

?>
infolock
DevNet Resident
Posts: 1708
Joined: Wed Sep 25, 2002 7:47 pm

Post by infolock »

ok, i read this, and i'm gonna attempt to answer it the best that I can from my understanding of what you are saying..
for example the var name of the textbox for this url is "P2" => this is column ID 2 in my mysql table and should allow me to update the right url if the user updates this url. If he now ADD's a new URL the value of the textbox will be "P3" and so on.

My prob is that I don't know how many urls the user already added so I cannot enter this var names in PHP!
so normally you would go for a simple:
I'm assuming that you are saying you have a table, and within this table is a field that contains P1, P2, P3, etc, meaning it inc's every time a user adds a URL. So, why not just do a "Select count(field_in_question) from mytable where user = 'User_that_submitted'"; ?

that way, you can get how many times they have submitted urls..

Code:

<?php 
$HTTP_POST_VARS['P2']; 
?>
now, this block of code, i'm not sure what you are wanting to do with it... i have no idea what this is supposed to stand for, so i dunno if it's useful or not. If you are parsing the table based on what the user chooses with this, and want to get a count, then the same reasoning goes for the query i gave you above.

And then update P2 into your table.

But here I cannot enter this in my PHP code as P2 is created dynamically depending on the input of the user.
yes you can. just $myvar = $_POST['p2'];

then a simple query to insert $myvar into mysql would be in order .
So is it possible to update vars in mysql from php if their name is not known when creating the code?

hope this was not just more confusing

thx
siech
i'm not sure what you are saying here. are you asking if it's possible to update to a table when you are unsure what the fields are? if so, no. you have to know what fields to insert into a table before you can add it.

or are you asking if it's possible to update a table with values from a variable without knowing what values they are submitting? this would be yes, though i don't know why you would want to. the reason for tables is to sort data and make it easier to search for, so if you have no idea what content is gonna be in that table, what's the use of saving it?


dunno, i'm sorry that you don't speak english very well as you sound like you know what you are doing with php, it's just trying to decipher your problem into readable english that is hampering our ability to help you out :(

hope that helped in some way. otherwise, just keep trying and eventually we'll get what you are trying to say, and possibly even solve the problem for ya :P
ghost007
Forum Commoner
Posts: 49
Joined: Sat Nov 22, 2003 10:10 am

Wow thx for great replies!

Post by ghost007 »

thx a lot for these great replies that really got me into the right direction!

Ok after a lot of testing I have this:

Code:

<?php
		while(list($key,$value)= each($_GET)){
			if(ereg("^url_",$key) || ereg("^levelid_",$key) ) {
				$urlid = ereg_replace ("^url_","",$key);
			echo $key ."=". $value." Where= ".$urlid."<br>";
			}
		}

?>
NOTE: For testing purpose I echo to html so I can check the contents of the vars but naturally once I have the right output this echo will be changed to an update query.

If I run this code my output is almost what I need so I hope this code example will make my objective clear now.

What I do in the code above:
1) Use the while loop to get all the vars posted (equal as the foreach you showed me Sanyuan thx);
2) i use the ereg function to filter out the GET params that I want to use in my update query (thx for the tip btw :) )
3) I filter out the static part "url_id" and save only the dynamic part in the var $urlid so I can use this var in my WHERE clause of the mysql query (this is the id of the row I want to update).
4) I output to html (this will be my update query);

I still have a prob:
Well this is the output to html:

url_2=http://localhost:9000/template/phpguru/fetch/test2.html Where= 2
levelid_2=1 Where= levelid_2
url_3=http://www.test.com Where= 3
levelid_3=2 Where= levelid_3
url_4=http://www.google.com Where= 4
levelid_4=3 Where= levelid_4

<END OF OUTPUT>

so I'm really close => URL is OK and WHERE is OK but I just have to find a way to get the value of levelid in another var (for the moment it's stuck in the var "Key = Value").

I'm still testing out to find a solution but if one of you masterbrains see the solution all help is still most appreciated.

Anyway thx a lot sanyuan and infolock for your patience and help it's very cool 8)

siech
sanyuan
Forum Newbie
Posts: 10
Joined: Sat Nov 22, 2003 8:55 pm
Location: australia

Post by sanyuan »

Tried and tested 8), give it a go, it worked for me !

Code:

<?php
if ( isset($_POST) )
{
	/* Set Variables */
	$allow       = array('url','levelid');
	$buid_update = array();
	/* Loop through post array (foreach is used because each() no longer exists in PHP 8) */
	foreach ($_POST as $key => $update_value)
	{
		// If key has an underscore in it
		if ( strstr ($key,"_") )
		{
			// Explode the key so we get your prefix on 'left' and dynamic value on 'right'
			list($fieldname, $record_id) = explode("_",$key);
			// Uses the allow array to filter what fields to update in MySQL database
			if ( in_array ( $fieldname, $allow  ) )
				$buid_update[$record_id][] = " `$fieldname` = '$update_value' ";
		}
	}
	/* created update array to do MySQL update */
	foreach($buid_update as $record_id => $update_array)
	{
		$do_query = "UPDATE `table` SET ". implode(", ", $update_array)." WHERE ID = '$record_id'";
		echo "MySQL Query : $do_query<BR>";
	}
}
?>

This is the output:

Code:

MySQL Query : UPDATE `table` SET `url` = 'http://localhost:9000/template/phpguru/fetch/test2.html' , `levelid` = '3' WHERE ID = '1'
MySQL Query : UPDATE `table` SET `url` = 'http://test2' , `levelid` = '1' WHERE ID = '2'
MySQL Query : UPDATE `table` SET `url` = 'http://test4' , `levelid` = '5' WHERE ID = '3'
This is the HTML I tested it with :

Code:

<form action="" method="post">
<table width="100%" border="0" cellspacing="0" cellpadding="0">
<tr valign="top"> 
<td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR"> 
1. 
<input name="url_1" type="text" id="P0" value="http://localhost:9000/template/phpguru/fetch/test2.html" size="60">
<select name="levelid_1" id="levelid_1">
<option  value="0" >0: User</option>
<option  value="1">1: Viewer</option>
<option  value="2">2: Editor</option>
<option selected value="3">3: Power User</option>
<option  value="4">4: Admin</option>
<option  value="5">5: Owner</option>
</select>
</td>
</tr>
<tr valign="top">
<td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR">2. 
<input name="url_2" type="text" id="P0" value="http://test2" size="60">
<select name="levelid_2">
<option  value="0" >0: User</option>
<option  value="1" selected>1: Viewer</option>
<option  value="2">2: Editor</option>
<option value="3">3: Power User</option>
<option  value="4">4: Admin</option>
<option  value="5">5: Owner</option>
</select>
</td>
</tr>
<tr valign="top">
<td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR">3. 
<input name="url_3" type="text" id="P0" value="http://test4" size="60">
<select name="levelid_3" id="levelid_3">
<option  value="0" >0: User</option>
<option  value="1">1: Viewer</option>
<option  value="2">2: Editor</option>
<option value="3">3: Power User</option>
<option  value="4">4: Admin</option>
<option  value="5" selected>5: Owner</option>
</select>
</td>
</tr>
<tr valign="top">
<td height="42" colspan="3" align="left" valign="top" nowrap bgcolor="#FFFFCC" class="smallR">
<input type="submit" name="Submit" value="Submit">
</td>
</tr>
</table>
</form>
For any finer points just email me at barry@sanyuan.com.au
ghost007
Forum Commoner
Posts: 49
Joined: Sat Nov 22, 2003 10:10 am

THANK YOU!

Post by ghost007 »

8O Your code is great sanyuan! It does exactly what I wanted to obtain.

I'm afraid I would never have found this solution :roll: so thx 10000000000000000000 times :wink:

thx really
Siech
ghost007
Forum Commoner
Posts: 49
Joined: Sat Nov 22, 2003 10:10 am

SECURITY!

Post by ghost007 »

I just realised that I had a big security risk with this code as the ID of the page to update is defined from the form.

This means that it can be possible to update the records of other users! :evil:

So if someone else uses this code I recommend adding a second check to the WHERE clause with a check to a param from the DB. :twisted:

siech
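
The second WHERE check recommended in the last post, as an added example that is not part of the original thread: the record id still comes from the `url_<id>` / `levelid_<id>` field names, but every UPDATE is also bound to the owner taken from the server-side session, and all values are passed as bound parameters. The table name `protected_pages`, the `owner_id` column, the in-memory SQLite database and the sample rows are assumptions made for illustration.

```php
<?php
// Added example (not from the thread). Table/column names, the owner_id
// column and the sample rows are assumptions made for illustration.
declare(strict_types=1);

/** Group url_<id> / levelid_<id> fields by record id; ignore anything else. */
function collectUpdates(array $post): array
{
    $rows = [];
    foreach ($post as $key => $value) {
        // Allow-list the field prefix and require a purely numeric id.
        if (is_string($value) && preg_match('/^(url|levelid)_([1-9][0-9]*)$/D', (string) $key, $m)) {
            $rows[(int) $m[2]][$m[1]] = $value;
        }
    }
    return $rows;
}

/** Apply updates only to rows owned by $ownerId; returns the ids actually changed. */
function applyUpdates(PDO $db, int $ownerId, array $post): array
{
    // Values are bound, never interpolated; the owner comes from the session, not the form.
    $stmt = $db->prepare(
        'UPDATE protected_pages SET url = :url, levelid = :level
          WHERE id = :id AND owner_id = :owner'
    );
    $changed = [];
    foreach (collectUpdates($post) as $id => $row) {
        if (!isset($row['url'], $row['levelid']) || !ctype_digit($row['levelid'])
            || (int) $row['levelid'] > 5) {
            continue; // incomplete pair, or level outside the form's 0..5 range
        }
        $stmt->execute([':url' => $row['url'], ':level' => (int) $row['levelid'],
                        ':id' => $id, ':owner' => $ownerId]);
        if ($stmt->rowCount() === 1) {
            $changed[] = $id;
        }
    }
    return $changed;
}

// Constructed demo data: rows 1 and 2 belong to user 10, row 3 to user 20.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE protected_pages (id INTEGER PRIMARY KEY, owner_id INT, url TEXT, levelid INT)');
$db->exec("INSERT INTO protected_pages VALUES (1,10,'http://a',0),(2,10,'http://b',1),(3,20,'http://c',2)");
// User 10 submits a form whose field names also reference row 3 (owned by user 20).
$post = ['url_1' => 'http://a2', 'levelid_1' => '3', 'url_3' => 'http://c2', 'levelid_3' => '5'];
var_dump(applyUpdates($db, 10, $post)); // ids changed on behalf of user 10
```

Because the ownership test is part of the UPDATE itself, a submitted id that belongs to another user matches zero rows, with no separate lookup to forget.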