What's the best way to share a form between add & edit re


Post by Jim_Bo »

Hi,

What's the best way to share one form for adding a new record or editing a record?

The following shows the form when edit is used, but shows blank page on add new record:


<?php

if (isset($_GET['edit'])) {

	// Cast the id to an integer so the request value cannot alter the SQL
	$id  = (int) $_GET['id'];
	$sql = mysql_query("SELECT * FROM table WHERE id='" . $id . "'");
	while ($row = mysql_fetch_array($sql)) {
		$fname = $row['fname'];
		$lname = $row['lname'];
	}

?>

<form name="form" method="post" action="somewhere.php">
  <table width="36%" border="0" align="center" cellpadding="3" cellspacing="0">
    <tr> 
      <td width="27%"><div align="right">First Name</div></td>
      <td width="73%"><input name="fname" type="text" value="<?php echo htmlspecialchars($fname); ?>"></td>
    </tr>
    <tr> 
      <td rowspan="2" valign="top"> <div align="right">Last Name</div></td>
      <td><input type="text" name="lname" value="<?php echo htmlspecialchars($lname); ?>"></td>
    </tr>
    <tr> 
      <td><div align="right">
          <input name="action" type="hidden" value="edit">
          <input type="hidden" name="id" value="<?php echo $id; ?>">
		  <input type="submit" name="Submit" value="Submit"></div></td>
    </tr>
  </table>
  </form>

<?php

} // closes if (isset($_GET['edit'])): the whole form above is only rendered in edit mode

?>

Cheers
Post by s.dot »

You could use $_GET instead of POST.

Set the parameters in your URL string:


http://www.domain.com/records.php?action=edit&record=1121

//or

http://www.domain.com/records.php?action=add&value=value&value2=value2
Post by Jim_Bo »

Hi,

Not really what I am after; I would rather have it grab the variables from the db if $_GET['edit'] exists and show a blank form if $_GET['edit'] isn't passed ...


Cheers
Post by feyd »

The form is inside the $_GET['edit'] conditional. If you move it out of there, and make sure all the variables you print in it are set (to blanks, just in case), you should get what you are looking for.
Post by Jim_Bo »

Hi,

So you are saying move the form so it is after the final closing PHP tag?

Can you elaborate a little on:
"make sure all the variables you are printing in there are set (to blanks, just in case)"
Cheers
Post by timvw »


<?php
if (isset($_GET['add']))
{
   // add: start with blank values so the echo below never hits an unset variable
   $aname = '';
   $bname = '';
}
else if (isset($_GET['edit']))
{
   // edit: prefill from the database
   $rs  = mysql_query(...);
   $row = mysql_fetch_assoc($rs);
   $aname = $row['aname'];
   $bname = $row['bname'];
}
?>

<html>
....

<form>
Aname: <input type='text' name='aname' value='<?php echo htmlspecialchars($aname); ?>'/>
Bname: <input type='text' name='bname' value='<?php echo htmlspecialchars($bname); ?>'/>
</form>
...
</html>

Imagine what happens if I change my avatar to "http://www.domain.com/records.php?actio ... ecord=1121".

When you visit this page (or any page with my avatar on it), your browser will try to load that URL. With a little luck you can say bye-bye to your data :p

To avoid this style of attack I usually prefer to make add/update/delete pages available only via POST instead of GET.
Post by Jim_Bo »

Hi,

"To avoid this style of attack I usually prefer to make add/update/delete pages available only via POST instead of GET."

Is it safe to use $_GET to grab the initial record id to show the data in the form, then use a hidden field from there and $_POST the id to the delete function?

When I delete a record I send the id across the URL and use $_GET to grab the id and process the delete function ... is this not safe even when only certain user levels have access to the add/edit/delete code via sessions etc.?


Cheers
Post by timvw »

Reading http://shiflett.org/articles/foiling-cross-site-attacks (the part on CSRF) will clear things up :)
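As an added example (not code from the thread or from any of its posters), here is how the one-form approach and timvw's POST-only rule fit together in current PHP: GET only selects which record to prefill, every write goes through POST and must carry a session token (the token check is the technique the linked article describes). The `$pdo` connection and the `people(id, fname, lname)` table are assumptions.

```php
<?php
// Added example, not from the thread. One form shared by "add" and "edit":
// reads go through GET; writes are accepted only via POST and only with a
// per-session CSRF token. Assumes (not from the thread) a PDO connection
// $pdo and a table people(id, fname, lname).
session_start();
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}
$fname = $lname = '';                              // blanks for "add", as feyd suggested
$id = isset($_GET['id']) ? (int) $_GET['id'] : 0;  // 0 = add, >0 = edit

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A write: refuse it unless the token matches. A link planted in an
    // avatar or image tag cannot carry this token, so it cannot trigger it.
    if (!hash_equals($_SESSION['csrf'], (string) ($_POST['csrf'] ?? ''))) {
        http_response_code(403);
        exit('Request rejected');
    }
    $id    = (int) ($_POST['id'] ?? 0);
    $fname = trim($_POST['fname'] ?? '');
    $lname = trim($_POST['lname'] ?? '');
    if ($id > 0) {
        $st = $pdo->prepare('UPDATE people SET fname = ?, lname = ? WHERE id = ?');
        $st->execute([$fname, $lname, $id]);
    } else {
        $st = $pdo->prepare('INSERT INTO people (fname, lname) VALUES (?, ?)');
        $st->execute([$fname, $lname]);
        $id = (int) $pdo->lastInsertId();
    }
} elseif ($id > 0) {
    // Edit: prefill from the database. A prepared statement keeps the id out
    // of the SQL string (the first post concatenated $_GET['id'] into it).
    $st = $pdo->prepare('SELECT fname, lname FROM people WHERE id = ?');
    $st->execute([$id]);
    if ($row = $st->fetch(PDO::FETCH_ASSOC)) {
        $fname = $row['fname'];
        $lname = $row['lname'];
    }
}
// Escape everything echoed into the page so stored values cannot inject markup.
$h = fn ($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
  First Name <input type="text" name="fname" value="<?= $h($fname) ?>">
  Last Name  <input type="text" name="lname" value="<?= $h($lname) ?>">
  <input type="hidden" name="id" value="<?= $id ?>">
  <input type="hidden" name="csrf" value="<?= $h($_SESSION['csrf']) ?>">
  <input type="submit" value="<?= $id > 0 ? 'Save changes' : 'Add record' ?>">
</form>
```

A delete handler would follow the same pattern: a POST with the id and the token, never a bare GET link, so a session alone is not enough to authorise the write.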