
What's the best way to share a form between add & edit re

Posted: Wed Aug 10, 2005 5:14 pm
by Jim_Bo
Hi,

What's the best way to share one form for adding a new record or editing a record?

The following shows the form when edit is used, but shows a blank page when adding a new record:


<?php

if (isset($_GET['edit'])) {

    // $_GET['id'] is dropped straight into the query string, unescaped
    $sql = mysql_query("SELECT * FROM table WHERE id='".$_GET['id']."'");
    while ($row = mysql_fetch_array($sql)) {
        $fname = $row['fname'];
        $lname = $row['lname'];
    }

    // the form below also echoes $_POST['edit'] and $id, neither of which is set here

?>

<form name="form" method="post" action="somewhere.php">
  <table width="36%" border="0" align="center" cellpadding="3" cellspacing="0">
    <tr>
      <td width="27%"><div align="right">First Name</div></td>
      <td width="73%"><input name="fname" type="text" value="<?php echo $fname; ?>"></td>
    </tr>
    <tr>
      <td rowspan="2" valign="top"><div align="right">Last Name</div></td>
      <td><input type="text" name="lname" value="<?php echo $lname; ?>"></td>
    </tr>
    <tr>
      <td><div align="right">
          <input name="action" type="hidden" value="<?php echo $_POST['edit']; ?>">
          <input type="hidden" name="id" value="<?php echo $id; ?>">
          <input type="submit" name="Submit" value="Submit"></div></td>
    </tr>
  </table>
</form>

<?php

} // closes if (isset($_GET['edit'])) -- the whole form above sits inside it

?>

Cheers

Posted: Wed Aug 10, 2005 5:43 pm
by s.dot
You could use $_GET instead of POST.

Set the parameters in your URL string:


http://www.domain.com/records.php?action=edit&record=1121

// or

http://www.domain.com/records.php?action=add&value=value&value2=value2

Posted: Wed Aug 10, 2005 6:29 pm
by Jim_Bo
Hi,

Not really what I am after; I would rather have it grab the variables from the db if $_GET['edit'] exists and show a blank form if $_GET['edit'] isn't passed ...


Cheers

Posted: Wed Aug 10, 2005 7:12 pm
by feyd
The form is inside the $_GET['edit'] conditional. If you move it out of that, and make sure all the variables you are printing in there are set (to blanks, just in case), you should get what you are looking for.

Posted: Wed Aug 10, 2005 7:19 pm
by Jim_Bo
Hi,

So you are saying move the form so it's after the final closing PHP tag?

Can you elaborate a little on:
"make sure all the variables you are printing in there are set (to blanks, just in case)"

Cheers

Posted: Wed Aug 10, 2005 8:58 pm
by timvw


<?php
if (isset($_GET['add']))
{
   // blank defaults, so the form renders for a new record
   $aname = '';
   $bname = '';
}
else if (isset($_GET['edit']))
{
   $rs = mysql_query(...);
   $row = mysql_fetch_assoc($rs);
   $aname = $row['aname'];
   $bname = $row['bname'];
}
// with neither parameter set, $aname and $bname stay undefined
?>

<html>
....

<form>
Aname: <input type='text' name='aname' value='<?php echo $aname; ?>'/>
Bname: <input type='text' name='bname' value='<?php echo $bname; ?>'/>
</form>
...
</html>

Imagine what happens if I change my avatar to "http://www.domain.com/records.php?actio ... ecord=1121".

When you visit this page (or any page with my avatar on it), your browser will try to load that page. With a little luck you can say bye-bye to your data :p

To avoid this style of attack I usually prefer to make add/update/delete pages only available via POST instead of GET.
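
Editor's worked example of the two points timvw makes (a shared add/edit form that always starts from blank defaults, and writes accepted only via POST): this is added code, not code from any poster in this thread. Assumptions: PDO with an SQLite file stands in for the thread's mysql_* calls (removed in PHP 7), the table is named people(id, fname, lname) after the fields in the posted form, the seed row is constructed for the demo, and a per-session CSRF token is the technique swapped in to make the POST-only rule actually hold.

```php
<?php
// records.php: one form serves "add" (no id) and "edit" (?edit=1&id=N).
// Added example for this thread; table/column names and seed row are assumed.
session_start();

$pdo = new PDO('sqlite:' . sys_get_temp_dir() . '/records.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE IF NOT EXISTS people (id INTEGER PRIMARY KEY, fname TEXT, lname TEXT)');
if ((int) $pdo->query('SELECT COUNT(*) FROM people')->fetchColumn() === 0) {
    $pdo->exec("INSERT INTO people (fname, lname) VALUES ('Ada', 'Lovelace')"); // constructed seed row
}

// Per-session CSRF token: embedded in the form, checked on every POST.
if (empty($_SESSION['csrf'])) {
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Escape everything echoed into the HTML, so a stored name cannot inject markup.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 1. Blank defaults first, so the form always has something to print ("add" case).
$record = ['id' => null, 'fname' => '', 'lname' => ''];
$error  = '';

// 2. The only path that writes to the database: POST with a valid token.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $sent = (string) ($_POST['csrf'] ?? '');
    if ($sent === '' || !hash_equals($_SESSION['csrf'], $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
    $id    = filter_var((string) ($_POST['id'] ?? ''), FILTER_VALIDATE_INT); // false when blank
    $fname = trim((string) ($_POST['fname'] ?? ''));
    $lname = trim((string) ($_POST['lname'] ?? ''));
    if ($id === false) {
        // no id in the hidden field: this was the "add" form
        $pdo->prepare('INSERT INTO people (fname, lname) VALUES (?, ?)')->execute([$fname, $lname]);
        $id = (int) $pdo->lastInsertId();
    } else {
        // id present: this was the "edit" form; parameters, not string concatenation
        $pdo->prepare('UPDATE people SET fname = ?, lname = ? WHERE id = ?')->execute([$fname, $lname, $id]);
    }
    $record = ['id' => $id, 'fname' => $fname, 'lname' => $lname];
}
// 3. GET only ever reads, which is what makes ?edit=1&id=N safe to put in a link.
elseif (isset($_GET['edit'])) {
    $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT); // null if missing, false if not an int
    if ($id === null || $id === false) {
        $error = 'Bad id';
    } else {
        $stmt = $pdo->prepare('SELECT id, fname, lname FROM people WHERE id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row) { $record = $row; } else { $error = 'No such record'; }
    }
}
?>
<form method="post" action="records.php">
  <?php if ($error): ?><p><?= e($error) ?></p><?php endif; ?>
  First Name <input name="fname" type="text" value="<?= e($record['fname']) ?>">
  Last Name  <input name="lname" type="text" value="<?= e($record['lname']) ?>">
  <input type="hidden" name="id" value="<?= e((string) $record['id']) ?>">
  <input type="hidden" name="csrf" value="<?= e($_SESSION['csrf']) ?>">
  <input type="submit" value="<?= $record['id'] === null ? 'Add' : 'Save' ?>">
</form>
```

The form is outside every conditional, so it renders on a bare GET, on ?edit=1&id=N, and again after a POST; the conditionals only decide what goes into $record. A forum avatar or image tag can only produce a GET, and a GET here never changes anything.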

Posted: Wed Aug 10, 2005 9:38 pm
by Jim_Bo
Hi,
"To avoid this style of attack I usually prefer to make add/update/delete pages only available via POST instead of GET."
Is it safe to use $_GET to grab the initial record id to show the data in the form, then use a hidden field from there and $_POST the id to the delete function?

When I delete a record I send the id across the URL and use $_GET to grab the id and process the delete function .. is this not safe even when only certain user levels have access to the add/edit/delete code via sessions etc.?


Cheers

Posted: Thu Aug 11, 2005 5:55 am
by timvw
Reading http://shiflett.org/articles/foiling-cross-site-attacks (the part on CSRF) will clear things up :)
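
Editor's worked example for Jim_Bo's question about the GET-driven delete and why a session/user-level check on its own does not stop the avatar trick: this is added code, not code from timvw or Jim_Bo, and not taken from the linked article. Assumptions: the same people(id, fname, lname) SQLite table and $_SESSION['csrf'] token as an assumed records.php form would set, and a hypothetical $_SESSION['user_level'] field standing in for the thread's "certain user levels".

```php
<?php
// delete.php: a delete endpoint that the <img src="...delete.php?id=1121"> trick cannot drive.
// Added example for this thread; table name and session fields are assumed.
session_start();

// Why the session check alone is not enough: the browser attaches the session cookie to
// every request to this host, including the one an <img> tag in someone's avatar triggers.
// So a logged-in admin who merely views a page with that avatar would delete record 1121.
// Two things close that hole: refuse anything an <img>/<a> can produce (a GET), and require
// a secret the attacker's page cannot read (the token this session put in its own form).

function deny(int $status, string $msg): void {
    http_response_code($status);
    exit($msg);
}

if (($_SESSION['user_level'] ?? 0) < 2) {            // authorisation: still required
    deny(403, 'Not allowed');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {          // GET and HEAD can never delete
    header('Allow: POST');
    deny(405, 'Use POST');
}
$sent = (string) ($_POST['csrf'] ?? '');
if (empty($_SESSION['csrf']) || $sent === '' || !hash_equals($_SESSION['csrf'], $sent)) {
    deny(403, 'Bad CSRF token');                      // the attacker's page cannot know this value
}
// Defence in depth: when the browser sends an Origin header, it must be our own host.
if (isset($_SERVER['HTTP_ORIGIN'])) {
    $originHost = preg_replace('#^https?://#i', '', $_SERVER['HTTP_ORIGIN']);
    if ($originHost !== ($_SERVER['HTTP_HOST'] ?? '')) {
        deny(403, 'Cross-origin request');
    }
}

$id = filter_var((string) ($_POST['id'] ?? ''), FILTER_VALIDATE_INT);
if ($id === false) {
    deny(400, 'Bad id');
}

$pdo = new PDO('sqlite:' . sys_get_temp_dir() . '/records.sqlite');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$stmt = $pdo->prepare('DELETE FROM people WHERE id = ?');   // parameterised, not string-built
$stmt->execute([$id]);
echo $stmt->rowCount() ? "Deleted record $id" : "Nothing to delete";

// The delete button in a record list is itself a tiny POST form carrying the same token:
// <form method="post" action="delete.php">
//   <input type="hidden" name="id" value="1121">
//   <input type="hidden" name="csrf" value="<?= htmlspecialchars($_SESSION['csrf']) ?>">
//   <input type="submit" value="Delete">
// </form>
```

Reading the id with $_GET to display a record, as Jim_Bo asks, is fine: displaying does not change state. The rule is that the request which changes state must be a POST that carries a per-session secret, because the cookie-based login is exactly what the cross-site request rides on.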