form processing

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

yshaf13
Forum Commoner
Posts: 72
Joined: Mon Apr 03, 2006 7:59 pm

form processing

Post by yshaf13 »

Hi, here's the issue: I have multiple forms which all have a few common fields, but each form has a few distinct fields. I would like to have only one page to process the forms, but the SQL for each form is different, so I thought I'd pass the SQL for each form along with it in a hidden input.


<?php
// Query assembled on the form page from the posted values,
// then written into a hidden field for the processing page to read back
$sql1="insert into $table (id, title, date, short_desc) values('$id1','$title','$date','$short')";
?>
<input type="hidden" name="sql" value="<?php echo $sql1; ?>">
(I extract $_POST so I can use the short variables.) The problem is, it doesn't load the variables on the processing page; they stay blank. Any ideas?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Do not under any circumstances transmit the query. Analyze the post data and determine which query is needed from that.
yshaf13
Forum Commoner
Posts: 72
Joined: Mon Apr 03, 2006 7:59 pm

re

Post by yshaf13 »

What's wrong with transmitting the query? How do you suggest I analyze it?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The user can manipulate the query into something completely different and seriously compromise your database. It's a security hole large enough to drive four semi-trucks through side-by-side.

You've already specified how to determine which form the submission is coming from: they have some unique fields. Look for them.
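A worked version of the approach feyd describes, added here as an example (it is not yshaf13's code and not code from the thread): one processing page that identifies the form by its distinctive field and looks up the SQL on the server, so nothing the client sends is ever executed as a query. The table names `news` and `events`, the marker fields `short_desc` and `location`, and the in-memory SQLite database are assumptions made so the block runs offline; the hidden `sql` input from the original form is what an attacker would edit before submitting, and here it is simply an unknown field that gets ignored.

```php
<?php
// Added example, not the original poster's code. Assumes hypothetical tables
// `news` and `events`, that the news form alone has `short_desc` and the events
// form alone has `location`, and uses SQLite in memory in place of the real DB.
declare(strict_types=1);

// The SQL lives on the server, keyed by form name. Nothing here comes from the client.
const FORM_HANDLERS = [
    'news' => [
        'marker' => 'short_desc',
        'fields' => ['title', 'date', 'short_desc'],
        'sql'    => 'INSERT INTO news (title, date, short_desc) VALUES (:title, :date, :short_desc)',
    ],
    'event' => [
        'marker' => 'location',
        'fields' => ['title', 'date', 'location'],
        'sql'    => 'INSERT INTO events (title, date, location) VALUES (:title, :date, :location)',
    ],
];

// Identify the form by its distinctive field. Exactly one marker must be present;
// a submission carrying none or several is rejected rather than guessed at.
function detectForm(array $post): ?string
{
    $matches = [];
    foreach (FORM_HANDLERS as $name => $handler) {
        if (array_key_exists($handler['marker'], $post)) {
            $matches[] = $name;
        }
    }
    return count($matches) === 1 ? $matches[0] : null;
}

function processForm(PDO $pdo, array $post): void
{
    $name = detectForm($post);
    if ($name === null) {
        throw new InvalidArgumentException('Submission does not match exactly one known form');
    }
    $handler = FORM_HANDLERS[$name];

    // Only the fields this form declares are read; anything else in $post
    // (including a tampered "sql" input) is ignored.
    $params = [];
    foreach ($handler['fields'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("Missing or invalid field: $field");
        }
        $params[':' . $field] = $post[$field];
    }

    // Bound parameters, so a quote in the title cannot change the statement.
    $stmt = $pdo->prepare($handler['sql']);
    $stmt->execute($params);
}

// --- demo with constructed input ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, date TEXT, short_desc TEXT)');
$pdo->exec('CREATE TABLE events (id INTEGER PRIMARY KEY, title TEXT, date TEXT, location TEXT)');

// Constructed sample submissions standing in for $_POST.
$newsPost  = ['title' => "O'Reilly's talk", 'date' => '2006-04-03', 'short_desc' => 'A short description'];
$eventPost = ['title' => 'Meetup', 'date' => '2006-04-10', 'location' => 'Bothell'];

processForm($pdo, $newsPost);
processForm($pdo, $eventPost);

// A submission carrying an extra "sql" field is handled like any other news post:
// the value is never executed, because the server only reads declared fields.
processForm($pdo, $newsPost + ['sql' => 'DROP TABLE news']);

printf("news rows: %d, event rows: %d\n",
    $pdo->query('SELECT COUNT(*) FROM news')->fetchColumn(),
    $pdo->query('SELECT COUNT(*) FROM events')->fetchColumn());

// An ambiguous submission (both markers present) is refused instead of guessed.
try {
    processForm($pdo, $newsPost + ['location' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it with `php` from the command line; it needs the `pdo_sqlite` extension. The two things worth copying are the shape of `FORM_HANDLERS` (the client chooses a name, the server owns the statement) and the use of bound parameters, which also closes the separate hole in the original query, where `$title` was interpolated straight into the string.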
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Wow that is like giving the general public direct access to your database. Very very bad indeed.