form processing

Posted: Thu Aug 24, 2006 6:50 pm
by yshaf13
Hi, here's the issue: I have multiple forms which all have a few common fields, but each form has a few distinct fields. I would like to have only one page to process the forms, but the SQL for each form is different, so I thought I'd pass the SQL for each form along with it in a hidden input.

<?php
$sql1="insert into $table (id, title, date, short_desc) values('$id1','$title','$date','$short')";
?>
<input type="hidden" name="sql" value="<?php echo $sql1; ?>">
(I extract $_POST so I can use the short variables.) The problem is, it doesn't load the variables on the processing page - they stay blank. Any ideas?

Posted: Thu Aug 24, 2006 7:41 pm
by feyd
Do not under any circumstances transmit the query. Analyze the post data and determine which query is needed from that.

re

Posted: Thu Aug 24, 2006 8:59 pm
by yshaf13
What's wrong with transmitting the query? How do you suggest I analyze it?

Posted: Thu Aug 24, 2006 9:31 pm
by feyd
The user can manipulate the query into something completely different and seriously compromise your database. It's a security hole large enough to drive four semi-trucks through side-by-side.

You've already specified how to determine which form the submission is coming from: they have some unique fields. Look for them.
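
The approach feyd describes, as an added example that is not code from the thread: every SQL statement stays in a server-side catalogue, the handler works out which form was submitted from the distinct fields that are present, and values are bound as parameters rather than interpolated. The form names (`article`, `link`), their field names, and the SQLite tables are assumptions made for the illustration; the original poster's `$table`, `title`, `date` and `short_desc` are kept where they fit.

```php
<?php
// Added example (not from the thread). Form names, field names and the
// SQLite schema below are assumptions chosen to illustrate the pattern.

// Server-side catalogue of forms. The browser never sees or chooses SQL;
// it only supplies values. 'distinct' lists the fields that identify a form.
const FORMS = [
    'article' => [
        'distinct' => ['body'],
        'fields'   => ['title', 'date', 'short_desc', 'body'],
        'sql'      => 'INSERT INTO articles (title, date, short_desc, body)
                       VALUES (:title, :date, :short_desc, :body)',
    ],
    'link' => [
        'distinct' => ['url'],
        'fields'   => ['title', 'date', 'short_desc', 'url'],
        'sql'      => 'INSERT INTO links (title, date, short_desc, url)
                       VALUES (:title, :date, :short_desc, :url)',
    ],
];

// Identify the form purely from which distinct fields are present.
// Exactly one form must match; zero or several means a malformed submission.
function identify_form(array $post): ?string {
    $matches = [];
    foreach (FORMS as $name => $def) {
        $present = true;
        foreach ($def['distinct'] as $field) {
            if (!array_key_exists($field, $post)) { $present = false; break; }
        }
        if ($present) { $matches[] = $name; }
    }
    return count($matches) === 1 ? $matches[0] : null;
}

// Run the catalogued statement for the identified form with bound parameters.
// Only the expected fields are read; any other key in $post (such as a
// client-supplied 'sql' value) is ignored. Returns the form name handled.
function process_form(PDO $db, array $post): string {
    $name = identify_form($post);
    if ($name === null) {
        throw new InvalidArgumentException('could not identify form');
    }
    $def = FORMS[$name];
    $params = [];
    foreach ($def['fields'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field])) {
            throw new InvalidArgumentException("missing field: $field");
        }
        $params[':' . $field] = $post[$field];
    }
    $stmt = $db->prepare($def['sql']);
    $stmt->execute($params);
    return $name;
}

// Demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, date TEXT, short_desc TEXT, body TEXT)');
$db->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, title TEXT, date TEXT, short_desc TEXT, url TEXT)');

// A normal 'link' submission: identified by the presence of 'url'.
$post = ['title' => 'Hello', 'date' => '2006-08-24', 'short_desc' => 'demo', 'url' => 'http://example.com'];
echo process_form($db, $post), "\n";

// A submission that also carries a 'sql' field is handled identically: the
// key is not in the catalogue, so it never reaches the database.
$post['sql'] = 'anything the client wants to send';
echo process_form($db, $post), "\n";

// An ambiguous submission (distinct fields of two forms present) is rejected.
try {
    process_form($db, $post + ['body' => 'x']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

Because the table and column names come only from the server-side catalogue and the values go through `PDO::prepare` placeholders, nothing the form sends can change the shape of the statement; the hidden `sql` input from the original post becomes unnecessary and, if a client sends one anyway, it is simply dropped. Using the distinct fields for identification is exactly the check feyd suggests; the example additionally rejects submissions that match no form or more than one, which a real handler should treat as an error rather than guess.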

Posted: Thu Aug 24, 2006 9:42 pm
by Benjamin
Wow, that is like giving the general public direct access to your database. Very, very bad indeed.