A Better Way?

psurrena
Forum Contributor
Posts: 355
Joined: Thu Nov 10, 2005 12:31 pm
Location: Broolyn, NY

A Better Way?

Post by psurrena »

I'm writing blog software and was working on a way to change the status of an article to determine where it is filed. My code works and works well but it seems like there might have been an easier way to achieve the second part. Any ideas?

if (isset($_POST['update_incomplete'])){
	$query = "UPDATE article SET status='$_POST[status]'";
	mysql_query($query) or die (mysql_error());
	header ("location: $_SERVER[PHP_SELF]");
}

echo "<ul>";
echo '<form method="POST">';
$query = "SELECT * FROM article WHERE status=1";
$result = mysql_query($query) or die (mysql_error());
while($row=mysql_fetch_assoc($result)){
	echo "<li><a href=\"article.php?$a_id\">$row[title]</a><br />";
	echo 'Status: ';

	switch ($row['status']) {
		case 0:
			echo '<select name="status"><option value="0" selected="selected">Incomplete</option><option value="1">Current</option><option value="2">Archive</option></select>';
			break;                                
		case 1:
			echo '<select name="status"><option value="0">Incomplete</option><option value="1" selected="selected">Current</option><option value="2">Archive</option></select>';
			break;
		case 2:
			echo '<select name="status"><option value="0">Incomplete</option><option value="1">Current</option><option value="2" selected="selected">Archive</option></select>';
			break;
	}
	echo "</li>";
}
echo "</ul>";
.....more code
.....submit button
The last section of code is repeated two more times for the different categories (Current and Archive).

So when I change the status via the select menu, it changes the status in the db and moves the article to the appropriate category on this page.

Thanks,
-Pete
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

If you don't mind building a little bit of architecture, I'd make some form builder classes where you can create a select list using syntax like:

echo createSelectList(
  'status',
  array(0 => 'Incomplete', 1 => 'Current', 2 => 'Archive'),
  $row['status']
);
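As an added example (my code, not Ambush Commander's), here is one way such a createSelectList function could look, together with the loop from the first post rewritten to use it. The option array is the one shown above; the sample rows are constructed here to stand in for the SELECT result. Every name, value and label is passed through htmlspecialchars so a stored title cannot inject markup into the page, and the comparison is done on strings because mysql_fetch_assoc returns the status column as a string.

```php
<?php
// Added example, not code from the thread: one function replaces the three
// switch branches, which differ only in which <option> carries selected="selected".

function createSelectList($name, array $options, $selected)
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
    foreach ($options as $value => $label) {
        // Compare as strings: array keys are ints, the DB column arrives as a string.
        $isSelected = ((string) $value === (string) $selected) ? ' selected="selected"' : '';
        $html .= '<option value="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"'
               . $isSelected . '>'
               . htmlspecialchars($label, ENT_QUOTES, 'UTF-8')
               . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample rows standing in for "SELECT * FROM article WHERE status=1".
$rows = array(
    array('a_id' => 7, 'title' => 'First post',        'status' => '1'),
    array('a_id' => 9, 'title' => 'Draft <b>bold</b>', 'status' => '1'),
);
$statuses = array(0 => 'Incomplete', 1 => 'Current', 2 => 'Archive');

echo "<ul>\n";
foreach ($rows as $row) {
    // Escape the title too; it came from the database, not from a trusted constant.
    echo '<li><a href="article.php?a_id=', (int) $row['a_id'], '">',
         htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), '</a><br />';
    echo 'Status: ', createSelectList('status', $statuses, $row['status']), "</li>\n";
}
echo "</ul>\n";
```

One thing to watch in the original loop: every row's select is named status, so if all rows sit in one form only the last value reaches $_POST. Naming the control per article, for example status[7], gives the handler one value per row and tells it which article to update.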
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

$_POST data should not be used in queries unless it's passed escapement, validation and verification.
$_SERVER['PHP_SELF'] should almost never be used anywhere.

As for your <select> box creation... it's largely the same, shifting the selected status. That means it can be automated... say with some variables and a single echo.
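To make feyd's two points concrete, here is the update handler from the first post rewritten as an added example (my code, not the poster's). It assumes the form posts an article_id field alongside status (the original has no per-row id, so the UPDATE changed every row) and that the table has an a_id column. Request values are verified to be present, validated against a fixed list of status codes, and then bound to a prepared statement, so they never become part of the SQL text. The redirect goes to a fixed relative path rather than $_SERVER['PHP_SELF'], which reflects whatever path the browser sent, including extra path segments, and so should not be echoed into markup or headers unescaped. An in-memory SQLite database is constructed so the block runs stand-alone; for MySQL only the DSN changes.

```php
<?php
// Added example, not code from the thread: the status update done with
// verification, validation and parameter binding instead of string interpolation.

$allowedStatuses = array(0 => 'Incomplete', 1 => 'Current', 2 => 'Archive');

function updateArticleStatus(PDO $db, array $post, array $allowed)
{
    // 1. Verification: both fields must be present before anything else runs.
    if (!isset($post['article_id'], $post['status'])) {
        return false;
    }
    // 2. Validation: ctype_digit accepts only unsigned integer strings, so
    //    values like "1 OR 1=1", "1.0", "" or "-1" are rejected here.
    if (!ctype_digit((string) $post['article_id']) || !ctype_digit((string) $post['status'])) {
        return false;
    }
    $id     = (int) $post['article_id'];
    $status = (int) $post['status'];
    if (!array_key_exists($status, $allowed)) {
        return false;   // not one of the known status codes
    }
    // 3. Binding: values travel separately from the SQL, so no escaping is needed.
    //    The WHERE clause limits the change to the one article that was edited.
    $stmt = $db->prepare('UPDATE article SET status = :status WHERE a_id = :id');
    $stmt->execute(array(':status' => $status, ':id' => $id));
    return $stmt->rowCount() === 1;
}

// --- constructed fixture so the example runs without a MySQL server ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (a_id INTEGER PRIMARY KEY, title TEXT, status INTEGER)');
$db->exec("INSERT INTO article VALUES (1, 'First', 1), (2, 'Second', 1)");

$attempts = array(
    array('article_id' => '2', 'status' => '2'),             // legitimate: archive article 2
    array('article_id' => '1', 'status' => "2' OR '1'='1"),  // fails validation, never reaches SQL
    array('article_id' => '1', 'status' => '9'),             // fails validation: unknown status code
);
foreach ($attempts as $post) {
    var_dump(updateArticleStatus($db, $post, $allowedStatuses));
}
foreach ($db->query('SELECT a_id, status FROM article ORDER BY a_id') as $row) {
    echo 'article ', $row['a_id'], ' status ', $row['status'], "\n";
}

// 4. Redirect to a fixed, relative path instead of $_SERVER['PHP_SELF'].
//    Commented out so the block can be run from the command line.
// header('Location: articles.php');
```

Only the first attempt changes a row; the other two are refused by validation before any query is built, which is the point feyd is making: escaping is the last line, not the first.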
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

$_POST data should not be used in queries unless it's passed escapement, validation and verification.
Ack, missed that. That's a very serious issue.
psurrena
Forum Contributor
Posts: 355
Joined: Thu Nov 10, 2005 12:31 pm
Location: Broolyn, NY

Post by psurrena »

What is the problem with $_SERVER[PHP_SELF]?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Because it is easily faked. (try googling it!)
psurrena
Forum Contributor
Posts: 355
Joined: Thu Nov 10, 2005 12:31 pm
Location: Broolyn, NY

Post by psurrena »

Thank you for your help.

One more quick question in terms of posting data. I am using "mysql_real_escape_string" for escapement. I can use regex for some things to make sure it's the right types of data, but what else should be done with forms in terms of security?
Ambush Commander
DevNet Master
Posts: 3698
Joined: Mon Oct 25, 2004 9:29 pm
Location: New Jersey, US

Post by Ambush Commander »

Validation and escaping pretty much cover it all. From there, you get to advanced topics like CSRF protection or using database binding to ensure all data is always escaped.
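The CSRF protection mentioned here, as an added example (my code, not Ambush Commander's): a per-session token that every status form embeds as a hidden field and that the update handler checks before any validation or query runs. On a real page session_start() provides $_SESSION; in this stand-alone block it is filled in by hand so the walk-through runs from the command line. Function names and the article_id field are my assumptions.

```php
<?php
// Added example, not code from the thread: session-bound CSRF token for the status form.

function csrfToken()
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG (random_bytes is PHP 7+), hex-encoded for the form.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField()
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '" />';
}

function csrfCheck(array $post)
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token through timing.
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Handler sketch: the token check comes first, before validation and the prepared UPDATE.
function handleStatusPost(array $post)
{
    if (!csrfCheck($post)) {
        return 'rejected: missing or stale CSRF token';
    }
    // ... validation of article_id/status and the bound UPDATE go here ...
    return 'accepted: status ' . (int) $post['status'] . ' for article ' . (int) $post['article_id'];
}

// --- constructed walk-through ---
$_SESSION = array();   // stands in for session_start() on a web request

// The page's own form carries the hidden token field.
echo '<form method="post" action="articles.php">', csrfField(), "</form>\n";

// A form submitted from another site cannot know the token; our own form includes it.
$forged  = array('article_id' => '1', 'status' => '2');
$genuine = $forged + array('csrf_token' => csrfToken());

echo handleStatusPost($forged), "\n";
echo handleStatusPost($genuine), "\n";
```

The token is generated once per session and reused for every form on the site, which is enough for this case; the handler refuses the request outright when the token is absent or does not match, so the database is never touched by a request that did not originate from one of the site's own pages.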
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Umm.. Basically just be aware of everything that you DON'T want and be sure to validate the posted variables. Always.