
A Better Way?

Posted: Tue Feb 06, 2007 3:26 pm
by psurrena
I'm writing blog software and was working on a way to change the status of an article to determine where it is filed. My code works and works well but it seems like there might have been an easier way to achieve the second part. Any ideas?

Code:

if (isset($_POST['update_incomplete'])){
	$query = "UPDATE article SET status='$_POST[status]'";
	mysql_query($query) or die (mysql_error());
	header ("location: $_SERVER[PHP_SELF]");
}

Code:

echo "<ul>";
echo '<form method="POST">';
$query = "SELECT * FROM article WHERE status=1";
$result = mysql_query($query) or die (mysql_error());
while($row=mysql_fetch_assoc($result)){
	echo "<li><a href=\"article.php?$a_id\">$row[title]</a><br />";
	echo 'Status: ';

	switch ($row['status']) {
		case 0:
			echo '<select name="status"><option value="0" selected="selected">Incomplete</option><option value="1">Current</option><option value="2">Archive</option></select>';
			break;                                
		case 1:
			echo '<select name="status"><option value="0">Incomplete</option><option value="1" selected="selected">Current</option><option value="2">Archive</option></select>';
			break;
		case 2:
			echo '<select name="status"><option value="0">Incomplete</option><option value="1">Current</option><option value="2" selected="selected">Archive</option></select>';
			break;
	}
	echo "</li>";
}
echo "</ul>";
.....more code
.....submit button
The last section of code is repeated two more times for the different categories (Current and Archive).

So when I change the status via the select menu, it changes the status in the db and moves the article to the appropriate category on this page.

Thanks,
-Pete

Posted: Tue Feb 06, 2007 5:41 pm
by Ambush Commander
If you don't mind building a little bit of architecture, I'd make some form builder classes where you can create a select list using syntax like:

Code:

echo createSelectList(
  'status',
  array(0 => 'Incomplete', 1 => 'Current', 2 => 'Archive'),
  $row['status']
);

Posted: Tue Feb 06, 2007 5:41 pm
by feyd
$_POST data should not be used in queries unless it's passed escapement, validation and verification.
$_SERVER['PHP_SELF'] should almost never be used anywhere.

As for your <select> box creation... it's largely the same, only shifting the selected status. That means it can be automated, say with some variables and a single echo.
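The two replies above (the form-builder helper and feyd's three points) can be put together in one rewrite of the original handler and list. The code below is an added example, not code from the thread: it assumes an `article` table with `id`, `title` and `status` columns, a mysqli connection in `$db`, PHP 5.4 or later, and that the page is served at `/admin/articles.php` (a fixed path used in place of `$_SERVER['PHP_SELF']`). The status values from the request are validated against a whitelist and cast to integers before they touch the query, the `UPDATE` is restricted to one article, and the three copies of the `<select>` markup collapse into one helper called from one loop.

```php
<?php
// Added example (not the original poster's code). Assumes: table `article`
// (id, title, status), a mysqli connection in $db, PHP >= 5.4, and that this
// script is served at /admin/articles.php.

// The only statuses the application knows about; anything else is rejected.
$statuses = array(0 => 'Incomplete', 1 => 'Current', 2 => 'Archive');

// One helper replaces the three hand-written <select> blocks. Every value and
// label is HTML-escaped so a title or label cannot break out of the markup.
function createSelectList($name, array $options, $selected)
{
    $html = '<select name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">';
    foreach ($options as $value => $label) {
        $html .= '<option value="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '"'
               . ((string) $value === (string) $selected ? ' selected="selected"' : '')
               . '>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</option>';
    }
    return $html . '</select>';
}

// Validation before anything reaches SQL: the id must be a positive integer and
// the status one of the whitelisted keys. Returns null when either check fails.
function validateStatusUpdate(array $post, array $statuses)
{
    $id = filter_var(isset($post['id']) ? $post['id'] : null,
                     FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    $status = filter_var(isset($post['status']) ? $post['status'] : null, FILTER_VALIDATE_INT);
    if ($id === false || $status === false || !array_key_exists($status, $statuses)) {
        return null;
    }
    return array('id' => $id, 'status' => $status);
}

if (isset($_POST['update_status'])) {
    $update = validateStatusUpdate($_POST, $statuses);
    if ($update === null) {
        http_response_code(400);
        exit('Invalid article id or status');
    }
    // Both values are now integers formatted with %d, so they cannot change the
    // statement's structure; the WHERE clause limits the change to one article.
    $db->query(sprintf('UPDATE article SET status=%d WHERE id=%d',
                       $update['status'], $update['id']));
    // Redirect to an application-controlled path, not to $_SERVER['PHP_SELF'].
    header('Location: /admin/articles.php');
    exit;
}

// One loop renders all three categories. Each row is its own form, so the
// submitted status belongs to exactly one article.
foreach ($statuses as $code => $label) {
    echo '<h2>' . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</h2><ul>';
    $result = $db->query(sprintf('SELECT id, title, status FROM article WHERE status=%d', $code));
    while ($row = $result->fetch_assoc()) {
        echo '<li><form method="post" action="/admin/articles.php">'
           . '<a href="article.php?id=' . (int) $row['id'] . '">'
           . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . '</a><br />'
           . 'Status: ' . createSelectList('status', $statuses, $row['status'])
           . '<input type="hidden" name="id" value="' . (int) $row['id'] . '" />'
           . '<input type="submit" name="update_status" value="Update" />'
           . '</form></li>';
    }
    echo '</ul>';
}
```

The whitelist does the real work here: because `status` and `id` are rejected unless they are integers the application expects, there is nothing left for `mysql_real_escape_string` to escape, and the `%d` formatting makes that explicit in the query. Escaping is still the right tool for free-text columns such as `title`, but a value that should be a number is better validated as one than escaped as a string.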

Posted: Tue Feb 06, 2007 6:01 pm
by Ambush Commander
$_POST data should not be used in queries unless it's passed escapement, validation and verification.
Ack, missed that. That's a very serious issue.

Posted: Tue Feb 06, 2007 7:31 pm
by psurrena
What is the problem with $_SERVER[PHP_SELF]?

Posted: Tue Feb 06, 2007 7:35 pm
by Ambush Commander
Because it is easily faked. (try googling it!)
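What "easily faked" means in practice: `$_SERVER['PHP_SELF']` is the script path plus any extra path the client appends (`/articles.php/anything`), and the extra part is URL-decoded and under the requester's control. The following is an added example, not part of the thread, with a constructed value standing in for what a request to `/articles.php/"><script>...` would put in `PHP_SELF`; it shows the attribute breaking out when the value is echoed raw, and the two usual fixes.

```php
<?php
// Added example (not from the thread). Constructed stand-in for
// $_SERVER['PHP_SELF'] on a request to /articles.php/<attacker-chosen path>:
// PHP_SELF = SCRIPT_NAME + PATH_INFO, and PATH_INFO arrives URL-decoded.
$simulatedPhpSelf = '/articles.php/"><script>alert(document.cookie)</script><a href="';

// The pattern the original post relies on: PHP_SELF dropped straight into markup.
// With the value above the action attribute is closed early and the script runs.
function unsafeFormTag($phpSelf)
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Escaping keeps the value inside the attribute, so the injected markup is inert.
function escapedFormTag($phpSelf)
{
    return '<form method="post" action="' . htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8') . '">';
}

// Better still: do not use the request-supplied value at all. An empty action
// posts back to the current URL; a fixed path is equally safe.
function fixedFormTag()
{
    return '<form method="post" action="">';
}

echo unsafeFormTag($simulatedPhpSelf), "\n";
echo escapedFormTag($simulatedPhpSelf), "\n";
echo fixedFormTag(), "\n";
```

The same extra path ends up in the `Location:` header in the first post's redirect, since that also interpolates `PHP_SELF`; a fixed path there (`header('Location: /admin/articles.php')`) removes the user-controlled value entirely.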

Posted: Tue Feb 06, 2007 8:16 pm
by psurrena
Thank you for your help.

One more quick question in terms of posting data. I am using "mysql_real_escape_string" for escapement; I can use regex for some things to make sure it's the right types of data, but what else should be done with forms in terms of security?

Posted: Tue Feb 06, 2007 8:18 pm
by Ambush Commander
Validation and escaping pretty much cover it all. From there, you get to advanced topics like CSRF protection or using database binding to ensure all data is always escaped.
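The two "advanced topics" named above, applied to the status update from the first post. This is an added example, not code from the thread: it assumes PHP 7 or later (for `random_bytes` and `hash_equals`), a PDO connection in `$pdo`, the same `article` table, and the page served at `/admin/articles.php`. The CSRF token is a per-session secret carried in a hidden field and compared in constant time, so a form submitted from another site (which cannot read the token) is rejected; the database binding sends the SQL text and the values separately, so no value can alter the statement and nothing needs escaping.

```php
<?php
// Added example (not the poster's code). Assumes PHP >= 7.0, a PDO connection
// in $pdo, table `article` (id, title, status), page at /admin/articles.php.
session_start();

// One secret per session. The form carries it; the handler checks it.
function csrfToken()
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison against the session copy; a missing or non-string
// token fails rather than throwing a notice.
function csrfTokenIsValid($submitted)
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Bound parameters: the statement is fixed and the values travel separately.
// Returns the number of rows changed (0 if no such article).
function updateArticleStatus(PDO $pdo, $id, $status)
{
    $stmt = $pdo->prepare('UPDATE article SET status = :status WHERE id = :id');
    $stmt->bindValue(':status', $status, PDO::PARAM_INT);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['update_status'])) {
    if (!csrfTokenIsValid(isset($_POST['csrf_token']) ? $_POST['csrf_token'] : null)) {
        http_response_code(403);
        exit('Invalid request token');
    }
    // Validation still comes first: binding stops injection, it does not make a
    // status of 7 or an id of -1 meaningful.
    $id = filter_var(isset($_POST['id']) ? $_POST['id'] : null,
                     FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    $status = filter_var(isset($_POST['status']) ? $_POST['status'] : null,
                         FILTER_VALIDATE_INT, array('options' => array('min_range' => 0, 'max_range' => 2)));
    if ($id === false || $status === false) {
        http_response_code(400);
        exit('Invalid article id or status');
    }
    updateArticleStatus($pdo, $id, $status);
    header('Location: /admin/articles.php');
    exit;
}

// The form: the hidden token travels with the article id and the chosen status.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="/admin/articles.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '" />'
   . '<input type="hidden" name="id" value="1" />'
   . '<select name="status"><option value="0">Incomplete</option>'
   . '<option value="1">Current</option><option value="2">Archive</option></select>'
   . '<input type="submit" name="update_status" value="Update" />'
   . '</form>';
```

When creating `$pdo`, set `PDO::ATTR_EMULATE_PREPARES` to `false` so MySQL itself performs the binding rather than the driver interpolating escaped values client-side; the statement is safe either way, but server-side prepares are what "database binding" is usually taken to mean.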

Posted: Tue Feb 06, 2007 8:19 pm
by superdezign
Umm.. Basically just be aware of everything that you DON'T want and be sure to validate the posted variables. Always.