What's wrong with this code?

JeffK627
Forum Newbie
Posts: 2
Joined: Mon May 14, 2007 11:36 am

Post by JeffK627 »

Hello all, I'm new to this forum and also rather new to PHP. I wonder if anyone can spot the error in my code below:

Code:

<?php
	if (array_key_exists('_submit_check', $_POST)) {
		require("content/{$_POST["conspeed"]}.inc");
	}
	else {
        print
"<P>Please select your connection speed</P>
<FORM NAME='speedform' ID='speedform' METHOD='POST' ACTION='template.php?pgCo=media'>
	<input type='radio' name='conspeed' value='xslow' /> 28.8K Modem<br />
	<input type='radio' name='conspeed' value='slow' selected /> 56K Modem<br />
	<input type='radio' name='conspeed' value='med' /> DSL<br />
	<input type='radio' name='conspeed' value='fast' /> Cable Modem/Broadband<br />
	<input type='hidden' name='_submit_check' value='1'/>
	<input type='submit' name='submit' value='Submit' />
</FORM>";
}
?>
My goal is to display different content in place of the form after the user submits their connection speed, by using the value of the "conspeed" radio buttons to choose an include file, such as "slow.inc" or "fast.inc". Before the form is submitted, everything works fine. However, after submitting the form, nothing is displayed at the desired location in the page.

Any help will be much appreciated!
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

Use

Code:

$_POST['conspeed']
instead of

Code:

$_POST["conspeed"]
This wouldn't be a problem if you had escaped your inner double quotes with backslashes.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Code:

<?php
   if (array_key_exists('_submit_check', $_POST)) {
      require 'content/' . $_POST["conspeed"] . '.inc';
   }
?>
You may also want to look at file_exists() to prevent issues with people posting 'conspeed' values in an attempt to exploit security holes in your code. I would also suggest never taking user input like that and using it without checking to make sure it is valid data.
Last edited by RobertGonzalez on Mon May 14, 2007 12:33 pm, edited 1 time in total.
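
The input check suggested in the reply above, as an added example that is not part of any post in this thread. file_exists() only confirms that a path exists, so this sketch first compares the submitted value against the four radio-button values from the form and then resolves the path with realpath(). The function name, the constant and the assumption that content/ sits beside the script are illustrative.

```php
<?php
// Added example: allow-list check for the 'conspeed' include.
// The four values are the radio-button values from the form in the first post;
// the constant, the function name and the content/ location are assumptions.

const CONSPEED_ALLOWED = ['xslow', 'slow', 'med', 'fast'];

/**
 * Return the absolute path of the include file for a submitted value,
 * or null if the value is not one of the expected options.
 */
function resolve_conspeed_include($submitted, string $baseDir): ?string
{
    // Arrays (conspeed[]=x) and other non-string input are rejected outright.
    if (!is_string($submitted)) {
        return null;
    }
    // Strict comparison against the fixed list: a value containing path
    // separators or '..' can never match one of the four options.
    if (!in_array($submitted, CONSPEED_ALLOWED, true)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() returns false when the file is missing, which covers the
    // file_exists() check; the prefix test catches a symlink leaving content/.
    $path = realpath($base . DIRECTORY_SEPARATOR . $submitted . '.inc');
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($path === false || strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $path;
}

if (array_key_exists('_submit_check', $_POST)) {
    $file = resolve_conspeed_include($_POST['conspeed'] ?? null, __DIR__ . '/content');
    if ($file === null) {
        // Unknown or missing value: answer with an error instead of including anything.
        http_response_code(400);
        print '<p>Please select a valid connection speed.</p>';
    } else {
        require $file;
    }
}
```
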
JeffK627
Forum Newbie
Posts: 2
Joined: Mon May 14, 2007 11:36 am

Post by JeffK627 »

D'oh! :oops:

Bloody single/double quotes - I miss those all the time, must be some form of selective dyslexia...

Thanks Jay!

Everah, your point is well taken - this is still only in development and the input will be validated in the production version.