
What's wrong with this code?

Posted: Mon May 14, 2007 11:44 am
by JeffK627
Hello all, I'm new to this forum and also rather new to PHP. I wonder if anyone can spot the error in my code below:

Code:

<?php
	if (array_key_exists('_submit_check', $_POST)) {
		require("content/{$_POST["conspeed"]}.inc");
	}
	else {
		print
"<P>Please select your connection speed</P>
<FORM NAME='speedform' ID='speedform' METHOD='POST' ACTION='template.php?pgCo=media'>
	<input type='radio' name='conspeed' value='xslow' /> 28.8K Modem<br />
	<input type='radio' name='conspeed' value='slow' selected /> 56K Modem<br />
	<input type='radio' name='conspeed' value='med' /> DSL<br />
	<input type='radio' name='conspeed' value='fast' /> Cable Modem/Broadband<br />
	<input type='hidden' name='_submit_check' value='1'/>
	<input type='submit' name='submit' value='Submit' />
</FORM>";
	}
?>

My goal is to display different content in place of the form after the user submits their connection speed, by using the value of the "conspeed" radio buttons to choose an include file, such as "slow.inc" or "fast.inc". Before the form is submitted, everything works fine. However, after submitting the form, nothing is displayed at the desired location in the page.

Any help will be much appreciated!

Posted: Mon May 14, 2007 11:56 am
by jayshields
Use

Code:

$_POST['conspeed']

instead of

Code:

$_POST["conspeed"]

This wouldn't be a problem if you had escaped your inner double quotes with backslashes.

Posted: Mon May 14, 2007 12:03 pm
by RobertGonzalez

Code:

<?php
   if (array_key_exists('_submit_check', $_POST)) {
      require 'content/' . $_POST["conspeed"] . '.inc';
   }
?>

You may also want to look at file_exists() to prevent issues with people posting 'conspeed' values in an attempt to exploit security holes in your code. I would also suggest never taking user input like that and using it without checking to make sure it is valid data.
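
An added example (not code from this thread) of the validation suggested above: the posted conspeed value is looked up in a fixed allowlist of include files, so only the four values the form actually offers can ever reach require. The $allowedSpeeds map and resolveSpeedInclude() are names assumed for this example.

```php
<?php
// Added example, not from the original post: resolve 'conspeed' through an
// allowlist so user input never becomes part of an include path.
$allowedSpeeds = array(
    'xslow' => 'content/xslow.inc',
    'slow'  => 'content/slow.inc',
    'med'   => 'content/med.inc',
    'fast'  => 'content/fast.inc',
);

// Returns null when the form has not been submitted, false when the submitted
// value is missing or not in the allowlist, otherwise the include path.
function resolveSpeedInclude(array $post, array $allowed)
{
    if (!array_key_exists('_submit_check', $post)) {
        return null;
    }
    // Reject non-string values (e.g. conspeed[]=x) before the lookup.
    if (!isset($post['conspeed']) || !is_string($post['conspeed'])) {
        return false;
    }
    // Exact key match: "../" sequences, absolute paths and unexpected names
    // are all rejected here, without ever touching the filesystem.
    $speed = $post['conspeed'];
    return array_key_exists($speed, $allowed) ? $allowed[$speed] : false;
}

$target = resolveSpeedInclude($_POST, $allowedSpeeds);

if ($target === null) {
    // Not submitted yet: show the form (same fields as the original post,
    // with 'checked' for the default radio button).
    print "<p>Please select your connection speed</p>
<form name='speedform' id='speedform' method='post' action='template.php?pgCo=media'>
    <input type='radio' name='conspeed' value='xslow' /> 28.8K Modem<br />
    <input type='radio' name='conspeed' value='slow' checked='checked' /> 56K Modem<br />
    <input type='radio' name='conspeed' value='med' /> DSL<br />
    <input type='radio' name='conspeed' value='fast' /> Cable Modem/Broadband<br />
    <input type='hidden' name='_submit_check' value='1' />
    <input type='submit' name='submit' value='Submit' />
</form>";
} elseif ($target === false) {
    // Invalid input: report it and include nothing.
    print "<p>Please choose one of the listed connection speeds.</p>";
} else {
    require $target;
}
?>
```

A file_exists() check on a user-built path would still accept any readable .inc file the path resolves to, including ones outside content/; the allowlist keeps the decision independent of the filesystem.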

Posted: Mon May 14, 2007 12:04 pm
by JeffK627
D'oh! :oops:

Bloody single/double quotes - I miss those all the time, must be some form of selective dyslexia...

Thanks Jay!

Everah, your point is well taken - this is still only in development and the input will be validated in the production version.