declaration of variables confusion

Tryfan
Forum Newbie
Posts: 3
Joined: Sat Aug 04, 2007 9:41 am

Post by Tryfan »

Hi there,

I'm trying to keep register globals turned off and am working towards changing some basic forms to be safe and correct, however I'm having some difficulty with 2 variables now being properly declared. I have tried making them global

Code:

global $values, $fieldnames;

and calling them in my query

Code:

$GLOBALS['values'] $GLOBALS['fieldnames']

but I'm still getting the following warnings plus the values "news_title" and "text" appear in the columns "news_title" and "text" in my MySQL db.

Notice: Undefined variable: values in /var/www/html/secure/admin/processing/action.php on line 58

Notice: Undefined variable: fieldnames in /var/www/html/secure/admin/processing/action.php on line 59

Extract from action.php [NB: the DB_SERVER etc are declared in a separate include file]

Code:

<?php
if(isset($_POST['create']))$create=$_POST['create'];
if(isset($_POST['form_type']))$form_type=$_POST['form_type'];
if(isset($_POST['refresh']))$refresh=$_POST['refresh'];
if(isset($_POST['date_updated']))$date_updated=$_POST['date_updated'];
if(isset($_POST['news_title']))$news_title=$_POST['news_title'];
if(isset($_POST['text']))$text=$_POST['text'];

// Database Connection
$link = mysql_pconnect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
mysql_select_db(DB_NAME) or die(mysql_error());


// Get Field and Column Counts
$fields = mysql_list_fields(DB_NAME, $_POST['table'], $link);
$columns = mysql_num_fields($fields);


// If form_type is CREATE
if ($_POST['form_type'] == 0) {

	// Build up Field Lists and remove trailing comma etc, Also leaves field 0 blank, i.e. auto increment id.
	$i = 1;
	while ($i < $columns) {
	    if ($i == ($columns - 1)) {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . $data . "'";
			$fieldnames .= mysql_field_name($fields, $i) . "";
		} else if ($i == 0) {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . '' . "',";
			$fieldnames .= mysql_field_name($fields, $i) . ",";
		} else {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . $data . "',";
			$fieldnames .= mysql_field_name($fields, $i) . ",";
		}
		$values = str_replace("\n", "<br>", $values);
		$i++;
		
	} 


$query = 'INSERT INTO `'.$_POST['table'].'` ('.$fieldnames.') VALUES('.$values.');'; 

$result = mysql_query($query) or die('Error: Inserting Data into `'.$_POST['table'].'` <br><br>' . mysql_error());


// If form_type is UPDATE
} else if ($_POST['form_type'] == 1) {..........................

Form part of posting document:

Code:

<form action="../processing/action.php" method="post" enctype="multipart/form-data" name="form">
<input name="news_title" type="text" id="news_title" size="70">
<textarea name="text" cols="70" rows="20" class="style_multiline_box" id="text"></textarea>
<input name="table" type="hidden" id="table" value="news">
<input name="form_type" type="hidden" id="form_type" value="0">
<input name="refresh" type="hidden" id="refresh" value="../news/editor.php">
<input name="date_updated" type="hidden" id="date_updated" value="<? echo date("d/m/Y");?>"></td>
<td><input type="submit" name="Submit" value="create">

Any suggestions as to how best to handle these variables would be much appreciated :)
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Global variables are the least of your concerns. You apparently allow completely unchecked data into your database, including the friggin' TABLE NAME.

Can you explain why you go to all that trouble to perform what seems to be a simple INSERT statement?

As to your actual problem, where are $values and $fieldnames initiated? To be global they first have to come from somewhere.
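
One way to address both points raised in the reply above, as an added example that is not part of the original thread: the table and column names come from a fixed allowlist instead of `$_POST['table']`, `$fieldnames` and `$values` are initialised before they are appended to, and the submitted values are bound through a prepared statement. The `ALLOWED_TABLES` map, the `buildInsert()` helper, the use of PDO and the in-memory SQLite database are assumptions made for the demonstration; the thread's own code uses the `mysql_*` functions.

```php
<?php
// Added example (not from the thread). Hypothetical allowlist: table => insertable columns.
const ALLOWED_TABLES = [
    'news' => ['news_title', 'text', 'date_updated'],
];

// Hypothetical helper: returns [SQL with placeholders, values to bind].
function buildInsert(string $table, array $post): array
{
    // Identifiers cannot be bound as parameters, so only known table names are accepted.
    if (!array_key_exists($table, ALLOWED_TABLES)) {
        throw new InvalidArgumentException('Unknown table');
    }
    $fieldnames = [];   // initialised here, so no "Undefined variable" notice
    $values = [];
    foreach (ALLOWED_TABLES[$table] as $column) {
        $fieldnames[] = $column;
        // Take the submitted value for this column, not the column name itself.
        $values[] = (isset($post[$column]) && is_string($post[$column])) ? $post[$column] : '';
    }
    $placeholders = implode(',', array_fill(0, count($fieldnames), '?'));
    $sql = 'INSERT INTO ' . $table . ' (' . implode(',', $fieldnames) . ') VALUES (' . $placeholders . ')';
    return [$sql, $values];
}

// Constructed demo: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, news_title TEXT, text TEXT, date_updated TEXT)');

// Constructed form submission, shaped like the form in the question.
$post = ['table' => 'news', 'form_type' => '0', 'news_title' => "It's here",
         'text' => "line one\nline two", 'date_updated' => '04/08/2007'];

[$sql, $values] = buildInsert($post['table'], $post);
$pdo->prepare($sql)->execute($values);   // values are bound, never concatenated
echo $sql, "\n";
print_r($pdo->query('SELECT * FROM news')->fetchAll(PDO::FETCH_ASSOC));

// A table name that is not in the allowlist is refused before any SQL is built.
try {
    buildInsert('users', $post);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), "\n";
}
```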