declaration of variables confusion

Posted: Sat Aug 04, 2007 9:55 am
by Tryfan
Hi there,

I'm trying to keep register globals turned off and am working towards changing some basic forms to be safe and correct, however I'm having some difficulty with 2 variables now being properly declared. I have tried making them global

Code:

global $values, $fieldnames
and calling them in my query

Code:

$GLOBALS['values'] $GLOBALS['fieldnames']
but I'm still getting the following warnings plus the values "news_title" and "text" appear in the columns "news_title" and "text" in my MySQL db.

Notice: Undefined variable: values in /var/www/html/secure/admin/processing/action.php on line 58

Notice: Undefined variable: fieldnames in /var/www/html/secure/admin/processing/action.php on line 59

Extract from action.php [NB: the DB_SERVER etc are declared in a separate include file]

Code:

<?php
if(isset($_POST['create']))$create=$_POST['create'];
if(isset($_POST['form_type']))$form_type=$_POST['form_type'];
if(isset($_POST['refresh']))$refresh=$_POST['refresh'];
if(isset($_POST['date_updated']))$date_updated=$_POST['date_updated'];
if(isset($_POST['news_title']))$news_title=$_POST['news_title'];
if(isset($_POST['text']))$text=$_POST['text'];

// Database Connection
$link = mysql_pconnect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
mysql_select_db(DB_NAME) or die(mysql_error());


// Get Field and Column Counts
$fields = mysql_list_fields(DB_NAME, $_POST['table'], $link);
$columns = mysql_num_fields($fields);


// If form_type is CREATE
if ($_POST['form_type'] == 0) {

	// Build up Field Lists and remove trailing comma etc, Also leaves field 0 blank, i.e. auto increment id.
	$i = 1;
	while ($i < $columns) {
	    if ($i == ($columns - 1)) {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . $data . "'";
			$fieldnames .= mysql_field_name($fields, $i) . "";
		} else if ($i == 0) {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . '' . "',";
			$fieldnames .= mysql_field_name($fields, $i) . ",";
		} else {
			$data = mysql_field_name($fields, $i);
			$values .= "'" . $data . "',";
			$fieldnames .= mysql_field_name($fields, $i) . ",";
		}
		$values = str_replace("\n", "<br>", $values);
		$i++;
		
	} 


$query = 'INSERT INTO `'.$_POST['table'].'` ('.$fieldnames.') VALUES('.$values.');'; 

$result = mysql_query($query) or die('Error: Inserting Data into `'.$_POST['table'].'` <br><br>' . mysql_error());


// If form_type is UPDATE
} else if ($_POST['form_type'] == 1) {..........................
form part of posting document:

Code:

<form action="../processing/action.php" method="post" enctype="multipart/form-data" name="form">
<input name="news_title" type="text" id="news_title" size="70">
<textarea name="text" cols="70" rows="20" class="style_multiline_box" id="text"></textarea>
<input name="table" type="hidden" id="table" value="news">
<input name="form_type" type="hidden" id="form_type" value="0">
<input name="refresh" type="hidden" id="refresh" value="../news/editor.php">
<input name="date_updated" type="hidden" id="date_updated" value="<? echo date("d/m/Y");?>"></td>
<td><input type="submit" name="Submit" value="create">
Any suggestions as to how best to handle these variables would be much appreciated :)

Posted: Sat Aug 04, 2007 12:17 pm
by bdlang
Global variables are the least of your concerns. You apparently allow completely unchecked data into your database, including the friggin' TABLE NAME.

Can you explain why you go to all that trouble to perform what seems to be a simple INSERT statement?

As to your actual problem, where are $values and $fieldnames initiated? To be global they first have to come from somewhere.
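
One way to address both points raised in this thread, as an added example that is not code from either poster: the table name is checked against a server-side allowlist, the field list is initialised before use, and the values are sent as bound parameters. It uses PDO because the mysql_* functions were removed in PHP 7; `WRITABLE` and `insert_row()` are hypothetical names, and an in-memory SQLite database is assumed in place of MySQL so the block runs on its own.

```php
<?php
// Added example, not code from the thread. WRITABLE and insert_row() are
// hypothetical names; in-memory SQLite stands in for the MySQL database.

// Server-side allowlist of the tables and columns a form may write to.
const WRITABLE = [
    'news' => ['news_title', 'text', 'date_updated'],
];

function insert_row(PDO $db, string $table, array $post): int
{
    // An identifier cannot be a bound parameter, so the table name must
    // match the allowlist exactly before it is placed in the SQL string.
    if (!array_key_exists($table, WRITABLE)) {
        throw new InvalidArgumentException("table not writable: $table");
    }

    // Initialise before appending: appending to a variable that was never
    // assigned is what raises the "Undefined variable" notices.
    $fieldnames = [];
    $params = [];
    foreach (WRITABLE[$table] as $column) {
        $fieldnames[] = "`$column`";
        // Values travel as bound parameters, never as SQL text.
        $params[":$column"] = (string) ($post[$column] ?? '');
    }

    $sql = sprintf(
        'INSERT INTO `%s` (%s) VALUES (%s)',
        $table,
        implode(', ', $fieldnames),
        implode(', ', array_keys($params))
    );
    $db->prepare($sql)->execute($params);
    return (int) $db->lastInsertId();
}

// Constructed demo data mirroring the posted form fields.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, news_title TEXT, text TEXT, date_updated TEXT)');
$post = ['table' => 'news', 'news_title' => "Editor's note", 'text' => 'Body', 'date_updated' => '04/08/2007'];
echo 'inserted id ', insert_row($db, $post['table'], $post), "\n";

try {
    insert_row($db, 'users', $post); // not on the allowlist
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```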