The code below has values passed via the URL from another page.
audio_insertDEV.php?product_ID=30
But when the conditional statement returns an empty field error (if the form's field is left blank, etc.) the URL loses its parameters and ends up just being:
audio_insertDEV.php
I’m not sure what to do here. Is it just the way I have the code running or is there something more I need to add?
Thanks
<?php
// Default ID used when none is passed in the URL.
$colname_GetAudioUpdate = "1";
if (isset($_GET['product_ID'])) {
    // product_ID is numeric, so cast it to an integer; addslashes() gives no
    // protection for a value placed in the query without quotes.
    $colname_GetAudioUpdate = (int) $_GET['product_ID'];
}
mysql_select_db($database_******, $*****);
$query_GetAudioUpdate = sprintf("SELECT * FROM tbl_products WHERE product_ID = %d", $colname_GetAudioUpdate);
$GetAudioUpdate = mysql_query($query_GetAudioUpdate, $armstrong) or die(mysql_error());
$row_GetAudioUpdate = mysql_fetch_assoc($GetAudioUpdate);
$totalRows_GetAudioUpdate = mysql_num_rows($GetAudioUpdate);
$nomessage = '';
if ($_POST && array_key_exists('MM_update', $_POST)) {
    // test to see it contains an MP3 (the 'type' value is reported by the browser)
    if ($_FILES['fupload']['type'] == "audio/mpeg") {
    } else {
        $nomessage = '<br>'.'<span class="erroradmin"><strong>Opps! You must fill out the field and <br>make sure it\'s an MP3 you\'re uploading.</strong></span>';
    }
    if (!$nomessage) {
        // upload file
    }
    if ((isset($_POST["MM_update"])) && ($_POST["MM_update"] == "form1")) {
        // insert into database
    }
}
?>
The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:
thaynejo wrote:The primary issue I see is that you have set the form action to "post", but are trying to access the variables via "get". You need to change one or the other. If you are insistent on using GET (which will display the values in the URL), then make the change to the form as follows:
This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time. Also, you should not be using $_SERVER['PHP_SELF'], considering it allows the user to exploit XSS injection.
I would set the action with the parameters manually set in it, and/or alternatively you can pass the $_GET['product_id'] as a hidden field in the form.
Notice I applied intval() on the product id, this is also to avoid XSS injection by only allowing numbers. As a rule of thumb, never output anything that comes from the user without validating/sanitizing (this includes $_SERVER['PHP_SELF']).
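An added example (not part of the original posts) of the approach described above, using the action variant rather than the hidden field: the product ID is validated as an integer, carried in a hard-coded form action instead of $_SERVER['PHP_SELF'], and every value is escaped on output. The helper names are hypothetical, the requests are constructed, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not code from the thread. The script and field names follow
// the original post; the helper names are hypothetical.

const FORM_SCRIPT = 'audio_insertDEV.php'; // fixed literal, not $_SERVER['PHP_SELF']

/** Return product_ID as a positive int, or null when missing or not numeric. */
function product_id_from_query(array $get): ?int
{
    $id = filter_var($get['product_ID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Build the form so the ID survives a POST that fails validation. */
function render_upload_form(int $productId, string $error = ''): string
{
    // The ID rides in the action's query string, so $_GET['product_ID'] is
    // still set when the form posts back to itself.
    $action = FORM_SCRIPT . '?' . http_build_query(['product_ID' => $productId]);
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');

    return '<form method="post" enctype="multipart/form-data" action="' . $esc($action) . '">'
        . ($error !== '' ? '<span class="erroradmin">' . $esc($error) . '</span>' : '')
        . '<input type="hidden" name="MM_update" value="form1">'
        . '<input type="file" name="fupload">'
        . '<input type="submit" value="Upload">'
        . '</form>';
}

// Constructed requests: a normal ID, and a value carrying markup.
foreach ([['product_ID' => '30'], ['product_ID' => '30"><b>']] as $get) {
    $id = product_id_from_query($get);
    echo $id === null
        ? "rejected: invalid product_ID\n"
        : render_upload_form($id, 'You must choose an MP3 file.') . "\n";
}
```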
Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.
Jcart wrote:This is incorrect. You can just as easily use $_POST and $_GET in the same request, in fact I do it all the time.
There is no problem using them both. I use them all the time as well. What I was trying to point out is that the values in the $_POST array cannot be accessed via the $_GET array. The easiest way to fix his issue is to change the action to GET. That would solve the issue of the missing variables.
Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects.
Jcart wrote:Ah sorry for misunderstanding. But still, your suggestion has some ugly side effects.
No problem, and I agree. Always clean the input first so that you don't have to cry later. I am a fairly new user to PHP, so my code can always be improved. Thank you for the assistance.
As a matter of interest what about doing this? I have to say I don’t always understand this enough but try to learn from a few angles about attacks etc.