Checkbox mayhem

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

Moderator: General Moderators

micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Checkbox mayhem

Post by micknc »

I am developing a tool for users to be able to print a pdf page dynamically. The problem I am having is thinking through the logic of the checkboxes. Let me tell you what happens and try and get some suggestions from you guys.

1. The user searches for a group of contacts. That search will return 10-30 contacts in a given area.
2. The user then clicks checkboxes beside the contact that he wants to send a letter to. (that could be all of them, half or just a few based on the history with the contact)

Now here is where I am not sure where to go. I will have multiple versions of the variable (the contact id). I thought about looping through them somehow to create the pdf (which has to be on one document with a new page for each contact).

My big problem is how do I recognize an ever changing number of the same variable? When I insert that variable into a query how will I get that query to loop through all the variables?

If I can get through the query I have the rest figured out but I am a little stuck. I am not asking you write a bunch of code for me. Just help talk me through the logic of how you would do this.

Thanks!
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Checkbox mayhem

Post by califdon »

Sounds like a job for an array. In PHP you can keep adding elements to an array without worrying about the value of the index or any limit on the number of elements. Once you have filled the array, you can get the count of the number of elements. Using that, you can loop through multiple queries, or perhaps (if you're talking a max of maybe 30 contacts) just string them together and use a WHERE ... IN (...) clause in your query.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Checkbox mayhem

Post by RobertGonzalez »

If your checkboxes are passed as row ids in the table you are querying then you can do a simple select * from table where id IN ($_POST['rowids']) type of query.
micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: Checkbox mayhem

Post by micknc »

Thanks for the direction guys,
I have a test form I am working on and it looks like this:

echo "<form action='test_array.php' method='post'>";
echo "<input type='checkbox' name='rowids[]' value='AL150541'>Mt. Pleasant";
echo "<input type='checkbox' name='rowids[]' value='WV800391'>Oceana";
echo "<input type='checkbox' name='rowids[]' value='WV725151'>MT. Hope";
echo "<input type='checkbox' name='rowids[]' value='WV750121'>Dunlow";
echo "<input type='submit' value='Submit'/>";
echo "</form>";

Then the query looks like this:

$connection = mysql_connect('localhost', $username, $password);
$db_selected = mysql_select_db($database, $connection);
$sql = "SELECT * FROM contacts WHERE id IN ($_POST['rowids'])";
$data = mysql_query($sql);
while($result = mysql_fetch_array( $data ))

I am getting the old "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/thedonah/public_html/fwbim/test_array.php"

I have tried about 20 different variations of the IN () statement. Do you see what I should do?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Checkbox mayhem

Post by RobertGonzalez »

Before doing all that database connection stuff, try dumping the $_POST['rows'] var to see what is in it.
EverLearning
Forum Contributor
Posts: 282
Joined: Sat Feb 23, 2008 3:49 am
Location: Niš, Serbia

Re: Checkbox mayhem

Post by EverLearning »

1) To access arrays in strings you have to enclose them in curly braces {} (that's why you get the error message)
2) $_POST['rowids'] is an array itself so you can't use it directly in your SQL query. You need to make it into a string

So it should look like this


$rowids = join(", ", $_POST['rowids']);
$sql = "SELECT * FROM contacts WHERE id IN ({$rowids})";
micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: Checkbox mayhem

Post by micknc »

I am getting this error:
Warning: join() [function.join]: Bad arguments. in /home/thedonah/public_html/fwbim/test_array.php on line 5


From this line:

$rowids = join(", ", $_POST['rowids']);

Also I used

print_r(array_values($_POST['rowids']));

and got:

Array ( [0] => WV800391 [1] => WV725151 [2] => WV750121 )
which is accurate based on my test selection.
EverLearning
Forum Contributor
Posts: 282
Joined: Sat Feb 23, 2008 3:49 am
Location: Niš, Serbia

Re: Checkbox mayhem

Post by EverLearning »

Dump $_POST['rowids'] as Everah suggested. Use this and paste the results here:


var_dump($_POST['rowids']);
micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: Checkbox mayhem

Post by micknc »

array(3) { [0]=> string(8) "WV800391" [1]=> string(8) "WV725151" [2]=> string(8) "WV750121" }
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Checkbox mayhem

Post by RobertGonzalez »

Now do this:

<?php
$str = implode(',', $_POST['rowids']);
var_dump($str);
?>

And post back the results
chaos
Forum Newbie
Posts: 22
Joined: Thu May 15, 2008 9:20 am
Location: New Jersey

Re: Checkbox mayhem

Post by chaos »

You should only get that 'Bad arguments' error if no checkboxes were selected. (You'll need to account for that case in general.)

Everyone: for the love of God, please do not just let people keep writing SQL-injection-vulnerable code.

micknc, you should do something like this:

if(!isset($_POST['rowids']))
    die('No selections made');
$connection = mysql_connect('localhost', $username, $password);
$db_selected = mysql_select_db($database, $connection);
$rowids_array = array();
// escape each id against the open connection and quote it, since the ids are strings
foreach($_POST['rowids'] as $rowid)
    $rowids_array[] = "'" . mysql_real_escape_string($rowid, $connection) . "'";
$rowids_string = join(', ', $rowids_array);
$sql = "SELECT * FROM contacts WHERE id IN ($rowids_string)";

The extra bits to do with the rowids will not only make your SQL query usable at all (since all previous versions depended on purely numeric keys, and you're using string keys), but stop every slightly knowledgeable hacker in the universe from being able to do whatever they like to your database.
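Added example, not code from the thread: the same IN()-list query built the two ways discussed above, run against an in-memory SQLite database through PDO so it works offline. The contacts table, its four rows and the tampered checkbox value are constructed for the demonstration; the pdo_sqlite extension and the id format (two letters followed by six digits, inferred from the sample values posted) are assumptions. It binds one placeholder per selected id through a prepared statement instead of quoting with mysql_real_escape_string, which is what chaos's snippet does with the old mysql extension.

```php
<?php
// Added example (not from the thread). Shows why joining raw checkbox values
// into an IN() list is exploitable and how to build the list safely.
// Assumes the pdo_sqlite extension; the table and rows are constructed data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (id TEXT PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO contacts (id, name) VALUES
    ('AL150541', 'Mt. Pleasant'),
    ('WV800391', 'Oceana'),
    ('WV725151', 'Mt. Hope'),
    ('WV750121', 'Dunlow')");

// The approach the thread started with: join the raw values into the query.
function vulnerableSelect(PDO $db, array $rowids): array
{
    $list = "'" . implode("', '", $rowids) . "'";
    $sql  = "SELECT id, name FROM contacts WHERE id IN ($list)";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject an empty selection (the 'Bad arguments' case),
// whitelist the id format the form actually uses (assumed: 2 letters + 6
// digits), and bind every value through a placeholder so user data never
// reaches the SQL parser as SQL.
function safeSelect(PDO $db, array $rowids): array
{
    if ($rowids === []) {
        throw new InvalidArgumentException('No selections made');
    }
    foreach ($rowids as $rowid) {
        if (!is_string($rowid) || !preg_match('/\A[A-Z]{2}\d{6}\z/', $rowid)) {
            throw new InvalidArgumentException(
                'Rejected contact id: ' . var_export($rowid, true)
            );
        }
    }
    $placeholders = implode(', ', array_fill(0, count($rowids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM contacts WHERE id IN ($placeholders)");
    $stmt->execute(array_values($rowids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Honest input: two boxes ticked.
$ticked = ['WV800391', 'WV750121'];
printf("safe, honest input: %d rows\n", count(safeSelect($db, $ticked)));

// Hostile input: a tampered checkbox value. The HTML form is irrelevant;
// anyone can POST rowids[]=') OR ('1'='1 directly. The joined list becomes
// IN ('') OR ('1'='1'), which matches every contact.
$hostile = ["') OR ('1'='1"];
printf("vulnerable, hostile input: %d rows (every contact)\n",
    count(vulnerableSelect($db, $hostile)));

// The same value never reaches SQL in the hardened version.
try {
    safeSelect($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "safe, hostile input: ", $e->getMessage(), "\n";
}

// And the empty-selection case is handled explicitly instead of producing a
// join() warning and a syntactically broken IN ().
try {
    safeSelect($db, []);
} catch (InvalidArgumentException $e) {
    echo "safe, empty input: ", $e->getMessage(), "\n";
}
```

Run it with the PHP CLI. The honest selection returns 2 rows from both functions, the tampered value returns all 4 rows from vulnerableSelect and is rejected before any query runs in safeSelect. The placeholder list is generated from the array length, so the same code handles 1 or 30 ticked boxes, which is the "ever changing number of the same variable" problem from the first post.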
EverLearning
Forum Contributor
Posts: 282
Joined: Sat Feb 23, 2008 3:49 am
Location: Niš, Serbia

Re: Checkbox mayhem

Post by EverLearning »

It looks OK to me. join() function should work just fine with that array. Could you post a more complete code snippet? Since it seems that you're executing that join(", ", $_POST['rowids']) even if it's empty, whether that's because no checkbox has been checked, or because the user didn't submit the page.
EverLearning
Forum Contributor
Posts: 282
Joined: Sat Feb 23, 2008 3:49 am
Location: Niš, Serbia

Re: Checkbox mayhem

Post by EverLearning »

@chaos: We're just trying to guide him along until he reaches his goal, without confusing him too much, or doing all of his work for him. Yes, we KNOW that the code we provided is SQL injection vulnerable. At the end we would have told him something along the lines: "Now that you have accomplished what you wanted, you should know that this code is vulnerable, and that you should use this, and this, and this, and read up on these topics ...".
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Checkbox mayhem

Post by RobertGonzalez »

SQL injection prevention means nothing if he cannot wrap his mind around getting past the array to build a query. We will get to that, but he needs to get the basics down first.

Patience. We'll get to it.
chaos
Forum Newbie
Posts: 22
Joined: Thu May 15, 2008 9:20 am
Location: New Jersey

Re: Checkbox mayhem

Post by chaos »

I understand your motivations for doing that. I don't agree that it's a good idea. It teaches people to tack on security at the end. Which is like tacking on birth control at the end: it's a little late.