Checkbox mayhem
Checkbox mayhem
I am developing a tool for users to be able to print a pdf page dynamically. The problem I am having is thinking through the logic of the checkboxes. Let me tell you what happens and try and get some suggestions from you guys.
1. The user searches for a group of contacts. That search will return 10-30 contacts in a given area.
2. The user then clicks checkboxes beside the contact that he wants to send a letter to. (that could be all of them, half or just a few based on the history with the contact)
Now here is where I am not sure where to go. I will have multiple versions of the variable (the contact id). I thought about looping through them somehow to create the pdf (which has to be on one document with a new page for each contact).
My big problem is how do I recognize an ever changing number of the same variable? When I insert that variable into a query how will I get that query to loop through all the variables?
If I can get through the query I have the rest figured out but I am a little stuck. I am not asking you write a bunch of code for me. Just help talk me through the logic of how you would do this.
Thanks!
Re: Checkbox mayhem
Sounds like a job for an array. In PHP you can keep adding elements to an array without worrying about the value of the index or any limit on the number of elements. Once you have filled the array, you can get the count of the number of elements. Using that, you can loop through multiple queries, or perhaps (if you're talking a max of maybe 30 contacts) just string them together and use a WHERE ... IN (...) clause in your query.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Checkbox mayhem
If your checkboxes are passed as row ids in the table you are querying then you can do a simple select * from table where id IN ($_POST['rowids']) type of query.
Re: Checkbox mayhem
Thanks for the direction guys,
I have a test form I am working on and it looks like this:
Code:
    echo "<form action='test_array.php' method='post'>";
    echo "<input type='checkbox' name='rowids[]' value='AL150541'>Mt. Pleasant";
    echo "<input type='checkbox' name='rowids[]' value='WV800391'>Oceana";
    echo "<input type='checkbox' name='rowids[]' value='WV725151'>MT. Hope";
    echo "<input type='checkbox' name='rowids[]' value='WV750121'>Dunlow";
    echo "<input type='submit' value='Submit'/>";
    echo "</form>";
Then the query looks like this:
Code:
    $connection = mysql_connect('localhost', $username, $password);
    $db_selected = mysql_select_db($database, $connection);
    // a quoted array key inside a double-quoted string is what triggers the parse error below
    $sql = "SELECT * FROM contacts WHERE id IN ($_POST['rowids'])";
    $data = mysql_query($sql);
    while ($result = mysql_fetch_array($data))
I am getting the old "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/thedonah/public_html/fwbim/test_array.php"
I have tried about 20 different variations of the IN () statement. Do you see what I should do?
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Checkbox mayhem
Before doing all that database connection stuff, try dumping the $_POST['rows'] var to see what is in it.
- EverLearning
- Forum Contributor
- Posts: 282
- Joined: Sat Feb 23, 2008 3:49 am
- Location: Niš, Serbia
Re: Checkbox mayhem
1) To access arrays in strings you have to enclose them in curly braces {} (that's why you get the error message).
2) $_POST['rowids'] is an array itself, so you can't use it directly in your SQL query. You need to make it into a string.
So it should look like this:
Code:
    $rowids = join(", ", $_POST['rowids']);
    $sql = "SELECT * FROM contacts WHERE id IN ({$rowids})";
Re: Checkbox mayhem
I am getting this error:
    Warning: join() [function.join]: Bad arguments. in /home/thedonah/public_html/fwbim/test_array.php on line 5
From this line:
Code:
    $rowids = join(", ", $_POST['rowids']);
Also I used
Code:
    print_r(array_values($_POST['rowids']));
and got:
    Array ( [0] => WV800391 [1] => WV725151 [2] => WV750121 )
which is accurate based on my test selection.
- EverLearning
- Forum Contributor
- Posts: 282
- Joined: Sat Feb 23, 2008 3:49 am
- Location: Niš, Serbia
Re: Checkbox mayhem
Dump $_POST['rowids'] as Everah suggested. Use this and paste the results here:
Code:
    var_dump($_POST['rowids']);
Re: Checkbox mayhem
array(3) { [0]=> string(8) "WV800391" [1]=> string(8) "WV725151" [2]=> string(8) "WV750121" }
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Checkbox mayhem
Now do this:
Code:
    <?php
    $str = implode(',', $_POST['rowids']);
    var_dump($str);
    ?>
And post back the results.
Re: Checkbox mayhem
You should only get that 'Bad arguments' error if no checkboxes were selected. (You'll need to account for that case in general.)
Everyone: for the love of God, please do not just let people keep writing SQL-injection-vulnerable code.
micknc, you should do something like this:
Code:
    if (!isset($_POST['rowids']))
        die('No selections made');
    $connection = mysql_connect('localhost', $username, $password);
    $db_selected = mysql_select_db($database, $connection);
    $rowids_array = array();
    // quote and escape each id on its own, then join the quoted values for the IN list
    foreach ($_POST['rowids'] as $rowid)
        $rowids_array[] = "'" . mysql_real_escape_string($rowid, $connection) . "'";
    $rowids_string = join(', ', $rowids_array);
    $sql = "SELECT * FROM contacts WHERE id IN ($rowids_string)";
The extra bits to do with the rowids will not only make your SQL query usable at all (since all previous versions depended on purely numeric keys, and you're using string keys), but stop every slightly knowledgeable hacker in the universe from being able to do whatever they like to your database.
- EverLearning
- Forum Contributor
- Posts: 282
- Joined: Sat Feb 23, 2008 3:49 am
- Location: Niš, Serbia
Re: Checkbox mayhem
It looks OK to me. The join() function should work just fine with that array. Could you post a more complete code snippet? It seems that you're executing that join(", ", $_POST['rowids']) even if it's empty, whether that's because no checkbox has been checked or because the user didn't submit the page.
- EverLearning
- Forum Contributor
- Posts: 282
- Joined: Sat Feb 23, 2008 3:49 am
- Location: Niš, Serbia
Re: Checkbox mayhem
@chaos: We're just trying to guide him along until he reaches his goal, without confusing him too much, or doing all of his work for him. Yes, we KNOW that the code we provided is SQL injection vulnerable. At the end we would have told him something along the lines of: "Now that you have accomplished what you wanted, you should know that this code is vulnerable, and that you should use this, and this, and this, and read up on these topics ...".
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: Checkbox mayhem
SQL injection prevention means nothing if he cannot wrap his mind around getting past the array to build a query. We will get to that, but he needs to get the basics down first.
Patience. We'll get to it.
Re: Checkbox mayhem
I understand your motivations for doing that. I don't agree that it's a good idea. It teaches people to tack on security at the end. Which is like tacking on birth control at the end: it's a little late.
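chaos's point, that the query should be safe in its first version rather than patched at the end, is easiest to follow with a prepared statement, and that also answers the opening question of how to feed a variable number of ticked checkboxes into one IN (...) clause. The following is an added example, not code posted by anyone in this thread: it swaps mysql_real_escape_string for PDO with one ? placeholder per selected id, handles the "no boxes ticked" case that produced the join() warning above, and runs against an in-memory SQLite table of constructed rows so it can be executed stand-alone (the DSN is the only line to change for MySQL). The id whitelist (two letters followed by six digits) is an assumption taken from the thread's sample values, not something the thread states.

```php
<?php
// Added example, not code from the thread. Builds the IN (...) list from the
// checkbox array with a PDO prepared statement instead of string interpolation.

function selectedContacts(PDO $db, array $rowids): array
{
    // Whitelist the id format before anything reaches the query. The pattern
    // (two letters + six digits) is assumed from the thread's sample ids.
    $rowids = array_values(array_filter($rowids, function ($id) {
        return is_string($id) && preg_match('/^[A-Z]{2}\d{6}$/', $id) === 1;
    }));
    if ($rowids === []) {
        return [];   // nothing ticked (or nothing valid): no query at all
    }

    // One ? per value. The values are bound separately and never become SQL text,
    // so string ids need no quoting and cannot change the statement's meaning.
    $placeholders = implode(', ', array_fill(0, count($rowids), '?'));
    $stmt = $db->prepare("SELECT id, name FROM contacts WHERE id IN ($placeholders)");
    $stmt->execute($rowids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed fixture so the example runs without a MySQL server -------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE contacts (id TEXT PRIMARY KEY, name TEXT)");
$ins = $db->prepare("INSERT INTO contacts (id, name) VALUES (?, ?)");
foreach ([['AL150541', 'Mt. Pleasant'], ['WV800391', 'Oceana'],
          ['WV725151', 'Mt. Hope'],     ['WV750121', 'Dunlow']] as $row) {
    $ins->execute($row);
}

// What the form posts after ticking three boxes (constructed to match the var_dump above).
// The isset/is_array guard covers a submission with no boxes ticked or a non-array value.
$_POST['rowids'] = ['WV800391', 'WV725151', 'WV750121'];
$selected = (isset($_POST['rowids']) && is_array($_POST['rowids'])) ? $_POST['rowids'] : [];

foreach (selectedContacts($db, $selected) as $contact) {
    // one iteration per contact, which is where each PDF page would be generated
    echo $contact['id'], ' ', $contact['name'], PHP_EOL;
}

// A value that is not a well-formed id is dropped by the whitelist; even without the
// whitelist it would only ever be compared as a bound string, never executed as SQL.
$tampered = ["WV800391' OR 1=1", 'WV750121'];
echo count(selectedContacts($db, $tampered)), PHP_EOL;   // prints 1
```

The same function works unchanged against MySQL; if you want the placeholders bound by the server rather than by the driver, set PDO::ATTR_EMULATE_PREPARES to false on the connection. The whitelist is a second layer for catching malformed input early; the parameter binding alone is what keeps submitted values out of the SQL text.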