Checkbox mayhem

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!


micknc
Forum Contributor
Posts: 115
Joined: Thu Jan 24, 2008 11:13 pm

Re: Checkbox mayhem

Post by micknc »

The code that Chaos posted is working. I have read through it and tried to internalize what is happening in each line so that I can reproduce it if need be.
I also have read the article on SQL injections and I will continue to read up on it. This project is for internal office use and requires a login (using sessions) to view any page. Are injections still a huge concern in your opinion? It is hosted on the internet, but the only way to get to it is to know the address, and user accounts have to be set up manually.
The reason I ask is that I am really just writing a tool to add to this site. Should I look at cleaning up the rest of it?

Looks like a can of worms.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: Checkbox mayhem

Post by RobertGonzalez »

Birth control can't help you in any way if you don't know how to work your zipper. Just a thought.

I am as big a proponent of security as the next coder, but trying to teach security principles and fundamentals to someone that might not even know how an array is acting is a little ahead of the game in my opinion.

That said, this thread is sidetracked enough. Can we not talk security so much at this point, opting rather to actually help the OP get past the initial issue he/she was having?
chaos
Forum Newbie
Posts: 22
Joined: Thu May 15, 2008 9:20 am
Location: New Jersey

Re: Checkbox mayhem

Post by chaos »

Everah: Yeah, I already did that too. Note how I subtly included the injection fix along with code that fixed a couple of other issues, without apparently confusing (dismaying, but not confusing) the OP. It's seriously just not that hard to teach someone that wrapping their form data retrievals in mysql_real_escape_string() is How You Do It. And every time you post code that just sucks it in raw, you teach them that that is How You Do It.

micknc: Though I hate to say that using unsanitized inputs is ever okay, in that situation, as long as the check for an authenticated session happens before anything else is allowed to interact with the database, all you need to do is sanitize the authentication process itself and you'll be okay (insofar as your users are trustworthy). That is, if all an unauthenticated user can actually touch is the authentication process, then that's what you most need to make sure is clean.
dajawu
Forum Commoner
Posts: 59
Joined: Fri May 23, 2008 10:16 am

Re: Checkbox mayhem

Post by dajawu »

This while loop displays a bunch of different items from a database with a checkbox for each item. One for accepting the item, the other for deleting the item. Note: I took out all excess code.

Code:

while ($row = mysql_fetch_row($result)) {
    // $row[0] is the ItemID; it becomes the array key of both checkboxes
    echo "<td><input type=\"checkbox\" name=\"accept[$row[0]]\"></td>"
       . "<td><input type=\"checkbox\" name=\"delete[$row[0]]\"></td></tr>";
}

This code deletes any item that the user checked delete:

Code:

// Unchecked boxes are not submitted at all, so guard against a missing key
$delete = isset($_POST['delete']) ? $_POST['delete'] : array();

foreach ($delete as $tmp => $value) {
    // The key comes from the client; force it to an integer before it
    // reaches the query so it cannot alter the SQL
    $id = (int) $tmp;
    echo "ItemID " . $id . " has been removed!<br>";
    EmailBadNews($id);
    $sql = "DELETE FROM Items WHERE ItemID = $id LIMIT 1";
    mysql_query($sql) or die(mysql_error());
}

The only thing I/you have to add is that you get a warning if none of the checkboxes are checked. I guess if you don't check them they don't come through in $_POST['delete']; I thought they would just come through as off or something. Oh well, easy enough to add an if statement to check.
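An added example, written for this page and not code from the thread or from any of the posters, that runs the "delete what was checked" loop from dajawu's post against an in-memory SQLite table so the injection chaos describes can be seen end to end, with a hardened version beside it. It assumes PHP 7.1+ with the PDO sqlite driver; the table and column names (Items, ItemID) are taken from the thread's query; the POST array is constructed inline to stand in for $_POST, with one checkbox renamed by the client to delete[1 OR 1=1]; the LIMIT 1 from the thread's DELETE is MySQL-only and is left out.

```php
<?php
// Added example, not code from the thread. Runs the thread's "delete what was
// checked" loop against an in-memory SQLite table so it can be executed offline.
// Assumptions: PHP 7.1+ with the PDO sqlite driver; table and column names
// (Items, ItemID) come from the thread's query; LIMIT 1 is MySQL-only and is
// left out here.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Items (ItemID INTEGER PRIMARY KEY, Name TEXT)');
    $insert = $db->prepare('INSERT INTO Items (ItemID, Name) VALUES (?, ?)');
    foreach ([[1, 'alpha'], [2, 'beta'], [3, 'gamma']] as [$id, $name]) {
        $insert->execute([$id, $name]);
    }
    return $db;
}

function countItems(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM Items')->fetchColumn();
}

// As posted: the checkbox's array key goes straight into the SQL text.
// The key is whatever the client submitted, not what the server rendered.
function deleteCheckedVulnerable(PDO $db, array $delete): int
{
    $removed = 0;
    foreach ($delete as $tmp => $value) {
        $sql = "DELETE FROM Items WHERE ItemID = $tmp";
        $removed += $db->exec($sql);
    }
    return $removed;
}

// Hardened: the key must validate as a positive integer, and it is bound as
// a parameter, so it can never become part of the SQL text.
function deleteCheckedSafe(PDO $db, array $delete): int
{
    $stmt = $db->prepare('DELETE FROM Items WHERE ItemID = :id');
    $removed = 0;
    foreach (array_keys($delete) as $tmp) {
        $id = filter_var($tmp, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            // Reject rather than escape: a non-integer ItemID is not a valid request.
            throw new InvalidArgumentException('Rejected ItemID ' . var_export($tmp, true));
        }
        $stmt->execute([':id' => $id]);
        $removed += $stmt->rowCount();
    }
    return $removed;
}

// Constructed stand-in for $_POST: one checkbox renamed by the client to
// delete[1 OR 1=1], plus a genuine one. The crafted key has no quotes or
// backslashes, so mysql_real_escape_string() would leave it unchanged.
$post = ['delete' => ['1 OR 1=1' => 'on', 2 => 'on']];
// Unchecked boxes are not submitted at all; default to an empty array.
$delete = $post['delete'] ?? [];

$db = makeDb();
$removed = deleteCheckedVulnerable($db, $delete);
printf("vulnerable: removed %d rows, %d left\n", $removed, countItems($db));

$db = makeDb();
try {
    deleteCheckedSafe($db, $delete);
} catch (InvalidArgumentException $e) {
    echo 'safe: ' . $e->getMessage() . "\n";
}
printf("safe: %d rows left after the crafted request\n", countItems($db));

$removed = deleteCheckedSafe($db, [2 => 'on']);
printf("safe, genuine request: removed %d rows, %d left\n", $removed, countItems($db));
```

The point the crafted key makes is that mysql_real_escape_string() only escapes quote, backslash, NUL and newline characters; 1 OR 1=1 contains none of them, so wrapping the key in it would change nothing, and the unquoted numeric comparison is still rewritten. For an integer column the check that matters is that the value actually is an integer, and binding it as a parameter keeps it out of the SQL text altogether. The session check micknc describes only moves the problem to whoever holds an account; it does not change what the query does with the key.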
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Re: Checkbox mayhem

Post by califdon »

chaos wrote: I understand your motivations for doing that. I don't agree that it's a good idea. It teaches people to tack on security at the end. Which is like tacking on birth control at the end: it's a little late.
That's the best metaphor I've seen in quite a while! :mrgreen: