
Re: Checkbox mayhem

Posted: Wed Aug 06, 2008 1:04 pm
by micknc
The code that Chaos posted is working. I have read through it and tried to internalize what is happening in each line so that I can reproduce it if need be.
I also have read the article on SQL injections and I will continue to read up on it. This project is for internal office use and requires a login (using sessions) to view any page. Are injections still a huge concern in your opinion? It is hosted on the internet but the only way to get to it is to know the address and user accounts have to be set up manually.
The reason I ask is that I am really just writing a tool to add to this site. Should I look at cleaning up the rest of it?

Looks like a can of worms.

Re: Checkbox mayhem

Posted: Wed Aug 06, 2008 1:08 pm
by RobertGonzalez
Birth control can't help you in any way if you don't know how to work your zipper. Just a thought.

I am as big a proponent of security as the next coder, but trying to teach security principles and fundamentals to someone who might not even know how an array is acting is a little ahead of the game in my opinion.

That said, this thread is sidetracked enough. Can we not talk security so much at this point, opting rather to actually help the OP get past the initial issue he/she was having?

Re: Checkbox mayhem

Posted: Wed Aug 06, 2008 1:19 pm
by chaos
Everah: Yeah, I already did that too. Note how I subtly included the injection fix along with code that fixed a couple other issues, without apparently confusing (dismaying, but not confusing) the OP. It's seriously just not that hard to teach someone that wrapping their form data retrievals in mysql_real_escape_string() is How You Do It. And every time you post code that just sucks it in raw, you teach them that that is How You Do it.

micknc: Though I hate to say that using unsanitized inputs is ever okay, in that situation, as long as the check for an authenticated session happens before anything else is allowed to interact with the database, all you need to do is sanitize the authentication process itself and you'll be okay (insofar as your users are trustworthy). That is, if all an unauthenticated user can actually touch is the authentication process, then that's what you most need to make sure is clean.

Re: Checkbox mayhem

Posted: Wed Aug 06, 2008 2:16 pm
by dajawu
This while loop displays a bunch of different items from a database with a checkbox for each item. One for accepting the item, the other for deleting the item. Note: I took out all excess code.


 
while ($row = mysql_fetch_row($result))
{
  // $row[0] is the ItemID; it becomes the array key the handler sees in
  // $_POST['accept'] / $_POST['delete']. Escape it for HTML and quote the
  // attributes so a stray character can't break the markup.
  $id = htmlspecialchars($row[0], ENT_QUOTES);
  echo "<td><input type=\"checkbox\" name=\"accept[$id]\"></td>"
     . "<td><input type=\"checkbox\" name=\"delete[$id]\"></td></tr>";
}
 
This code deletes any item that the user checked delete:


 
// Unchecked boxes are not sent at all, so guard against a missing array.
if (!empty($_POST['delete']) && is_array($_POST['delete']))
{
  foreach ($_POST['delete'] as $tmp => $value)
  {
    $id = (int) $tmp;   // the key comes straight from the form; force it to an integer before it touches SQL
    echo "ItemID " . $id . " has been removed!<br>";
    EmailBadNews($id);
    $sql = "DELETE FROM Items WHERE ItemID = $id LIMIT 1";
    $result = mysql_query($sql) or die(mysql_error());
  }
}
 
The only thing I/You have to add is you get a warning if none of the checkboxes are checked. I guess if you don't check them they don't come through $_POST['delete']; I thought they would just come through as off or something. Oh well, easy enough to add an if statement to check.
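A fuller version of that delete handler, added here as an example and not code from anyone in this thread. It ties chaos's point about never feeding raw form data to the database to dajawu's loop: the array keys of delete[] are attacker-controlled strings (anyone can post delete[1 OR 1=1] by editing the form), so the example keeps only canonical positive integers, binds them as parameters instead of interpolating them, and treats "no boxes ticked" as an empty selection rather than a warning. It assumes a PDO connection in $pdo, the Items(ItemID) table from dajawu's post, the EmailBadNews() function from the same post, and that the session check has already run before this code, as chaos recommends.

```php
<?php
// Added example, not code from the thread. Assumes: $pdo is a PDO connection,
// table Items with column ItemID, and EmailBadNews($id) exists (dajawu's post).

/**
 * Extract the item IDs the user ticked in the delete[] checkbox group.
 * Unchecked boxes are simply absent from $_POST, so a missing or non-array
 * value means "nothing selected", not an error.
 * Keys come from the form and are attacker-controlled; accept only canonical
 * positive integers ("12", not "12 OR 1=1", "012" or "12.0").
 */
function selectedItemIds(array $post, string $field = 'delete'): array
{
    if (!isset($post[$field]) || !is_array($post[$field])) {
        return [];
    }
    $ids = [];
    foreach (array_keys($post[$field]) as $key) {
        if (preg_match('/\A[1-9][0-9]{0,9}\z/', (string) $key)) {
            $ids[] = (int) $key;
        }
    }
    return array_values(array_unique($ids));
}

/**
 * Delete the selected items with one prepared statement. The IDs travel as
 * bound integer parameters, so they can never be parsed as SQL.
 * Returns the number of rows removed.
 */
function deleteItems(PDO $pdo, array $ids): int
{
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM Items WHERE ItemID IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handler. Runs only after the authenticated-session check.
$ids = selectedItemIds($_POST);
if ($ids === []) {
    echo "Nothing was selected.<br>";
} else {
    foreach ($ids as $id) {
        EmailBadNews($id);
        echo "ItemID " . $id . " has been removed!<br>";
    }
    $removed = deleteItems($pdo, $ids);
}
```

The whitelist regex is deliberately strict: PHP turns a key like "12" into an integer key but leaves "12 OR 1=1" as a string key, and a plain (int) cast would silently turn the latter into 12, hiding the tampering instead of rejecting it. Binding with PDO::PARAM_INT is the second layer; either one alone would stop the injection, and using both costs nothing.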

Re: Checkbox mayhem

Posted: Wed Aug 06, 2008 3:30 pm
by califdon
chaos wrote:I understand your motivations for doing that. I don't agree that it's a good idea. It teaches people to tack on security at the end. Which is like tacking on birth control at the end: it's a little late.
That's the best metaphor I've seen in quite a while! :mrgreen: