Checkbox mayhem
Posted: Tue Aug 05, 2008 5:50 pm
by micknc
I am developing a tool for users to be able to print a pdf page dynamically. The problem I am having is thinking through the logic of the checkboxes. Let me tell you what happens and try and get some suggestions from you guys.
1. The user searches for a group of contacts. That search will return 10-30 contacts in a given area.
2. The user then clicks checkboxes beside the contact that he wants to send a letter to. (that could be all of them, half or just a few based on the history with the contact)
Now here is where I am not sure where to go. I will have multiple versions of the variable (the contact id). I thought about looping through them somehow to create the pdf (which has to be on one document with a new page for each contact).
My big problem is how do I recognize an ever changing number of the same variable? When I insert that variable into a query how will I get that query to loop through all the variables?
If I can get through the query I have the rest figured out but I am a little stuck. I am not asking you write a bunch of code for me. Just help talk me through the logic of how you would do this.
Thanks!
Re: Checkbox mayhem
Posted: Tue Aug 05, 2008 10:18 pm
by califdon
Sounds like a job for an array. In PHP you can keep adding elements to an array without worrying about the value of the index or any limit on the number of elements. Once you have filled the array, you can get the count of the number of elements. Using that, you can loop through multiple queries, or perhaps (if you're talking a max of maybe 30 contacts) just string them together and use a WHERE ... IN (...) clause in your query.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 1:35 am
by RobertGonzalez
If your checkboxes are passed as row ids in the table you are querying then you can do a simple select * from table where id IN ($_POST['rowids']) type of query.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 11:42 am
by micknc
Thanks for the direction guys,
I have a test form I am working on and it looks like this:
Code:
echo "<form action='test_array.php' method='post'>";
// one checkbox per contact; the [] suffix makes PHP collect the checked values into the $_POST['rowids'] array
echo "<input type='checkbox' name='rowids[]' value='AL150541'>Mt. Pleasant";
echo "<input type='checkbox' name='rowids[]' value='WV800391'>Oceana";
echo "<input type='checkbox' name='rowids[]' value='WV725151'>MT. Hope";
echo "<input type='checkbox' name='rowids[]' value='WV750121'>Dunlow";
echo "<input type='submit' value='Submit'/>";
echo "</form>";
Then the query looks like this:
Code:
$connection=mysql_connect (localhost, $username, $password);
$db_selected = mysql_select_db($database, $connection);
$sql = "SELECT * FROM contacts WHERE id IN ($_POST['rowids'])";
$data = mysql_query($sql);
while($result = mysql_fetch_array( $data ))
I am getting the old "Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in /home/thedonah/public_html/fwbim/test_array.php"
I have tried about 20 different variations of the IN () statement. Do you see what I should do?
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 11:53 am
by RobertGonzalez
Before doing all that database connection stuff, try dumping the $_POST['rows'] var to see what is in it.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 11:57 am
by EverLearning
1) To access arrays in strings you have to enclose them in curly braces {} (that's why you get the error message)
2) $_POST['rowids'] is an array itself so you can't use it directly in your SQL query. You need to make it into a string
So it should look like this
Code:
$rowids = join(", ", $_POST['rowids']);
$sql = "SELECT * FROM contacts WHERE id IN ({$rowids})";
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:26 pm
by micknc
I am getting this error:
Warning: join() [function.join]: Bad arguments. in /home/thedonah/public_html/fwbim/test_array.php on line 5
From this line:
Code:
$rowids = join(", ", $_POST['rowids']);
Also I used
Code:
print_r(array_values($$_POST['rowids']));
and got:
Array ( [0] => WV800391 [1] => WV725151 [2] => WV750121 )
which is accurate based on my test selection.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:36 pm
by EverLearning
Dump $_POST['rowids'] as Everah suggested. Use this and paste the results here:
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:40 pm
by micknc
array(3) { [0]=> string(8) "WV800391" [1]=> string(8) "WV725151" [2]=> string(8) "WV750121" }
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:44 pm
by RobertGonzalez
Now do this:
Code:
<?php
$str = implode(',', $_POST['rowids']);
var_dump($str);
?>
And post back the results
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:44 pm
by chaos
You should only get that 'Bad arguments' error if no checkboxes were selected. (You'll need to account for that case in general.)
Everyone: for the love of God, please do not just let people keep writing
SQL-injection-vulnerable code.
micknc, you should do something like this:
Code:
// nothing checked: PHP sends no 'rowids' key at all, so bail out before touching the database
if (!isset($_POST['rowids'])) {
    die('No selections made');
}
$connection = mysql_connect('localhost', $username, $password);
$db_selected = mysql_select_db($database, $connection);
// escape every submitted id and wrap it in quotes, because the ids are strings, not numbers
$rowids_array = array();
foreach ($_POST['rowids'] as $rowid) {
    $rowids_array[] = "'" . mysql_real_escape_string($rowid, $connection) . "'";
}
$rowids_string = join(', ', $rowids_array);
$sql = "SELECT * FROM contacts WHERE id IN ($rowids_string)";
The extra bits to do with the rowids will not only make your SQL query usable at all (since all previous versions depended on purely numeric keys, and you're using string keys), but stop every slightly knowledgeable hacker in the universe from being able to do whatever they like to your database.
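The same idea (an array of checkbox values turned into a WHERE ... IN (...) query, with the empty-selection case handled) written with PDO prepared statements instead of mysql_real_escape_string, since the mysql_* extension was removed in PHP 7. This is an added example, not code posted in the thread: the table and column names (contacts, id) and the id format (two letters, six digits, as on the test form) come from the thread; the DSN, credentials and function names are assumptions.

```php
<?php
// Added example: safe IN (...) query from a checkbox array with PDO placeholders.
// Table/column names follow the thread; DSN and credentials are placeholders.
declare(strict_types=1);

/**
 * Validate the submitted checkbox values and build a parameterised IN() query.
 * Returns [$sql, $params]; throws if nothing was selected or an id is malformed.
 */
function buildContactQuery(array $post): array
{
    // No checkbox checked: the browser sends no 'rowids' field at all.
    if (!isset($post['rowids']) || !is_array($post['rowids']) || $post['rowids'] === []) {
        throw new InvalidArgumentException('No selections made');
    }

    $ids = [];
    foreach ($post['rowids'] as $id) {
        // Allow-list check: ids on the form look like AL150541 (assumed format).
        // Anything else (a tampered value, a stray array) is rejected outright.
        if (!is_string($id) || !preg_match('/^[A-Z]{2}\d{6}$/', $id)) {
            throw new InvalidArgumentException('Rejected contact id');
        }
        $ids[] = $id;
    }
    $ids = array_values(array_unique($ids));

    // One "?" per id; the values are bound at execute time and never spliced
    // into the SQL string, so quoting/escaping is no longer the caller's job.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $sql = "SELECT * FROM contacts WHERE id IN ($placeholders)";
    return [$sql, $ids];
}

/** Run the query and return one row per selected contact (one PDF page each). */
function fetchSelectedContacts(PDO $pdo, array $post): array
{
    [$sql, $params] = buildContactQuery($post);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage with placeholder connection details (assumed, not from the thread):
// $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
// ]);
// foreach (fetchSelectedContacts($pdo, $_POST) as $contact) { /* add a PDF page */ }

// Constructed sample input mirroring the var_dump output posted in the thread:
$sample = ['rowids' => ['WV800391', 'WV725151', 'WV750121']];
[$sql, $params] = buildContactQuery($sample);
// $sql    is "SELECT * FROM contacts WHERE id IN (?, ?, ?)"
// $params is ['WV800391', 'WV725151', 'WV750121']
```

The allow-list regex is the part worth keeping even if you stay on the old mysql_* functions: it rejects anything that is not shaped like a contact id before the value gets near the query, and it turns a missing or empty selection into an explicit error instead of the "Bad arguments" warning from join().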
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:46 pm
by EverLearning
It looks OK to me. join() function should work just fine with that array. Could you post a more complete code snippet? Since it seems that you're executing that join(", ", $_POST['rowids']) even if it's empty, whether that's because no checkbox has been checked, or because user didn't submit the page.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:54 pm
by EverLearning
@chaos: We're just trying to guide him along until he reaches his goal, without confusing him too much, or doing all of his work for him. Yes, we KNOW that the code we provided is SQL injection vulnerable. At the end we would have told him something along the lines: "Now that you have accomplished what you wanted, you should know that this code is vulnerable, and that you should use this, and this, and this, and read up on these topics ...".
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:57 pm
by RobertGonzalez
SQL injection prevention means nothing if he cannot wrap his mind around getting past the array to build a query. We will get to that, but he needs to get the basics down first.
Patience. We'll get to it.
Re: Checkbox mayhem
Posted: Wed Aug 06, 2008 12:59 pm
by chaos
I understand your motivations for doing that. I don't agree that it's a good idea. It teaches people to tack on security at the end. Which is like tacking on birth control at the end: it's a little late.