need a help with multi form and $_POST[]

ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

need a help with multi form and $_POST[]

Post by ernest1a »

Please help me with this question. I have a profile page where the user can edit his data. He can also add his own titles. Beside every title there is also a check box. If checked, the value is yes.

I don't know how to move the value from each check box to the table. The problem is that I can not get the value of $uTitle. To test if the value of it is there, I uncomment the 8th line. I have no idea why it doesn't echo $uTitle.

The second problem is that, even if the value was saved, I don't know how to save it into the table under the column Privacy, because under $key there aren't just values of uTitle but also of ID.

Image

Code: Select all

 
<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
        <table>
            <?php
            echo "
            <tr>
                <td>Title</td><td>Value</td><td>Privacy</td>
            </tr>";
            //echo $_POST[$uTitle];
            if (isset($_POST))  {
            foreach ($_POST as $key => $value )
               {
               mysql_query ("UPDATE titles SET uValue = '$value' WHERE ID ='$key'");
               }
               }
            $query =  "SELECT * FROM titles WHERE UserID = $ID";
            $result = mysql_query($query);
            $row = mysql_fetch_assoc($result);
            echo "<br /><b>Edit data:</b>  <br /><br />";
            while($row = mysql_fetch_assoc($result))
            {
            extract ($row);
            echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'>
            </tr>";
            }
            ?>
            <tr><td><input type="submit" value="Update"></td>
            </tr>
        </table>
    </form>
 
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: need a help with multi form and $_POST[]

Post by Skoalbasher »

Your Post is wrong.. that's why

Code: Select all

 
echo $_POST['uTitle'];
 
That's how you should do it.
ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

Re: need a help with multi form and $_POST[]

Post by ernest1a »

But $uTitle is a variable from extract ($row); and I used it as a variable (name='$uTitle'), so you can not write it as a string.

Code: Select all

 
     extract ($row);
     echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'>
 
 
 
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: need a help with multi form and $_POST[]

Post by Skoalbasher »

ernest1a wrote:but $uTitle is a variable from extract ($row); and I used it as variable (name='$uTitle'), so you can not write it as string.

Code: Select all

 
     extract ($row);
     echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'>
 
 
 
Yeah, but you are POSTING. Right? You get the data, put it in a form. When the user hits submit, that becomes a variable that you pull like $_POST['variable_without_a_$'];

Unless you have it declared further up. But whenever a form is posted, that's how you grab the info.

^^ The part above seems right. ^^
ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

Re: need a help with multi form and $_POST[]

Post by ernest1a »

Thank you for trying to help me.

But it is already in a variable before it is posted. That is the problem. There is a difference between

Code: Select all

<td><input type='checkbox' name='uTitle' value='yes'>
or

Code: Select all

<td><input type='checkbox' name='$uTitle' value='yes'>
If it would be like in the first case, you would be right, but it is like in the second.

I get from the foreach statement a different value from the table for each uTitle. So for many rows at the same time a different value of uTitle is moved into $_POST[]. And I use name='$uTitle' for each check box because I need to know to which uTitle each check box belongs.

I don't know how to explain in a better way, please see the image and the code.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: need a help with multi form and $_POST[]

Post by andym01480 »

The extract() is line 22 your

Code: Select all

//echo $_POST[$uTitle]
is line 8 - where it is still posted data if the form has been submitted. It only becomes $uTitle after the extract() - which is a bad way of doing things, especially as you are not filtering or escaping the form data - which puts you in danger of people hacking your database.
Entering

Code: Select all

Nick',DROP titles
in the form might cause you some problems!
Worse would be if someone created a form and then posted it to your web address

Code: Select all

<form action="your web address" method="post">
<input type="text" name="',DROP titles"/>
<input type="submit" value="Update">
</form>
You are not checking the form field names or data and updating your database with them - so a form name ',DROP titles would lose your data, because it would become part of $key. Hackers could find out your password and do all sorts of other things too.
jh_1981
Forum Newbie
Posts: 22
Joined: Fri Jan 30, 2009 6:21 pm

Re: need a help with multi form and $_POST[]

Post by jh_1981 »

<td><input type='checkbox' name='uTitle[]' value='yes'>
<?
$uTitle_array=$_POST['uTitle'];
?>
ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

Re: need a help with multi form and $_POST[]

Post by ernest1a »

I am attaching a photo of table, so you can get the idea about it.
Image
Last edited by ernest1a on Sat Jan 31, 2009 6:32 pm, edited 1 time in total.
ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

Re: need a help with multi form and $_POST[]

Post by ernest1a »

jh_1981 wrote:<td><input type='checkbox' name='uTitle[]' value='yes'>
<?
$uTitle_array=$_POST['uTitle'];
?>
Thanks, but that doesn't work either. Maybe the table image I posted will explain something more.
ernest1a
Forum Newbie
Posts: 13
Joined: Tue Dec 16, 2008 6:25 am

Re: need a help with multi form and $_POST[]

Post by ernest1a »

I just solved the problem. Thanks everybody trying to help me!

Code: Select all

 
   if (isset($_POST))  {
            foreach ($_POST as $key => $value )
               {
               if ($value=='yes' || $value=='no') {
               mysql_query ("UPDATE titles SET privacy='$value' WHERE uTitle='$key'"); }
               else {
               mysql_query ("UPDATE titles SET uValue = '$value' WHERE ID ='$key'");
               }
               }
               }
 
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: need a help with multi form and $_POST[]

Post by andym01480 »

Please at least escape using mysql_real_escape_string() on your user inputted data in the queries.
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: need a help with multi form and $_POST[]

Post by Skoalbasher »

andym01480 wrote:Please at least escape using mysql_real_escape_string() on your user inputted data in the queries.
Does this take any sql out? I mean, what if the user decides to make the name "WHERE". Would it not take that? Does it make it ""?

I'm just wondering, because this seems like some important information to know.
andym01480
Forum Contributor
Posts: 390
Joined: Wed Apr 19, 2006 5:01 pm

Re: need a help with multi form and $_POST[]

Post by andym01480 »

Really important! - There are some very silly people who do some bad things. If you use user input data to go in a database and are not secure they could steal your password, delete it and do all sorts. If you send emails they can spam the world. If you output user input to the browser, they can steal people's cookies, passwords, all sorts. 8O

Never trust anything from $_POST, $_GET, $_SESSION, $_REQUEST, even $_SERVER

You must always check that input is what it should be - Validating - ctype_alpha, ctype_digit and so on are helpful
And escape it - make it safe for output to the browser, database, email etc - htmlentities(), mysql_real_escape_string().

I found this resource a good start http://ilia.ws/files/phpworks_security.pdf
In your script you must wrap all user input that will go in a database with mysql_real_escape_string() and preferably do some validation too.
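
The validation and escaping advice above, applied to the update handler from this thread, as an added example that is not part of any poster's code. It uses PDO prepared statements in place of mysql_real_escape_string() (the mysql_* extension was removed in PHP 7); the value[ID] / privacy[ID] field names, the in-memory SQLite table, the 255-character limit and the sample request are assumptions made for the example.

```php
<?php
// Added example: table and column names follow the thread; PDO, the SQLite
// stand-in and the value[ID] / privacy[ID] field naming are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE titles (ID INTEGER PRIMARY KEY, UserID INTEGER,
           uTitle TEXT, uValue TEXT, privacy TEXT DEFAULT 'no')");
$db->exec("INSERT INTO titles (ID, UserID, uTitle, uValue) VALUES
           (1, 7, 'Nick', 'ernie'), (2, 7, 'City', 'Oslo'), (3, 8, 'Nick', 'other')");

function updateTitles(PDO $db, int $userId, array $post): int
{
    $values  = is_array($post['value'] ?? null)   ? $post['value']   : [];
    $privacy = is_array($post['privacy'] ?? null) ? $post['privacy'] : [];
    // Placeholders keep data out of the SQL text; UserID limits rows to the owner.
    $stmt = $db->prepare('UPDATE titles SET uValue = :v, privacy = :p
                          WHERE ID = :id AND UserID = :uid');
    $changed = 0;
    foreach ($values as $id => $value) {
        // Validate: key must be a numeric row ID, value a short string (255 is assumed).
        if (!ctype_digit((string) $id) || !is_string($value) || strlen($value) > 255) {
            continue;
        }
        // An unchecked box is not submitted at all, so absence means 'no'.
        $p = (($privacy[$id] ?? '') === 'yes') ? 'yes' : 'no';
        $stmt->execute([':v' => $value, ':p' => $p, ':id' => (int) $id, ':uid' => $userId]);
        $changed += $stmt->rowCount();
    }
    return $changed;
}

// Constructed request body: two legitimate rows, one row owned by another
// user, and one field whose name is the string from the post above.
$post = [
    'value'   => ['1' => "O'Brien", '2' => 'Bergen', '3' => 'x', "',DROP titles" => 'x'],
    'privacy' => ['1' => 'yes'],
];
echo updateTitles($db, 7, $post), " rows updated\n";

// Escape on output as well, when writing the form back to the browser.
foreach ($db->query('SELECT * FROM titles WHERE UserID = 7') as $row) {
    $id = (int) $row['ID'];
    printf("<tr><td><b>%s</b></td><td><input type='text' name='value[%d]' value='%s'></td>"
         . "<td><input type='checkbox' name='privacy[%d]' value='yes'%s></td></tr>\n",
        htmlspecialchars($row['uTitle'], ENT_QUOTES), $id,
        htmlspecialchars($row['uValue'], ENT_QUOTES), $id,
        $row['privacy'] === 'yes' ? ' checked' : '');
}
```

Keying both inputs by row ID removes the need to tell text fields and check boxes apart by their value, and the UserID condition stops a posted ID from touching another user's row.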
Skoalbasher
Forum Contributor
Posts: 147
Joined: Thu Feb 07, 2008 8:09 pm

Re: need a help with multi form and $_POST[]

Post by Skoalbasher »

andym01480 wrote:Really important! - There are some very silly people who do some bad things. If you use user input data to go in a database and are not secure they could steal your password, delete it and do all sorts. If you send emails they can spam the world. If you output user input to the browser, they can steal people's cookies, passwords, all sorts. 8O

Never trust anything from $_POST, $_GET, $_SESSION, $_REQUEST, even $_SERVER

You must always check that input is what it should be - Validating - ctype_alpha, ctype_digit and so on are helpful
And escape it - make it safe for output to the browser, database, email etc - htmlentities(), mysql_real_escape_string().

I found this resource a good start http://ilia.ws/files/phpworks_security.pdf
In your script you must wrap all user input that will go in a database with mysql_real_escape_string() and preferably do some validation too.
That's awesome, thanks for the tip. I've been looking for something like that.