
need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 4:02 pm
by ernest1a
Please help me with this question. I have a profile page where a user can edit his data. He can also add his own titles. Beside every title there is also a check box. If it is checked, the value is yes.

I don't know how to move the value from each check box to the table. The problem is that I cannot get the value of $uTitle. To test whether its value is there, I uncommented the 8th line. I have no idea why it doesn't echo $uTitle.

The second problem is that, even if the value was saved, I don't know how to save it into the table under the column Privacy, because $key holds not just values of uTitle but also of ID.

[image attachment]

Code:

<form action="<?=$_SERVER['PHP_SELF']?>" method="post">
        <table>
            <?php
            echo "
            <tr>
                <td>Title</td><td>Value</td><td>Privacy</td>
            </tr>";
            //echo $_POST[$uTitle];
            if (isset($_POST))  {   // always true: $_POST exists even when nothing was submitted
            foreach ($_POST as $key => $value )
               {
               mysql_query ("UPDATE titles SET uValue = '$value' WHERE ID ='$key'");   // $key and $value are raw form input
               }
               }
            $query =  "SELECT * FROM titles WHERE UserID = $ID";
            $result = mysql_query($query);
            // do not fetch a row here: it would be thrown away and the first title would never be shown
            echo "<br /><b>Edit data:</b>  <br /><br />";
            while($row = mysql_fetch_assoc($result))
            {
            extract ($row);   // creates $ID, $uTitle, $uValue, ... from the row's columns
            echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'></td>
            </tr>";
            }
            ?>
            <tr><td><input type="submit" value="Update"></td>
            </tr>
        </table>
    </form>

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 4:58 pm
by Skoalbasher
Your POST is wrong... that's why.

Code:

echo $_POST['uTitle'];
That's how you should do it.

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 5:13 pm
by ernest1a
But $uTitle is a variable from extract($row); and I used it as a variable (name='$uTitle'), so you cannot write it as a string.

Code:

     extract ($row);   // creates $ID, $uTitle, $uValue from the row's columns
     echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'></td>

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 5:29 pm
by Skoalbasher
ernest1a wrote: But $uTitle is a variable from extract($row); and I used it as a variable (name='$uTitle'), so you cannot write it as a string.

Code:

     extract ($row);   // creates $ID, $uTitle, $uValue from the row's columns
     echo "
            <tr>
                <td><b>$uTitle</b></td>
                <td><input type='text' name='$ID' value='$uValue'></td>
                <td><input type='checkbox' name='$uTitle' value='yes'></td>
Yeah, but you are POSTING, right? You get the data and put it in a form. When the user hits submit, that becomes a variable that you pull like $_POST['variable_without_a_$'];

Unless you have it declared further up. But whenever a form is posted, that's how you grab the info.

^^ The part above seems right. ^^

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 5:50 pm
by ernest1a
Thank you for trying to help me.

But it is already in a variable before it is posted. That is the problem. There is a difference between

Code:

<td><input type='checkbox' name='uTitle' value='yes'></td>
or

Code:

<td><input type='checkbox' name='$uTitle' value='yes'></td>
If it were like the first case, you would be right, but it is like the second.

From the foreach statement I get a different value of uTitle from the table for each row. So for many rows at the same time, a different value of uTitle is moved into $_POST[]. And I use name='$uTitle' for each check box because I need to know which uTitle each check box belongs to.

I don't know how to explain it in a better way; please see the image and the code.

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 5:55 pm
by andym01480
The extract() is on line 22; your

Code:

//echo $_POST[$uTitle]
is on line 8, where it is still posted data if the form has been submitted. It only becomes $uTitle after the extract(), which is a bad way of doing things, especially as you are not filtering or escaping the form data, which puts you in danger of people hacking your database.
Entering

Code:

Nick',DROP titles
in the form might cause you some problems!
Worse would be if someone created a form and then posted it to your web address:

Code:

<form action="your web address" method="post">
<input type="text" name="',DROP titles"/>
<input type="submit" value="Update">
</form>
You are not checking the form field names or data and are updating your database with them, so a form name ',DROP titles would lose your data, because it would become part of $key. Hackers could find out your password and do all sorts of other things too.

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 6:02 pm
by jh_1981
<td><input type='checkbox' name='uTitle[]' value='yes'></td>
<?php
$uTitle_array = $_POST['uTitle'];   // every checked box lands in one array
?>

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 6:08 pm
by ernest1a
I am attaching a photo of the table, so you can get an idea of it.
[image attachment]

Re: need a help with multi form and $_POST[]

Posted: Sat Jan 31, 2009 6:12 pm
by ernest1a
jh_1981 wrote: <td><input type='checkbox' name='uTitle[]' value='yes'></td>
<?php
$uTitle_array = $_POST['uTitle'];
?>
Thanks, but that doesn't work either. Maybe the table image I posted will explain something more.

Re: need a help with multi form and $_POST[]

Posted: Sun Feb 01, 2009 4:33 am
by ernest1a
I just solved the problem. Thanks to everybody trying to help me!

Code:

   if (isset($_POST))  {   // always true: $_POST exists even with no submission
       foreach ($_POST as $key => $value )
       {
           // a 'yes'/'no' value comes from a check box (keyed by uTitle);
           // note that an unchecked box is not sent at all, so 'no' never arrives
           if ($value=='yes' || $value=='no') {
               mysql_query ("UPDATE titles SET privacy='$value' WHERE uTitle='$key'"); }
           else {
               // anything else is a text field (keyed by ID); $key and $value are still raw input
               mysql_query ("UPDATE titles SET uValue = '$value' WHERE ID ='$key'");
           }
       }
   }

Re: need a help with multi form and $_POST[]

Posted: Sun Feb 01, 2009 5:12 am
by andym01480
Please at least escape using mysql_real_escape_string() on your user inputted data in the queries.

Re: need a help with multi form and $_POST[]

Posted: Mon Feb 02, 2009 10:25 am
by Skoalbasher
andym01480 wrote:Please at least escape using mysql_real_escape_string() on your user inputted data in the queries.
Does this take any SQL out? I mean, what if the user decides to make the name "WHERE"? Would it not take that? Does it make it ""?

I'm just wondering, because this seems like some important information to know.

Re: need a help with multi form and $_POST[]

Posted: Mon Feb 02, 2009 11:51 am
by andym01480
Really important! There are some very silly people who do some bad things. If you use user input data to go in a database and are not secure, they could steal your password, delete it and do all sorts. If you send emails, they can spam the world. If you output user input to the browser, they can steal people's cookies, passwords, all sorts. 8O

Never trust anything from $_POST, $_GET, $_SESSION, $_REQUEST, even $_SERVER.

You must always check that input is what it should be (validating: ctype_alpha, ctype_digit and so on are helpful),
and escape it, i.e. make it safe for output to the browser, database, email etc.: htmlentities(), mysql_real_escape_string().

I found this resource a good start http://ilia.ws/files/phpworks_security.pdf
In your script you must wrap all user input that will go in a database with mysql_real_escape_string() and preferably do some validation too.
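A hardened version of the update loop from ernest1a's solution, added here as an example (it is not code from the thread) and covering both of andym01480's points: the form-field name must never reach the SQL, and every value is validated and bound rather than interpolated. It assumes the form names its inputs value[ID] and privacy[ID] (the title's numeric ID as the key instead of the uTitle string), a mysqli connection $db with mysqlnd (for get_result()), $userId taken from the session rather than the form, and the titles table columns used in the thread.

```php
<?php
// Added example, not the thread's code: a hardened version of the update loop.
// Assumptions: the form names its inputs value[<ID>] and privacy[<ID>] (so the
// only user-controlled key is the numeric title ID, never a title string),
// $db is a mysqli connection (mysqlnd, for get_result()) and $userId is the
// logged-in user's ID taken from the session, not from the form.
function updateTitles(mysqli $db, int $userId, array $post): int
{
    $updated = 0;

    // Text values: validate the key, bind the value; nothing is interpolated
    // into SQL, so a value like "Nick',DROP titles" is stored as plain text.
    $stmt = $db->prepare('UPDATE titles SET uValue = ? WHERE ID = ? AND UserID = ?');
    foreach ((array)($post['value'] ?? []) as $id => $value) {
        if (!ctype_digit((string)$id) || !is_string($value)) {
            continue;                       // reject non-numeric IDs and nested arrays
        }
        $id = (int)$id;
        $stmt->bind_param('sii', $value, $id, $userId);
        $stmt->execute();
        $updated += $stmt->affected_rows;
    }
    $stmt->close();

    // Checkboxes: an unchecked box is simply absent from $_POST, so a 'no'
    // never arrives. Walk the user's own rows and set each one explicitly.
    $checked = array_map('intval', array_keys((array)($post['privacy'] ?? [])));
    $rows = $db->prepare('SELECT ID FROM titles WHERE UserID = ?');
    $rows->bind_param('i', $userId);
    $rows->execute();
    $stmt = $db->prepare('UPDATE titles SET privacy = ? WHERE ID = ? AND UserID = ?');
    foreach ($rows->get_result()->fetch_all(MYSQLI_ASSOC) as $row) {
        $id      = (int)$row['ID'];
        $privacy = in_array($id, $checked, true) ? 'yes' : 'no';
        $stmt->bind_param('sii', $privacy, $id, $userId);
        $stmt->execute();
        $updated += $stmt->affected_rows;
    }
    $stmt->close();
    $rows->close();
    return $updated;
}

// Matching form row (the ID, cast to int, becomes the array key; $uValue goes
// through htmlspecialchars() before being echoed into the value attribute):
//   <td><input type='text' name='value[$ID]' value='$uValue'></td>
//   <td><input type='checkbox' name='privacy[$ID]' value='yes'></td>
```

The WHERE clause also scopes every update to UserID, so a submitted ID belonging to another user's title changes nothing.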

Re: need a help with multi form and $_POST[]

Posted: Mon Feb 02, 2009 11:59 am
by Skoalbasher
andym01480 wrote: Really important! There are some very silly people who do some bad things. If you use user input data to go in a database and are not secure, they could steal your password, delete it and do all sorts. If you send emails, they can spam the world. If you output user input to the browser, they can steal people's cookies, passwords, all sorts. 8O

Never trust anything from $_POST, $_GET, $_SESSION, $_REQUEST, even $_SERVER.

You must always check that input is what it should be (validating: ctype_alpha, ctype_digit and so on are helpful),
and escape it, i.e. make it safe for output to the browser, database, email etc.: htmlentities(), mysql_real_escape_string().

I found this resource a good start http://ilia.ws/files/phpworks_security.pdf
In your script you must wrap all user input that will go in a database with mysql_real_escape_string() and preferably do some validation too.
That's awesome, thanks for the tip. I've been looking for something like that.