Populating form from database, then passing results to next page

I have a multiple select input in a form that's being populated by a row
from my database as such:
<input type=\"checkbox\" name=\"subm[]\" value=\"$row[ID]\">

That part is working fine as I can check the displayed page using View
Source and see that the value is the correct row number from the
database. It is then being submitted on a form by $_POST method to
another page where I want to evaluate the checkboxes and display the
contents of the entire row that corresponds to each value=\"$row[ID]\"
that have been checked. But I can't seem to get it to work. I'm having a
problem passing the selected value. Can someone point me in the right
direction?


$query = ("SELECT * FROM `table`");
$result = mysql_query($query);

print "<p>Data for Selections:";
print "<table border=2><tr><th>You chose:";

foreach ($_POST['subm'] as $value) {
print "<tr><td>";
print "$row[ID];\n";
print mysql_field_name($result, 1) . ": " . $row[name]."<br>";
print mysql_field_name($result, 2) . ": " . $row[address]."<br>";
print mysql_field_name($result, 3) . ": " . $row[city]."<br>";
print "</td></tr>";
print "</table>\n";
}

if (!isset($_POST['subm'])){
print "<p>No matching entry ";
}

mysql_close();

re: Populating form from database, then passing results to next page

On Wed, 2006-04-05 at 19:55 -0400, JackM wrote:[color=blue]
> I have a multiple select input in a form that's being populated by a row
> from my database as such:
> <input type=\"checkbox\" name=\"subm[]\" value=\"$row[ID]\">
>
> That part is working fine as I can check the displayed page using View
> Source and see that the value is the correct row number from the
> database. It is then being submitted on a form by $_POST method to
> another page where I want to evaluate the checkboxes and display the
> contents of the entire row that corresponds to each value=\"$row[ID]\"
> that have been checked. But I can't seem to get it to work. I'm having a
> problem passing the selected value. Can someone point me in the right
> direction?
>
>
> $query = ("SELECT * FROM `table`");
> $result = mysql_query($query);
>
> print "<p>Data for Selections:";
> print "<table border=2><tr><th>You chose:";
>[/color]

Try this instead (notice the quotes around array keys):

while($row = mysql_fetch_array($result)) {
if(in_array(strval($row['ID']), $_POST['subm'])) {[color=blue]
> print "<tr><td>";
> print "{$row['ID']}\n";
> print mysql_field_name($result, 1) . ": " . $row['name']."<br>";
> print mysql_field_name($result, 2) . ": " . $row['address']."<br>";
> print mysql_field_name($result, 3) . ": " . $row['city']."<br>";
> print "</td></tr>";
> print "</table>\n";[/color]
}
}[color=blue]
> if (!isset($_POST['subm'])){
> print "<p>No matching entry ";
> }
>
> mysql_close();[/color]

re: Populating form from database, then passing results to next page

Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
contained the following:
[color=blue][color=green]
>> $query = ("SELECT * FROM `table`");
>> $result = mysql_query($query);
>>
>> print "<p>Data for Selections:";
>> print "<table border=2><tr><th>You chose:";
>>[/color]
>
>Try this instead (notice the quotes around array keys):
>
>while($row = mysql_fetch_array($result)) {
> if(in_array(strval($row['ID']), $_POST['subm'])) {[/color]

Alternatively, just get the rows you want from the database.

$ids=implode(",",$_POST['subm']);
$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
//print rows
}
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

re: Populating form from database, then passing results to next page

On Thu, 2006-04-06 at 08:43 +0100, Geoff Berrow wrote:[color=blue]
> Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
> contained the following:
>[color=green][color=darkred]
> >> $query = ("SELECT * FROM `table`");
> >> $result = mysql_query($query);
> >>
> >> print "<p>Data for Selections:";
> >> print "<table border=2><tr><th>You chose:";
> >>[/color]
> >
> >Try this instead (notice the quotes around array keys):
> >
> >while($row = mysql_fetch_array($result)) {
> > if(in_array(strval($row['ID']), $_POST['subm'])) {[/color]
>
> Alternatively, just get the rows you want from the database.
>
> $ids=implode(",",$_POST['subm']);
> $query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
> $result = mysql_query($query);
> while($row = mysql_fetch_array($result)) {
> //print rows
> }[/color]

I like this way better.

re: Populating form from database, then passing results to next page

Geoff Berrow wrote:
[color=blue]
> Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
> contained the following:
>[color=green][color=darkred]
>>> $query = ("SELECT * FROM `table`");
>>> $result = mysql_query($query);
>>>
>>> print "<p>Data for Selections:";
>>> print "<table border=2><tr><th>You chose:";
>>>[/color]
>>
>>Try this instead (notice the quotes around array keys):
>>
>>while($row = mysql_fetch_array($result)) {
>> if(in_array(strval($row['ID']), $_POST['subm'])) {[/color]
>
> Alternatively, just get the rows you want from the database.
>
> $ids=implode(",",$_POST['subm']);
> $query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
> $result = mysql_query($query);
> while($row = mysql_fetch_array($result)) {
> //print rows
> }[/color]

Just a security remark:

Is this approach safe for SQL-injection?
Bad guys might send other stuff in the subm-array than numbers...

I am always better safe than sorry, and loop over the results, parse them,
and then feed them to the query.

Something like this:
$id = array();
foreach($_POST["subm"] as $oneNum){
$id[] = (int)$oneNum;
}
$ids = implode(",",$id);
$query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
etc..

A little bit slower probably, but at least the $id[] and the corresponding
$ids string contains only numbers.

Regards,
Erwin Moller

re: Populating form from database, then passing results to next page

Erwin Moller wrote:[color=blue]
> Geoff Berrow wrote:
>
>[color=green]
>>Message-ID: <1144283421.2806.13.camel@localhost.localdomain> from Scott
>>contained the following:
>>
>>[color=darkred]
>>>>$query = ("SELECT * FROM `table`");
>>>>$result = mysql_query($query);
>>>>
>>>>print "<p>Data for Selections:";
>>>>print "<table border=2><tr><th>You chose:";
>>>>
>>>
>>>Try this instead (notice the quotes around array keys):
>>>
>>>while($row = mysql_fetch_array($result)) {
>>>if(in_array(strval($row['ID']), $_POST['subm'])) {[/color]
>>
>>Alternatively, just get the rows you want from the database.
>>
>>$ids=implode(",",$_POST['subm']);
>>$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
>>$result = mysql_query($query);
>>while($row = mysql_fetch_array($result)) {
>>//print rows
>>}[/color]
>
>
> Just a security remark:
>
> Is this approach safe for SQL-injection?
> Bad guys might send other stuff in the subm-array than numbers...
>
> I am always better safe than sorry, and loop over the results, parse them,
> and then feed them to the query.
>
> Something like this:
> $id = array();
> foreach($_POST["subm"] as $oneNum){
> $id[] = (int)$oneNum;
> }
> $ids = implode(",",$id);
> $query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
> etc..
>
> A little bit slower probably, but at least the $id[] and the corresponding
> $ids string contains only numbers.[/color]

Just a question on this way to further my own learning process. Does the
fact that the $_POST['subm'] array is dynamically done on the previous
page prevent one from using it for injection? It's not something that
requires a user to fill in any text info for. It's only a checkbox that
gets checked.

Incidentally, thanks to Scott and Geoff for their solutions. I used
Scott's as I saw it first, tried it and it works just fine. Much obliged
to both of you and to Erwin as well for the assistance.

re: Populating form from database, then passing results to next page

Message-ID: <4KednVLqV7JkS6jZnZ2dnUVZ_sydnZ2d@comcast.com> from JackM
contained the following:
[color=blue][color=green]
>> A little bit slower probably, but at least the $id[] and the corresponding
>> $ids string contains only numbers.[/color]
>
>Just a question on this way to further my own learning process. Does the
>fact that the $_POST['subm'] array is dynamically done on the previous
>page prevent one from using it for injection? It's not something that
>requires a user to fill in any text info for. It's only a checkbox that
>gets checked.[/color]

yes, Erwin is right, user supplied data should ALWAYS be checked before
being used in a query.

There is nothing stopping me downloading your form with checkboxes and
then editing the html to make them send different values. Erwins
solution checks the 'type' of data that is being returned. Other
methods may check that the data is within a range of values that is
acceptable. (for instance you may only want the user to be able to edit
a certain range of ids)

if your id was not an integer you could do this:

foreach($_POST["subm"] as $oneNum){
$id[] = mysql_real_escape_string($oneNum);
}

In fact, I can't immediately see why you should not do
$ids=mysql_real_escape_string(implode(",",$_POST['subm']));

as in my original solution.

Anyone see a problem with that?

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/