Populating form from database, then passing results to next page

I have a multiple select input in a form that's being populated by a row
from my database as such:
<input type="checkbox" name="subm[]" value="$row[ID]">

That part is working fine as I can check the displayed page using View
Source and see that the value is the correct row number from the
database. It is then being submitted on a form by $_POST method to
another page where I want to evaluate the checkboxes and display the
contents of the entire row that corresponds to each value="$row[ID]"
that have been checked. But I can't seem to get it to work. I'm having a
problem passing the selected value. Can someone point me in the right
direction?
$query = ("SELECT * FROM `table`");
$result = mysql_query($query);

print "<p>Data for Selections:";
print "<table border=2><tr><th>You chose:";

foreach ($_POST['subm'] as $value) {
print "<tr><td>";
print "$row[ID];\n";
print mysql_field_name($result, 1) . ": " . $row[name]."<br>";
print mysql_field_name($result, 2) . ": " . $row[address]."<br>";
print mysql_field_name($result, 3) . ": " . $row[city]."<br>";
print "</td></tr>";
print "</table>\n";
}

if (!isset($_POST['subm'])){
print "<p>No matching entry ";
}

mysql_close();
Apr 6 '06 #1
6 Replies
On Wed, 2006-04-05 at 19:55 -0400, JackM wrote:
$query = ("SELECT * FROM `table`");
$result = mysql_query($query);

print "<p>Data for Selections:";
print "<table border=2><tr><th>You chose:";

Try this instead (notice the quotes around array keys):

// Only rows whose ID was among the checked boxes are printed; the table
// is closed once, after the loop, not after every row.
if (isset($_POST['subm'])) {
    while ($row = mysql_fetch_array($result)) {
        if (in_array(strval($row['ID']), $_POST['subm'])) {
            print "<tr><td>";
            print "{$row['ID']}\n";
            print mysql_field_name($result, 1) . ": " . $row['name'] . "<br>";
            print mysql_field_name($result, 2) . ": " . $row['address'] . "<br>";
            print mysql_field_name($result, 3) . ": " . $row['city'] . "<br>";
            print "</td></tr>";
        }
    }
    print "</table>\n";
} else {
    print "<p>No matching entry ";
}

mysql_close();


Apr 6 '06 #2
Message-ID: <11**********************@localhost.localdomain> from Scott
contained the following:
$query = ("SELECT * FROM `table`");
$result = mysql_query($query);

print "<p>Data for Selections:";
print "<table border=2><tr><th>You chose:";


Try this instead (notice the quotes around array keys):

while($row = mysql_fetch_array($result)) {
if(in_array(strval($row['ID']), $_POST['subm'])) {


Alternatively, just get the rows you want from the database.

$ids=implode(",",$_POST['subm']);
$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
//print rows
}
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Apr 6 '06 #3
On Thu, 2006-04-06 at 08:43 +0100, Geoff Berrow wrote:
Alternatively, just get the rows you want from the database.

$ids=implode(",",$_POST['subm']);
$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
//print rows
}


I like this way better.

Apr 6 '06 #4
Geoff Berrow wrote:
Alternatively, just get the rows you want from the database.

$ids=implode(",",$_POST['subm']);
$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
$result = mysql_query($query);
while($row = mysql_fetch_array($result)) {
//print rows
}


Just a security remark:

Is this approach safe for SQL-injection?
Bad guys might send other stuff in the subm-array than numbers...

I am always better safe than sorry, and loop over the results, parse them,
and then feed them to the query.

Something like this:
$id = array();
foreach($_POST["subm"] as $oneNum){
$id[] = (int)$oneNum;
}
$ids = implode(",",$id);
$query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
etc..

A little bit slower probably, but at least the $id[] array and the corresponding
$ids string contain only numbers.

Regards,
Erwin Moller
Apr 6 '06 #5
Erwin Moller wrote:
Just a security remark:

Is this approach safe for SQL-injection?
Bad guys might send other stuff in the subm-array than numbers...

I am always better safe than sorry, and loop over the results, parse them,
and then feed them to the query.

Something like this:
$id = array();
foreach($_POST["subm"] as $oneNum){
$id[] = (int)$oneNum;
}
$ids = implode(",",$id);
$query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
etc..

A little bit slower probably, but at least the $id[] array and the corresponding
$ids string contain only numbers.


Just a question on this way to further my own learning process. Does the
fact that the $_POST['subm'] array is dynamically done on the previous
page prevent one from using it for injection? It's not something that
requires a user to fill in any text info for. It's only a checkbox that
gets checked.

Incidentally, thanks to Scott and Geoff for their solutions. I used
Scott's as I saw it first, tried it and it works just fine. Much obliged
to both of you and to Erwin as well for the assistance.
Apr 7 '06 #6
Message-ID: <4K******************************@comcast.com> from JackM
contained the following:
Just a question on this way to further my own learning process. Does the
fact that the $_POST['subm'] array is dynamically done on the previous
page prevent one from using it for injection? It's not something that
requires a user to fill in any text info for. It's only a checkbox that
gets checked.


Yes, Erwin is right: user-supplied data should ALWAYS be checked before
being used in a query.

There is nothing stopping me downloading your form with checkboxes and
then editing the HTML to make them send different values. Erwin's
solution checks the 'type' of data that is being returned. Other
methods may check that the data is within a range of values that is
acceptable (for instance, you may only want the user to be able to edit
a certain range of ids).

If your id were not an integer, you could do this:

foreach($_POST["subm"] as $oneNum){
$id[] = mysql_real_escape_string($oneNum);
}

In fact, I can't immediately see why you should not do
$ids=mysql_real_escape_string(implode(",",$_POST['subm']));

as in my original solution.

Anyone see a problem with that?

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/
Apr 7 '06 #7
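An added example, not code from this thread, that puts Erwin's cast-to-int check (#5) and Geoff's escaping question (#7) side by side on the same subm[] input. It assumes PHP 7.1 or later; escape_like_mysql() is a stand-in for mysql_real_escape_string() (which needs a live connection) that escapes the same characters, and the sample submissions are constructed.

```php
<?php
// Added example, not code from the thread. Validates a subm[] checkbox
// array before it reaches an IN (...) clause and shows why escaping alone
// does not cover an unquoted numeric context.

// Stand-in for mysql_real_escape_string(), which needs a live connection:
// it escapes only NUL, newline, CR, backslash, both quote characters and ^Z.
function escape_like_mysql(string $value): string
{
    return addcslashes($value, "\0\n\r\\'\"\x1a");
}

// Allow-list validation: every element must be a string of decimal digits
// with no leading zero (auto-increment IDs start at 1). Returns the ints,
// or null if any element fails, so the caller rejects the whole request
// instead of silently "repairing" it the way a bare (int) cast would.
function validated_ids(array $subm): ?array
{
    $ids = [];
    foreach ($subm as $one) {
        // is_string() also rejects nested arrays such as subm[][]=...
        if (!is_string($one) || !preg_match('/^[1-9][0-9]{0,9}$/', $one)) {
            return null;
        }
        $ids[] = (int)$one;
    }
    return $ids;
}

// Builds the query from already-validated integers only.
function in_query(array $ids): string
{
    return "SELECT * FROM `table` WHERE `ID` IN (" . implode(",", $ids) . ")";
}

// Constructed sample inputs: a normal submission and a tampered one
// (anyone can edit the form's HTML before submitting it).
$good = ['3', '7', '12'];
$bad  = ['3', '7 OR 1=1'];

// A tampered value containing no quote or backslash is returned unchanged
// by escaping, so escaping gives no protection inside an unquoted IN (...).
var_dump(escape_like_mysql('7 OR 1=1'));
// The (int) cast keeps only the leading digits and drops the rest silently.
var_dump((int)'7 OR 1=1');
// Strict validation accepts the normal submission and rejects the tampered one.
var_dump(validated_ids($good));
var_dump(validated_ids($bad));
echo in_query(validated_ids($good)), "\n";
```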