By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
440,480 Members | 1,146 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 440,480 IT Pros & Developers. It's quick & easy.

Help with $_POST and $_SERVER['PHP_SELF'] please.

P: n/a
I am using values stored an $_POST array to display records from a table before
asking the user if he is sure he wants to delete them. If the user confirms then
the records are deleted. Without boring you with all of the code here is the
rough idea.

<?php
$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
if (!isset($_POST['submit'])) {
// Then display the records that were marked for deletion
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p align="center"><font face="Arial" size="2"><b>Are you sure you wish to
continue?</b></font></p>
<p align="center"><input type="submit" name="submit" value="Yes I want to delete
these records"></p>
</form>
<?php
}
else {
$query2="DELETE FROM Catalogue WHERE $delete";
mysql_query($query2) or die("Failed Query of " . $query2);
echo "Your records were successfully deleted";
}

Everything works fine up to the point where the user confirms that he wants to
delete the records. Then I get a failed delete query message as follows:

Warning: implode(): Bad arguments. in
mywebsite\user\htdocs\deleteselectedrecords.php on line 17
Failed Query of DELETE FROM Catalogue WHERE ( id = )

Since there are no values for id I can only assume that the original array held
within $_POST['delete'] is no longer stored when the page is refreshed after the
user has confirmed that he wants to delete the records. That being the case how
can I best code the page so that I can use an array in both instances. I'm
hazarding a guess that I may have to pass the array on by using something like
<input='hidden' etc etc>. That being the case how do I do that or is there a
better way of achieving my objective?

Hope that all makes sense.
Regards
Dynamo

May 19 '06 #1
Share this Question
Share on Google+
7 Replies


P: n/a
>I am using values stored an $_POST array to display records from a table before
asking the user if he is sure he wants to delete them. If the user confirms then
the records are deleted. Without boring you with all of the code here is the
rough idea.
You get a new $_POST on each form submission. You do not get
stuff left over from the previous form submission in it.
Since there are no values for id I can only assume that the original array held
within $_POST['delete'] is no longer stored when the page is refreshed after the
user has confirmed that he wants to delete the records. That being the case how
This is the way it's supposed to work. You shouldn't have left-over
crap from previous form submissions. Considering that some of that
data might be credit card numbers or passwords, that would be a horrible
insecurity.
can I best code the page so that I can use an array in both instances. I'm
hazarding a guess that I may have to pass the array on by using something like
<input='hidden' etc etc>. That being the case how do I do that or is there a
better way of achieving my objective?


Two possibilities are (1) store the ID in the session, or (2) put
the ID in a hidden field in the confirmation page form, so it shows
up in the new $_POST. Since it goes through the browser, remember
that this value can be hacked.

Always remember that you need to check whether the user has the
authority to delete the record *AT THE TIME THE CONFIRMATION IS
SUBMITTED*. You checked when generating the confirmation page?
Great, but that alone is not good enough.

Gordon L. Burditt
May 19 '06 #2

P: n/a
Dynamos comments are totally valid, but on the basis that you stripped all
that stuff out, you just need to add a hidden input here to make it work...

(Note: Example typed and not tested)
<?php
$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
if (!isset($_POST['submit']))
{
// Then display the records that were marked for deletion ?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
** Hidden input here **
<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
<p> align="center"><font face="Arial" size="2"><b>Are you sure you wish to
continue?</b></font></p>
<p align="center"><input type="submit" name="submit" value="Yes I want
to delete these records"></p>
</form>


[snip]
Cheers,

Ben
May 20 '06 #3

P: n/a
I kinda guessed that if I used a new php page that the original $_POST array
would be lost. However, I mistakenly thought that if I used $_SERVER['PHP_SELF']
as the action for the form that the array would still be stored. It appears that
that is not the case. So the problem remains of how to EASILY pass the array
from the first page to the next. I had already tried using

<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">

but it didn't work. When I debugged by using

<?php
echo "<pre>\n";
print_r($_POST['delete']);
echo "</pre>\n";
?>

on the second page all I got was the word "Array", hence when that was inserted
into the delete query I got

$query1 = "DELETE FROM Catalogue WHERE id = Array"

So I'm hazarding another guess that my hidden field input should be something
morelike this
<?php
for each (value stored in the array){
?>
<input type="hidden" name="delete[]" value="<?php echo (value stored in array);
?>">
<?php
}
?>

Only problem is I'm not sure what goes into the (value stored in array) part of
the code. Any help greatly appreciated. Is there an easier way of passing the
array?

Regards
Dynamo

In article <pa***************************@bens-house.org.uk>, Ben Holness
says...

Dynamos comments are totally valid, but on the basis that you stripped all
that stuff out, you just need to add a hidden input here to make it work...

(Note: Example typed and not tested)
<?php
$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
if (!isset($_POST['submit']))
{
// Then display the records that were marked for deletion ?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">


** Hidden input here **
<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
<p> align="center"><font face="Arial" size="2"><b>Are you sure you wish to
continue?</b></font></p>
<p align="center"><input type="submit" name="submit" value="Yes I want
to delete these records"></p>
</form>


[snip]
Cheers,

Ben


May 20 '06 #4

P: n/a
Try this,

<?php
foreach ($_REQUEST['delete'] as $val){
?>
<input type="hidden" name="delete[]" value="<?php echo $val; ?>">
<?php
}
?>

Otherwise you can use sessions as Gordon mentions, which is more secure;

At the top of each page add the line

session_start();

When you get the delete array, add it to the session

$_SESSION['deleteArray']=$_REQUEST['delete'];

When you actually want to delete the items, use $_SESSION['deleteArray']

More information under sessions at php.net

Ben
May 20 '06 #5

P: n/a
Dynamo wrote:
I kinda guessed that if I used a new php page that the original $_POST array
would be lost. However, I mistakenly thought that if I used $_SERVER['PHP_SELF']
as the action for the form that the array would still be stored. It appears that
that is not the case. So the problem remains of how to EASILY pass the array
from the first page to the next. I had already tried using

<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">

but it didn't work. When I debugged by using

<?php
echo "<pre>\n";
print_r($_POST['delete']);
echo "</pre>\n";
?>

on the second page all I got was the word "Array", hence when that was inserted
into the delete query I got

$query1 = "DELETE FROM Catalogue WHERE id = Array"

So I'm hazarding another guess that my hidden field input should be something
morelike this
<?php
for each (value stored in the array){
?>
<input type="hidden" name="delete[]" value="<?php echo (value stored in array);
?>">
<?php
}
?>

Only problem is I'm not sure what goes into the (value stored in array) part of
the code. Any help greatly appreciated. Is there an easier way of passing the
array?

Regards
Dynamo

In article <pa***************************@bens-house.org.uk>, Ben Holness
says...
Dynamos comments are totally valid, but on the basis that you stripped all
that stuff out, you just need to add a hidden input here to make it work...

(Note: Example typed and not tested)

<?php
$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
if (!isset($_POST['submit']))
{
// Then display the records that were marked for deletion ?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">


** Hidden input here **
<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
<p> align="center"><font face="Arial" size="2"><b>Are you sure you wish to
continue?</b></font></p>
<p align="center"><input type="submit" name="submit" value="Yes I want
to delete these records"></p>
</form>


[snip]
Cheers,

Ben



Ben,

The problem here is:

value="<?php echo $_POST['delete'];

If $_POST['delete'] is an array, the result will be

value="Array"

in your page. You can see that if you view the source code for your page in
your browser.

Since $_POST['delete'] is an array, you have a couple of choices. You can
serialize the array before storing it, then use htmlentities() in case you have
other chars in the string (i.e. a " mark).

The way I prefer is to store it in the session. Just call session_start() at
the beginning of each page where you need sessions (before ANY output -
including whitespace - is generated) and store it in the session, i.s.

<?php
start_session();
(perhaps other stuff here, i.e. validation code)
$_SESSION['delete'] = $_POST['delete'];
?>

Then the next time through you can get it from $_SESSION['delete'].

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 20 '06 #6

P: n/a
Many thanks. Apart from a couple of false starts everything is now OK. First
time I tried your code I simply copied and pasted it and ended up with an
unknown function error. Although you correctly call it session_start() to begin
with, in the actual sample code you called it start_session(). Second time I
tried it I got a couple of warnings that headers had already been sent and that
the session could not be started. That was because I hadn't called the function
at the ABSOLUTE beginning of the page. I had

<?php
include("connect.php");
session_start();
?>

But when I changed it to

<?php
session_start();
include("connect.php");
?>

Everything was honky dory. I guess a little bit always needs to be left to the
programmer to sort out eh? :-)

Many thanks to all those that helped with this posting

Dynamo


In article <F9******************************@comcast.com>, Jerry Stuckle says...
The way I prefer is to store it in the session. Just call session_start() at
the beginning of each page where you need sessions (before ANY output -
including whitespace - is generated) and store it in the session, i.s.

<?php
start_session();
(perhaps other stuff here, i.e. validation code)
$_SESSION['delete'] = $_POST['delete'];
?>

Then the next time through you can get it from $_SESSION['delete'].


May 20 '06 #7

P: n/a
Dynamo wrote:
Many thanks. Apart from a couple of false starts everything is now OK. First
time I tried your code I simply copied and pasted it and ended up with an
unknown function error. Although you correctly call it session_start() to begin
with, in the actual sample code you called it start_session(). Second time I
tried it I got a couple of warnings that headers had already been sent and that
the session could not be started. That was because I hadn't called the function
at the ABSOLUTE beginning of the page. I had

<?php
include("connect.php");
session_start();
?>

But when I changed it to

<?php
session_start();
include("connect.php");
?>

Everything was honky dory. I guess a little bit always needs to be left to the
programmer to sort out eh? :-)

Many thanks to all those that helped with this posting

Dynamo


In article <F9******************************@comcast.com>, Jerry Stuckle says...

The way I prefer is to store it in the session. Just call session_start() at
the beginning of each page where you need sessions (before ANY output -
including whitespace - is generated) and store it in the session, i.s.

<?php
start_session();
(perhaps other stuff here, i.e. validation code)
$_SESSION['delete'] = $_POST['delete'];
?>

Then the next time through you can get it from $_SESSION['delete'].



Sorry about the function name. I guess I shouldn't post before my first pot of
coffee :-).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
May 21 '06 #8

This discussion thread is closed

Replies have been disabled for this discussion.