Populating form from database, then passing results to next page

Re: Populating form from database, then passing results to nextpage

On Wed, 2006-04-05 at 19:55 -0400, JackM wrote:[color=blue]
> I have a multiple select input in a form that's being populated by a row
> from my database as such:
> <input type=\"checkbox \" name=\"subm[]\" value=\"$row[ID]\">
>
> That part is working fine as I can check the displayed page using View
> Source and see that the value is the correct row number from the
> database. It is then being submitted on a form by $_POST method to
> another page where I want to evaluate the checkboxes and display the
> contents of the entire row that corresponds to each value=\"$row[ID]\"
> that have been checked. But I can't seem to get it to work. I'm having a
> problem passing the selected value. Can someone point me in the right
> direction?
>
>
> $query = ("SELECT * FROM `table`");
> $result = mysql_query($qu ery);
>
> print "<p>Data for Selections:";
> print "<table border=2><tr><t h>You chose:";
>[/color]

Try this instead (notice the quotes around array keys):

while($row = mysql_fetch_arr ay($result)) {
if(in_array(str val($row['ID']), $_POST['subm'])) {[color=blue]
> print "<tr><td>";
> print "{$row['ID']}\n";
> print mysql_field_nam e($result, 1) . ": " . $row['name']."<br>";
> print mysql_field_nam e($result, 2) . ": " . $row['address']."<br>";
> print mysql_field_nam e($result, 3) . ": " . $row['city']."<br>";
> print "</td></tr>";
> print "</table>\n";[/color]
}
}[color=blue]
> if (!isset($_POST['subm'])){
> print "<p>No matching entry ";
> }
>
> mysql_close();[/color]

Re: Populating form from database, then passing results to next page

Message-ID: <1144283421.280 6.13.camel@loca lhost.localdoma in> from Scott
contained the following:
[color=blue][color=green]
>> $query = ("SELECT * FROM `table`");
>> $result = mysql_query($qu ery);
>>
>> print "<p>Data for Selections:";
>> print "<table border=2><tr><t h>You chose:";
>>[/color]
>
>Try this instead (notice the quotes around array keys):
>
>while($row = mysql_fetch_arr ay($result)) {
> if(in_array(str val($row['ID']), $_POST['subm'])) {[/color]

Alternatively, just get the rows you want from the database.

$ids=implode(", ",$_POST['subm']);
$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
$result = mysql_query($qu ery);
while($row = mysql_fetch_arr ay($result)) {
//print rows
}
--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/

Re: Populating form from database, then passing results to nextpage

On Thu, 2006-04-06 at 08:43 +0100, Geoff Berrow wrote:[color=blue]
> Message-ID: <1144283421.280 6.13.camel@loca lhost.localdoma in> from Scott
> contained the following:
>[color=green][color=darkred]
> >> $query = ("SELECT * FROM `table`");
> >> $result = mysql_query($qu ery);
> >>
> >> print "<p>Data for Selections:";
> >> print "<table border=2><tr><t h>You chose:";
> >>[/color]
> >
> >Try this instead (notice the quotes around array keys):
> >
> >while($row = mysql_fetch_arr ay($result)) {
> > if(in_array(str val($row['ID']), $_POST['subm'])) {[/color]
>
> Alternatively, just get the rows you want from the database.
>
> $ids=implode(", ",$_POST['subm']);
> $query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
> $result = mysql_query($qu ery);
> while($row = mysql_fetch_arr ay($result)) {
> //print rows
> }[/color]

I like this way better.

Re: Populating form from database, then passing results to next page

Geoff Berrow wrote:
[color=blue]
> Message-ID: <1144283421.280 6.13.camel@loca lhost.localdoma in> from Scott
> contained the following:
>[color=green][color=darkred]
>>> $query = ("SELECT * FROM `table`");
>>> $result = mysql_query($qu ery);
>>>
>>> print "<p>Data for Selections:";
>>> print "<table border=2><tr><t h>You chose:";
>>>[/color]
>>
>>Try this instead (notice the quotes around array keys):
>>
>>while($row = mysql_fetch_arr ay($result)) {
>> if(in_array(str val($row['ID']), $_POST['subm'])) {[/color]
>
> Alternatively, just get the rows you want from the database.
>
> $ids=implode(", ",$_POST['subm']);
> $query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
> $result = mysql_query($qu ery);
> while($row = mysql_fetch_arr ay($result)) {
> //print rows
> }[/color]

Just a security remark:

Is this approach safe for SQL-injection?
Bad guys might send other stuff in the subm-array than numbers...

I am always better safe than sorry, and loop over the results, parse them,
and then feed them to the query.

Something like this:
$id = array();
foreach($_POST["subm"] as $oneNum){
$id[] = (int)$oneNum;
}
$ids = implode(",",$id );
$query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
etc..

A little bit slower probably, but at least the $id[] and the corresponding
$ids string contains only numbers.

Regards,
Erwin Moller

Re: Populating form from database, then passing results to nextpage

Erwin Moller wrote:[color=blue]
> Geoff Berrow wrote:
>
>[color=green]
>>Message-ID: <1144283421.280 6.13.camel@loca lhost.localdoma in> from Scott
>>contained the following:
>>
>>[color=darkred]
>>>>$query = ("SELECT * FROM `table`");
>>>>$result = mysql_query($qu ery);
>>>>
>>>>print "<p>Data for Selections:";
>>>>print "<table border=2><tr><t h>You chose:";
>>>>
>>>
>>>Try this instead (notice the quotes around array keys):
>>>
>>>while($row = mysql_fetch_arr ay($result)) {
>>>if(in_array( strval($row['ID']), $_POST['subm'])) {[/color]
>>
>>Alternatively , just get the rows you want from the database.
>>
>>$ids=implode( ",",$_POST['subm']);
>>$query = ("SELECT * FROM `table` WHERE `ID` IN ($ids)");
>>$result = mysql_query($qu ery);
>>while($row = mysql_fetch_arr ay($result)) {
>>//print rows
>>}[/color]
>
>
> Just a security remark:
>
> Is this approach safe for SQL-injection?
> Bad guys might send other stuff in the subm-array than numbers...
>
> I am always better safe than sorry, and loop over the results, parse them,
> and then feed them to the query.
>
> Something like this:
> $id = array();
> foreach($_POST["subm"] as $oneNum){
> $id[] = (int)$oneNum;
> }
> $ids = implode(",",$id );
> $query = "SELECT * FROM `table` WHERE `ID` IN ($ids)";
> etc..
>
> A little bit slower probably, but at least the $id[] and the corresponding
> $ids string contains only numbers.[/color]

Just a question on this way to further my own learning process. Does the
fact that the $_POST['subm'] array is dynamically done on the previous
page prevent one from using it for injection? It's not something that
requires a user to fill in any text info for. It's only a checkbox that
gets checked.

Incidentally, thanks to Scott and Geoff for their solutions. I used
Scott's as I saw it first, tried it and it works just fine. Much obliged
to both of you and to Erwin as well for the assistance.

Re: Populating form from database, then passing results to next page

Message-ID: <4KednVLqV7JkS6 jZnZ2dnUVZ_sydn Z2d@comcast.com > from JackM
contained the following:
[color=blue][color=green]
>> A little bit slower probably, but at least the $id[] and the corresponding
>> $ids string contains only numbers.[/color]
>
>Just a question on this way to further my own learning process. Does the
>fact that the $_POST['subm'] array is dynamically done on the previous
>page prevent one from using it for injection? It's not something that
>requires a user to fill in any text info for. It's only a checkbox that
>gets checked.[/color]

yes, Erwin is right, user supplied data should ALWAYS be checked before
being used in a query.

There is nothing stopping me downloading your form with checkboxes and
then editing the html to make them send different values. Erwins
solution checks the 'type' of data that is being returned. Other
methods may check that the data is within a range of values that is
acceptable. (for instance you may only want the user to be able to edit
a certain range of ids)

if your id was not an integer you could do this:

foreach($_POST["subm"] as $oneNum){
$id[] = mysql_real_esca pe_string($oneN um);
}

In fact, I can't immediately see why you should not do
$ids=mysql_real _escape_string( implode(",",$_P OST['subm']));

as in my original solution.

Anyone see a problem with that?

--
Geoff Berrow (put thecat out to email)
It's only Usenet, no one dies.
My opinions, not the committee's, mine.
Simple RFDs http://www.ckdog.co.uk/rfdmaker/