Re: PHP form Creates Blank DB entries

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Mon, Jun 30, 2003 at 01:23:17PM -0400, Frank Bax wrote:
[..snipped..]
> $name = $_POST[name];
> $address = $_POST[address];
> $tel = $_POST[tel];
> $email = $_POST[email];
[..snipped..]

this will work OK, but is considered a bad idea, and php will throw a
warning (as it should) that you are accessing a key in an associative array
without properly quoting things.

if you want to do it "properly", try this instead:

$name = $_POST["name"];
$address = $_POST["address"];
$tel = $_POST["tel"];
$email = $_POST["email"];

the above will execute without warnings or errors.

also, I would suggest running each of the variables through a function that
strips out html tags (since you don't really care about allowing them in
this case, right?).. you can do that with strip_tags.. see
http://php.net/strip_tags

there are some other things you should do with user input too, to protect
your code and database from vulnerabilities. in eros, I implemented
something called preparestring(), which, in addition to strip_tags, makes a
call to htmlentities() and a couple other things, just to be *really*
*extra* safe about things, and avoid bugs or problems down the road when
someone does something rude with your form :)

to simplify things, you might want to look into a good templating package..
I prefer smarty: http://smarty.php.net/ but there are other solutions that
do similar things. this allows you to simpllify the php code quite a bit,
and it is quite a bit easier to teach someone that knows HTML how to deal
with a 'template system' vs explaining how to use 'print' or 'echo'
statements to modify things. :)

also, I found it handy to put all the functions that deal with a particular
table into one php module, and then make calls into it via a GET request.

for example:

member.php might contain:

-- begin member.php --
class member
{
  function edit()
  {
    // I've snipped out the variable assignments from above.. you need to
    // make sure you assign something to $name and $address before trying to
    // use the template.

    $s = new Smarty;
    $s->assign("submitmode", "update");
    $s->assign("name", $name);
    $s->assign("address", $address);
    $s->display("member.tmpl");
  }

  function main()
  {
     $mode = $_REQUEST["mode"];
     // $mode = preparestring($mode);
     switch ($mode)
     {
        case "edit":
          $this->edit();
          break;
        default:
          print "unknown mode {$mode}";
          break;
     }
  }
}

$m = new member;
$m->main();
-- end member.php --

then, you make a 'member.tmpl' in the templates directory (see instructions
for smarty) that looks something like this:

-- begin member.tmpl --
<form method="POST" action="member.php">
<input type="hidden" name="mode" value="{$submitmode}">
<input type="text" name="name" value="{$name}">
</form>
-- end member.tmpl --

of course I have left out the submit button and some other fields for
simplicity, but you get the idea. 

note the use of the 'hidden' field called 'mode', which will be processed by
the main() method in the member class instance.

what will happen in my example is that when the user clicks 'submit',
$mode will be equal to 'update', which you can detect by using a 'case'
statement. that means you can have as many 'mode's as you want, and you will
find that you use certain ones over and over and over again, so you can just
cut and paste and then adjust to the specific needs of the table in
question.

for example, I usually have 'add', 'insert', 'edit' and 'update' modes and
they all use the same template, just different values for 'submitmode'..  in
the specific case of 'add', you don't fill in values for anything except
submitmode, and leave the rest blank.

from the template, you can access any variable that has been 'assigned' to
the template object instance with assign(), and you quote things with curly
braces just like php suggests you do, which makes it really clear what is
going on without a lot of confusion. once you understand the technique, it
is simplicity itself.

when you want to have a link to 'add member' (aka "new user"), you do
something like:

http://localhost/member.php?mode=add

if you want to present the edit form, use:

http://localhost/member.php?mode=edit

note that 'update' and 'insert' are not normally given to the user as
choices, because they are used internally.. however, if you *want* to
automate a form submission (via a cronjob or whatever) you can do so quite
easily.. you just need to write something that will POST a form and as long
as you fill everything in (and especially mode), you can do it without fuss,
in any language you choose.

regards,
J
-- 
|| Jeff - http://zoidtechnologies.com/
|| GNUPG Fingerprint: A607 0F19 7C75 1305 67E4  BDFF 26BD 606E 3517 2A42


[Index of Archives]     [Postgresql General]     [Postgresql Admin]     [PHP Users]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Databases]     [Yosemite Backpacking]     [Postgresql Jobs]

  Powered by Linux