Posted by a_f_kono on 02/01/08 09:25
On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
> Got a weird problem and wondered if the people here had ever seen
> similar.
>
> I have an internal website that is PHP based. One of the form submit
> has tons of fields, so to simplify the updating/inserting of records
> (and long term management of the page) I go through the request (HTTP
> POST/GET) variables and create an sql statement based on the data.
> This means if I add a new database field I can just add the form field
> on the page and I do not have to alter the database code.
>
> However now and again a random form field will turn up that is not on
> the original page. The latest is "sageamp". I have had "s_vnum" and
> "SITESERVER". They look to be related to cookies - eg sageamp seems
> to be related to web analysis. These form fields are unrelated to the
> actual PHP code that generates the HTML form - the form fields just
> appear on the page.
>
> If the problem occurs I clear the cache (including cookies) and the
> problem goes away for a while. This only occurs in Firefox, however
> if I replicated the browsing that firefox has been up to in IE it may
> also happen.
>
> The code for doing the DB update, if you are interested (nothing to
> do with the problem I am sure) is:
>
> (note - you can see where I have put exceptions in for the phantom
> form fields to allow the code to work - I have since found out that
> clearing the cache stops the fields from appearing).
>
> while(list($key,$val) = each ($_REQUEST))
> {
>     if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>         "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
>     {
>         $sql .= " `$key` = '".addslashes($val)."', ";
>     }
> }
>
> Any help appreciated!
Don't use $_REQUEST, use $_POST (or $_GET).
An even more secure approach is to use array notation in this form:
<input type="text" name="form[name]" />
Then you will get an easy-to-read $_POST array with:
$_POST['form']
and your iteration will be much easier:
while(list($key,$val) = each ($_POST['form'])) ...
without any exceptions
Code like
$key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
"PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
always indicates a wrong approach!
Greetings
Andy
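The approach Andy describes, worked out as an added example (not code from either poster): the form fields live under form[...], only an allowlisted set of column names may reach the SQL, and values go through placeholders instead of addslashes(). Table name, column names, the sample request and the $pdo handle are all assumptions.

```php
<?php
// Constructed sample request, standing in for $_POST: the "form[...]" inputs
// plus the phantom keys from the original post. Because only $post['form'] is
// iterated, Submit/SITESERVER (and anything $_REQUEST would pull from cookies)
// are never even seen by the update code.
$post = [
    'form'       => ['name' => "O'Brien", 'email' => 'ob@example.org', 'role' => 'admin'],
    'Submit'     => 'Save',
    'SITESERVER' => 'ID=abc',
];

// Allowlist of columns this form is permitted to write (hypothetical names).
// A submitted key that is not listed here is dropped and logged, so a crafted
// field name can never become a column identifier in the statement.
$allowedColumns = ['name', 'email'];

function buildUpdate(array $form, array $allowed, int $id): array
{
    $sets   = [];
    $params = [':id' => $id];
    foreach ($form as $key => $val) {
        if (!in_array($key, $allowed, true)) {
            error_log("ignoring unexpected form field: $key");
            continue;
        }
        // The column name is known-good (it came from the allowlist); the
        // value is bound as a parameter, so quoting is the driver's job.
        $sets[]          = "`$key` = :$key";
        $params[":$key"] = $val;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no writable fields submitted');
    }
    $sql = 'UPDATE `contacts` SET ' . implode(', ', $sets) . ' WHERE `id` = :id';
    return [$sql, $params];
}

// 'role' is silently dropped here because it is not in $allowedColumns.
list($sql, $params) = buildUpdate($post['form'] ?? [], $allowedColumns, 42);

// Assumed PDO connection; execute() binds the values from $params.
// $pdo  = new PDO('mysql:host=localhost;dbname=app', $user, $pass);
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```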