|
|
Posted by C. (http://symcbean.blogspot.com/) on 02/01/08 12:41
On 1 Feb, 09:25, a_f_kono <f...@kono.de> wrote:
> On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
>
>
>
> > Got a weird problem and wondered if the people here had ever seen
> > similar.
>
> > I have an internal website that is PHP based. One of the form submit
> > has tons of fields, so to simplify the updating/inserting of records
> > (and long term management of the page) I go through the request (HTTP
> > POST/GET) variables and create an sql statement based on the data.
> > This means if I add a new database field I can just add the form field
> > on the page and I do not have to alter the database code.
>
> > However now and again a random form field will turn up that is not on
> > the original page. The latest is "sageamp". I have had "s_vnum" and
> > "SITESERVER". They look to be related to cookies - eg sageamp seems
> > to be related to web analysis. These form fields are unrelated to the
> > actual PHP code that generates the HTML form - the form fields just
> > appear on the page.
>
> > If the problem occurs I clear the cache (including cookies) and the
> > problem goes away for a while. This only occurs in Firefox, however
> > if I replicated the browsing that firefox has been up to in IE it may
> > also happen.
>
> > The code for doing the DB update, if you are interested (nothing to
> > do with the problem I am sure) is:
>
> > (note - you can see where I have put exceptions in for the phantom
> > form fields to allow the code to work - I have since found out that
> > clearing the cache stops the fields from appearing).
>
> > while(list($key,$val) = each ($_REQUEST))
> > {
>
> > if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> > "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> > {
> > $sql .= " `$key` = '".addslashes($val)."', ";
> > }
>
> > }
>
> > Any help appreciated!
>
> Don't use $_REQUEST, use $_POST (or $_GET).
> An even more secure approach is to use array notation in this form:
> <input type="text" name="form[name]" />
> Then You will get an easy to read $_POST-Array with:
> $_POST['form']
> and Your iteration will be much easier:
> while(list($key,$val) = each ($_POST['form'])) ...
> without any exceptions
>
> Code like
> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>
> > "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
>
> always indicates a wrong approach!
>
> Greetings
> Andy
You could do an array_merge on $_POST and $_GET or an array_diff withe
$_REQUEST and $_COOKIE, and $_ENV.
Or you could do a DESC $tablename and just add the $_REQUEST keys
which match.
C.
Navigation:
[Reply to this message]
|