Posted by Jerry Stuckle on 02/01/08 12:42
C. (http://symcbean.blogspot.com/) wrote:
 > On 1 Feb, 09:25, a_f_kono <f...@kono.de> wrote:
 >> On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
 >>
 >>> Got a weird problem and wondered if the people here had ever seen
 >>> similar.
 >>> I have an internal website that is PHP based.  One of the form submits
 >>> has tons of fields, so to simplify the updating/inserting of records
 >>> (and long term management of the page) I go through the request (HTTP
 >>> POST/GET) variables and create an sql statement based on the data.
 >>> This means if I add a new database field I can just add the form field
 >>> on the page and I do not have to alter the database code.
 >>> However now and again a random form field will turn up that is not on
 >>> the original page.  The latest is "sageamp".  I have had "s_vnum" and
 >>> "SITESERVER".  They look to be related to cookies - eg sageamp seems
 >>> to be related to web analysis.  These form fields are unrelated to the
 >>> actual PHP code that generates the HTML form - the form fields just
 >>> appear on the page.
 >>> If the problem occurs I clear the cache (including cookies) and the
 >>> problem goes away for a while.  This only occurs in Firefox, however
 >>> if I replicated the browsing that Firefox has been up to in IE it may
 >>> also happen.
 >>> The code for doing the DB update,  if you are interested (nothing to
 >>> do with the problem I am sure) is:
 >>> (note - you can see where I have put exceptions in for the phantom
 >>> form fields to allow the code to work - I have since found out that
 >>> clearing the cache stops the fields from appearing).
 >>>             while(list($key,$val) = each ($_REQUEST))
 >>>                 {
 >>>                 if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
 >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
 >>>                 {
 >>>                         $sql .= " `$key` = '".addslashes($val)."', ";
 >>>                 }
 >>>                 }
 >>> Any help appreciated!
 >> Don't use $_REQUEST, use $_POST (or $_GET).
 >> An even more secure approach is to use array notation in this form:
 >> <input type="text" name="form[name]" />
 >> Then you will get an easy to read $_POST-Array with:
 >> $_POST['form']
 >> and your iteration will be much easier:
 >> while(list($key,$val) = each ($_POST['form'])) ...
 >> without any exceptions
 >>
 >> Code like
 >> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
 >>
 >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
 >> always indicates a wrong approach!
 >>
 >> Greetings
 >> Andy
 >
 > You could do an array_merge on $_POST and $_GET or an array_diff with
 > $_REQUEST and $_COOKIE, and $_ENV.
 >
 
 Why, for gawd's sake?
 
 > Or you could do a DESC $tablename and just add the $_REQUEST keys
 > which match.
 >
 > C.
 >
 
 Even worse!
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
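
An added example, not part of the thread: one way to combine the `form[...]` naming suggested in the quoted reply with a fixed column allowlist and bound parameters, so that cookie-derived keys such as `sageamp` or `SITESERVER` never reach the statement. The `records` table, its columns and the sample input are assumptions constructed for illustration; it needs PHP 7.1+ with the pdo_sqlite extension.

```php
<?php
// Added example: build an UPDATE from a namespaced form array.
// Table name, column names and sample data are hypothetical.
const ALLOWED_COLUMNS = ['name', 'email', 'phone'];

// Returns [sql, params, rejectedKeys] for the submitted fields.
function buildUpdate(array $form, int $id): array
{
    $sets = [];
    $params = [':id' => $id];
    $rejected = [];
    foreach ($form as $key => $val) {
        // Keys come from the client; only exact allowlist matches become SQL.
        if (!is_string($key) || !in_array($key, ALLOWED_COLUMNS, true) || !is_scalar($val)) {
            $rejected[] = $key;
            continue;
        }
        $sets[] = "$key = :$key";          // column name taken from the allowlist
        $params[":$key"] = (string) $val;  // value is bound, never concatenated
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields submitted');
    }
    return ['UPDATE records SET ' . implode(', ', $sets) . ' WHERE id = :id', $params, $rejected];
}

// Constructed input standing in for $_POST['form'], polluted with stray keys.
$form = [
    'name'    => "O'Brien",
    'email'   => 'ob@example.test',
    'sageamp' => '1',        // phantom field named in the thread
    's_vnum'  => '12345',    // phantom field named in the thread
    'bad`key' => 'x',        // a key the original loop would paste in unescaped
];

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT)');
$pdo->exec('INSERT INTO records (id) VALUES (1)');

[$sql, $params, $rejected] = buildUpdate($form, 1);
$pdo->prepare($sql)->execute($params);
echo $sql, PHP_EOL;
echo 'rejected keys: ', json_encode($rejected), PHP_EOL;
print_r($pdo->query('SELECT * FROM records')->fetch(PDO::FETCH_ASSOC));
```

Logging the rejected keys instead of silently dropping them also shows which stray parameters are arriving and from where.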