|
|
Posted by ST on 02/01/08 15:41
On Feb 1, 12:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> C. (http://symcbean.blogspot.com/) wrote:
> > On 1 Feb, 09:25, a_f_kono <f...@kono.de> wrote:
> >> On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
>
> >>> Got a weird problem and wondered if the people here had ever seen
> >>> similar.
> >>> I have an internal website that is PHP based. One of the form submit
> >>> has tons of fields, so to simplify the updating/inserting of records
> >>> (and long term management of the page) I go through the request (HTTP
> >>> POST/GET) variables and create an sql statement based on the data.
> >>> This means if I add a new database field I can just add the form field
> >>> on the page and I do not have to alter the database code.
> >>> However now and again a random form field will turn up that is not on
> >>> the original page. The latest is "sageamp". I have had "s_vnum" and
> >>> "SITESERVER". They look to be related to cookies - eg sageamp seems
> >>> to be related to web analysis. These form fields are unrelated to the
> >>> actual PHP code that generates the HTML form - the form fields just
> >>> appear on the page.
> >>> If the problem occurs I clear the cache (including cookies) and the
> >>> problem goes away for a while. This only occurs in Firefox, however
> >>> if I replicated the browsing that firefox has been up to in IE it may
> >>> also happen.
> >>> The code for doing the DB update, if you are interested (nothing to
> >>> do with the problem I am sure) is:
> >>> (note - you can see where I have put exceptions in for the phantom
> >>> form fields to allow the code to work - I have since found out that
> >>> clearing the cache stops the fields from appearing).
> >>> while(list($key,$val) = each ($_REQUEST))
> >>> {
> >>> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> >>> {
> >>> $sql .= " `$key` = '".addslashes($val)."', ";
> >>> }
> >>> }
> >>> Any help appreciated!
> >> Don't use $_REQUEST, use $_POST (or $_GET).
> >> An even more secure approach is to use array notation in this form:
> >> <input type="text" name="form[name]" />
> >> Then You will get an easy to read $_POST-Array with:
> >> $_POST['form']
> >> and Your iteration will be much easier:
> >> while(list($key,$val) = each ($_POST['form'])) ...
> >> without any exceptions
>
> >> Code like
> >> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>
> >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
> >> always indicates a wrong approach!
>
> >> Greetings
> >> Andy
>
> > You could do an array_merge on $_POST and $_GET or an array_diff withe
> > $_REQUEST and $_COOKIE, and $_ENV.
>
> Why, for gawd's sake?
>
> > Or you could do a DESC $tablename and just add the $_REQUEST keys
> > which match.
>
> > C.
>
> Even worse!
>
I can live with the problem I think but I'd like to know where the
form fields are coming from! The code is not the best - I accept that
however it is internal use only (only used by max 3 people) and only
falls over once a month or so. The <> && exclusions are my work
however so Ill put my hand up!
Navigation:
[Reply to this message]
|