Posted by Jerry Stuckle on 02/01/08 15:55
ST wrote:
> On Feb 1, 12:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>>> On 1 Feb, 09:25, a_f_kono <f...@kono.de> wrote:
>>>> On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
>>>>> Got a weird problem and wondered if the people here had ever seen
>>>>> similar.
>>>>> I have an internal website that is PHP based. One of the form submit
>>>>> has tons of fields, so to simplify the updating/inserting of records
>>>>> (and long term management of the page) I go through the request (HTTP
>>>>> POST/GET) variables and create an sql statement based on the data.
>>>>> This means if I add a new database field I can just add the form field
>>>>> on the page and I do not have to alter the database code.
>>>>> However now and again a random form field will turn up that is not on
>>>>> the original page. The latest is "sageamp". I have had "s_vnum" and
>>>>> "SITESERVER". They look to be related to cookies - eg sageamp seems
>>>>> to be related to web analysis. These form fields are unrelated to the
>>>>> actual PHP code that generates the HTML form - the form fields just
>>>>> appear on the page.
>>>>> If the problem occurs I clear the cache (including cookies) and the
>>>>> problem goes away for a while. This only occurs in Firefox, however
>>>>> if I replicated the browsing that firefox has been up to in IE it may
>>>>> also happen.
>>>>> The code for doing the DB update, if you are interested (nothing to
>>>>> do with the problem I am sure) is:
>>>>> (note - you can see where I have put exceptions in for the phantom
>>>>> form fields to allow the code to work - I have since found out that
>>>>> clearing the cache stops the fields from appearing).
>>>>> while(list($key,$val) = each ($_REQUEST))
>>>>> {
>>>>> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
>>>>> {
>>>>> $sql .= " `$key` = '".addslashes($val)."', ";
>>>>> }
>>>>> }
>>>>> Any help appreciated!
>>>> Don't use $_REQUEST, use $_POST (or $_GET).
>>>> An even more secure approach is to use array notation in this form:
>>>> <input type="text" name="form[name]" />
>>>> Then You will get an easy to read $_POST-Array with:
>>>> $_POST['form']
>>>> and Your iteration will be much easier:
>>>> while(list($key,$val) = each ($_POST['form'])) ...
>>>> without any exceptions
>>>> Code like
>>>> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
>>>> always indicates a wrong approach!
>>>> Greetings
>>>> Andy
>>> You could do an array_merge on $_POST and $_GET or an array_diff with
>>> $_REQUEST and $_COOKIE, and $_ENV.
>> Why, for gawd's sake?
>>
>>> Or you could do a DESC $tablename and just add the $_REQUEST keys
>>> which match.
>>> C.
>> Even worse!
>>
>
> I can live with the problem I think but I'd like to know where the
> form fields are coming from! The code is not the best - I accept that
> however it is internal use only (only used by max 3 people) and only
> falls over once a month or so. The <> && exclusions are my work
> however so I'll put my hand up!
>
Then use $_POST, not $_REQUEST. $_REQUEST could be coming from $_POST,
$_GET or $_COOKIE. And if it's the last one, it could have been set by
any page on your server.
$_REQUEST is not a good one to use.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
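The thread's underlying risk is that the loop turns every request key into a column name: with cookies merged into $_REQUEST, tracking cookies such as s_vnum become "phantom" fields, and because addslashes() does nothing about backticks, any key a client chooses is spliced straight into the SQL text. The following is an added example, not code from the thread, that combines Andy's form[...] array notation with Jerry's "read $_POST only" advice and adds the one thing neither reply spells out: an allow-list of columns plus bound parameters. The table name, the column list and the sample request data are constructed for the example.

```php
<?php
// Added example (not from the thread). The $post/$cookie arrays below are
// constructed stand-ins for what PHP would populate from a real request.
declare(strict_types=1);

// Constructed sample input: the fields the HTML form really emits, using the
// form[...] array notation suggested in the thread ...
$post = [
    'form' => [
        'name'  => "O'Brien",
        'email' => 'obrien@example.com',
    ],
    'Submit' => 'Save',
];
// ... and a tracking cookie that never appeared in the form at all.
$cookie = ['s_vnum' => '1234567890', 'PHPSESSID' => 'abc123'];

// When the cookie source is enabled in request_order/variables_order,
// $_REQUEST is roughly GET, then POST, then COOKIE merged together, later
// sources overwriting earlier ones. Rebuilt here so the effect is visible
// without a web server: this is where the "phantom" keys come from.
$request = array_merge($post, $cookie);

// Allow-list of columns the UPDATE may touch (assumed schema). Any other
// key is dropped, so neither a stray cookie nor a crafted field name such
// as "x` = 1, `admin" ever reaches the SQL text.
const ALLOWED_COLUMNS = ['name', 'email'];

/**
 * Build an UPDATE for $table from the submitted form array.
 * Only allow-listed keys become column names; every value is a named
 * placeholder, so no addslashes() is needed.
 * Returns [$sql, $params] ready for PDOStatement::execute().
 */
function buildUpdate(string $table, array $form, int $id): array
{
    $sets   = [];
    $params = [];
    foreach ($form as $key => $val) {
        if (!in_array($key, ALLOWED_COLUMNS, true)) {
            continue; // unknown key: ignored, never interpolated
        }
        $sets[]           = "`$key` = :$key";
        $params[":$key"]  = $val;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields supplied');
    }
    $params[':id'] = $id;
    return [
        "UPDATE `$table` SET " . implode(', ', $sets) . ' WHERE `id` = :id',
        $params,
    ];
}

// Read the form fields from $post['form'] only, never from $request.
[$sql, $params] = buildUpdate('contacts', $post['form'] ?? [], 42);
echo $sql, PHP_EOL;           // UPDATE `contacts` SET `name` = :name, `email` = :email WHERE `id` = :id
print_r($params);

// For contrast: the keys the original $_REQUEST loop would have turned
// into column names even though the form never sent them.
$phantom = array_diff_key($request, $post);
echo 'keys present only via cookies: ', implode(', ', array_keys($phantom)), PHP_EOL;

// With a live connection the statement is run as:
//   $pdo->prepare($sql)->execute($params);
```

Adding a new database field now means adding it to both the form and ALLOWED_COLUMNS, which is a deliberate two-step change: the list is the only thing standing between request keys and SQL identifiers, so it should not be derived from the request itself (the DESC $tablename idea from the thread would let a client probe for every column the table has).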