Re: PHP form field oddness!

Posted by ST on 02/02/08 01:28

On Feb 1, 3:55 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> ST wrote:
> > On Feb 1, 12:42 pm, Jerry Stuckle <jstuck...@attglobal.net> wrote:
> >> C. (http://symcbean.blogspot.com/) wrote:
> >>> On 1 Feb, 09:25, a_f_kono <f...@kono.de> wrote:
> >>>> On Feb 1, 8:42 am, ST <simon.top...@googlemail.com> wrote:
> >>>>> Got a weird problem and wondered if the people here had ever seen
> >>>>> similar.
> >>>>> I have an internal website that is PHP based. One of the form submits
> >>>>> has tons of fields, so to simplify the updating/inserting of records
> >>>>> (and long-term management of the page) I go through the request (HTTP
> >>>>> POST/GET) variables and create an SQL statement based on the data.
> >>>>> This means if I add a new database field I can just add the form field
> >>>>> on the page and I do not have to alter the database code.
> >>>>> However, now and again a random form field will turn up that is not on
> >>>>> the original page. The latest is "sageamp". I have had "s_vnum" and
> >>>>> "SITESERVER". They look to be related to cookies - e.g. sageamp seems
> >>>>> to be related to web analysis. These form fields are unrelated to the
> >>>>> actual PHP code that generates the HTML form - the form fields just
> >>>>> appear on the page.
> >>>>> If the problem occurs I clear the cache (including cookies) and the
> >>>>> problem goes away for a while. This only occurs in Firefox; however,
> >>>>> if I replicated the browsing that Firefox has been up to in IE it may
> >>>>> also happen.
> >>>>> The code for doing the DB update, if you are interested (nothing to
> >>>>> do with the problem, I am sure), is:
> >>>>> (note - you can see where I have put exceptions in for the phantom
> >>>>> form fields to allow the code to work - I have since found out that
> >>>>> clearing the cache stops the fields from appearing).
> >>>>> foreach ($_REQUEST as $key => $val)
> >>>>> {
> >>>>>     // skip the submit buttons, session id and the "phantom" fields
> >>>>>     if ($key <> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <> "PHPSESSID"
> >>>>>         && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> >>>>>     {
> >>>>>         $sql .= " `$key` = '" . addslashes($val) . "', ";
> >>>>>     }
> >>>>> }
> >>>>> Any help appreciated!
> >>>> Don't use $_REQUEST, use $_POST (or $_GET).
> >>>> An even more secure approach is to use array notation in this form:
> >>>> <input type="text" name="form[name]" />
> >>>> Then you will get an easy-to-read $_POST array with:
> >>>> $_POST['form']
> >>>> and your iteration will be much easier:
> >>>> foreach ($_POST['form'] as $key => $val) ...
> >>>> without any exceptions.
> >>>> Code like
> >>>> $key <> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> >>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
> >>>> always indicates a wrong approach!
> >>>> Greetings
> >>>> Andy
> >>> You could do an array_merge on $_POST and $_GET, or an array_diff with
> >>> $_REQUEST and $_COOKIE and $_ENV.
> >> Why, for gawd's sake?
>
> >>> Or you could do a DESC $tablename and just add the $_REQUEST keys
> >>> which match.
> >>> C.
> >> Even worse!
>
> > I can live with the problem, I think, but I'd like to know where the
> > form fields are coming from! The code is not the best, I accept that;
> > however, it is internal use only (only used by max 3 people) and only
> > falls over once a month or so. The <> && exclusions are my work,
> > however, so I'll put my hand up!
>
> Then use $_POST, not $_REQUEST. $_REQUEST could be coming from $_POST,
> $_GET or $_COOKIE. And if it's the last one, it could have been set by
> any page on your server.
>
> $_REQUEST is not a good one to use.

Ohh, that is interesting; I did not know about $_COOKIE being included
in $_REQUEST. I'll make sure I use $_POST in future, as it is very
unlikely I will use GET variables for this purpose.

Thanks for your input.
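The hardening the replies point to (read $_POST only, drop the exclusion list, and never splice a submitted key into the SQL) as an added example. This is not code from the thread; the table name `records`, the id column `id` and the column list are assumed for illustration, and the sample input standing in for $_POST is constructed.

```php
<?php
// Added example, not from the thread. Builds the UPDATE from an explicit
// list of writable columns and a prepared statement, instead of looping
// over $_REQUEST and interpolating keys and addslashes()'d values.

// Columns the form is allowed to write. Assumed names for illustration.
const ALLOWED_COLUMNS = ['name', 'email', 'notes'];

/**
 * Build a parameterised UPDATE from submitted fields.
 * Only keys listed in $allowed are used; every other key (submit buttons,
 * PHPSESSID, analytics cookies that leaked in via $_REQUEST, or an
 * attacker-chosen field name) is ignored rather than excluded one by one.
 * Returns [sql, params], or null when nothing updatable was submitted.
 */
function buildUpdate(string $table, string $idColumn, int $id, array $input, array $allowed): ?array
{
    $sets = [];
    $params = [];
    foreach ($allowed as $column) {
        // Iterate over OUR column list, never over the submitted keys.
        if (!array_key_exists($column, $input) || !is_string($input[$column])) {
            continue;
        }
        $sets[] = "`$column` = :$column";
        $params[":$column"] = $input[$column];
    }
    if ($sets === []) {
        return null;
    }
    $params[':id'] = $id;
    $sql = sprintf('UPDATE `%s` SET %s WHERE `%s` = :id', $table, implode(', ', $sets), $idColumn);
    return [$sql, $params];
}

/**
 * Runs the builder against an in-memory SQLite table (assumed schema) with
 * a constructed $_POST-like array and returns the row after the update.
 */
function demo(): array
{
    // Constructed input standing in for $_POST. 'sageamp' and 'Submit' are
    // the kind of stray keys the thread describes; the last key is a
    // field name crafted to break out of the backticks in the old loop.
    $post = [
        'name'            => "O'Brien",
        'email'           => 'ob@example.test',
        'sageamp'         => 'tracking-cookie-value',
        'Submit'          => 'Save',
        "x` = 1, `role"   => 'admin',
    ];

    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE records (id INTEGER PRIMARY KEY, name TEXT, email TEXT, notes TEXT, role TEXT)');
    $pdo->exec("INSERT INTO records (id, name, email, notes, role) VALUES (1, 'old', 'old@example.test', 'n', 'user')");

    [$sql, $params] = buildUpdate('records', 'id', 1, $post, ALLOWED_COLUMNS);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);

    // 'role' stays 'user': the crafted key was never consulted, and the
    // apostrophe in O'Brien is handled by the driver, not by addslashes().
    return $pdo->query('SELECT name, email, notes, role FROM records WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
}

print_r(demo());
```

Two points worth keeping in mind when applying this. First, whether cookies land in $_REQUEST at all depends on PHP's `request_order` setting: when it is empty, `variables_order` (built-in default "EGPCS") applies and a cookie overrides a POST field of the same name, while `php.ini-production` sets `request_order = "GP"`, which leaves cookies out. Second, switching to $_POST removes the phantom cookie keys but does not by itself fix the original loop: the submitted key is still attacker-controlled and goes into the SQL as an identifier, so the fix is to iterate over the code's own column list, as above, and to bind the values.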
