Jump to content

Explode on buttons, is it safe?


NoobLaPHP
Go to solution Solved by Psycho,

Recommended Posts

$liked = explode(":", $_POST[submit]);

if($liked[0] == "like"){

//Select from database where id is $liked[1]

}

<input type="image" src="images/arrowup.gif" name="submit" value="like:<? echo $right->id; ?>"/>

 

Ok, so i have made a forum and i have a like function running on the comments of a post. I needed to find a way when the image was clicked it updated the database. So i experimented and came up with the solution above having it explode the value of the button to read if it was press and get the id. It works perfectly but i just want to be convinced it is safe.

Link to comment
Share on other sites

I don't understand. Why is there a ':' in the submitted value? I am assuming that the image is sending the data via an AJAX request rather than the image being a submit button. So, why not have the data sent as a single name/value pair with the name being something more obvious such as 'like'?

 

 

if(isset($_POST['like']))
{
    $likedID = intval($_POST['like']);
}
Link to comment
Share on other sites

it is a trivial thing to change the value of an input field, regardless of what type it is. You need to make sure that $liked[1] contains an expected value, same as any other value coming from a request.

It requires both items to be filled. If either is empty it shows nothing

 

if($liked[0] == "like"){

if(!$liked[1]){

//Do nothing

}else{

 

//Select from database where id is $liked[1]

}

}

Link to comment
Share on other sites

 

I don't understand. Why is there a ':' in the submitted value? I am assuming that the image is sending the data via an AJAX request rather than the image being a submit button. So, why not have the data sent as a single name/value pair with the name being something more obvious such as 'like'?

if(isset($_POST['like']))
{
    $likedID = intval($_POST['like']);
}

I don't fully understand ajax, i'm still learning all this. I have done it using php. The value gets the like part and also the id for the post to like so it will be like like:387

 

if the php reads the like, it then reads the id where it updates the database

 

 

 

$replyid = mysql_real_escape_string(addslashes(strip_tags($liked[1])));

 

mysql_query("UPDATE replies SET likes='...' WHERE id='$replyid'");

 

etc, any help is good. It helps learn

Edited by NoobLaPHP
Link to comment
Share on other sites

  • Solution

OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array:

 

 

<input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/>

 

 

if(isset($_POST['like']))
{
    //User submitted one or more likes
    foreach($_POST['like'] as $likeID)
    {
        //Perform whatever operations you want based upon the ids passes
        $likeID = intval($likeID);
    }
}

 

Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed.

Link to comment
Share on other sites

OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array:

<input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/>
if(isset($_POST['like']))
{
    //User submitted one or more likes
    foreach($_POST['like'] as $likeID)
    {
        //Perform whatever operations you want based upon the ids passes
        $likeID = intval($likeID);
    }
}

Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed.

It's sending the id through as 32. 71. 10 Not sure what i've done or haven't done. All i did was fill in the blanks

Link to comment
Share on other sites

OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array:

<input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/>
if(isset($_POST['like']))
{
    //User submitted one or more likes
    foreach($_POST['like'] as $likeID)
    {
        //Perform whatever operations you want based upon the ids passes
        $likeID = intval($likeID);
    }
}

Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed.

You sir, are awesome! after a few tweaks, i managed to fix it and get it working as it should. Thank you.

Link to comment
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.