Still Learning

[cbrooks]

Ok, I have a bunch of pages that are working as desired. Reading/displaying info from database. Have a new form where user enters data and then on 'Submit' it digest the data and either inserts a new record or updates an older record.

 

So what is the easiest (and best) method to comfirm that the user 'Does Really' want to update data that is already on file.

 

My initail thought was to use a JavaScript 'confirm(message)' popup, if this is the way to go, how do you pass the return value from the 'confirm(message)' back to your PHP page?

[mikesta707]

http://www.tizag.com/javascriptT/javascriptconfirm.php

 

The confirm box already returns true of false, you could could just do something like

 

<input type="submit" onSubmit="confirm('update stuff?')" />

[cbrooks]

OK, this is what I came up with:

 

First the javascript function:

<code>

function testit(Param, id1, id2, id3){

var message ="Are you sure that you want to change the current data?\n" +

            "Click OK to proceed or Cancel to abort?";

            answer = confirm(message);

window.location.href = "tshowconfirm.php?which=" + answer + "&picked=" + Param + "&id1=" + id1 + "&id2=" + id2 + "&id3=" + id3;

}

</code>

 

 

Next the data input:

<code>

<?php

      echo "<td><select name=\"maybe\" id=\"maybe\" onchange=\"testit(this.value, '{$user}', '{$company}', '{$ship_to_nbr}');\">";

?>

</code>

 

and the output from tshowconfirm.php:

<code>

<?php

  $update_t_f=$_GET['which'];

  $selection=$_GET['picked'];

  $user = $_GET['id1'];

  $company = $_GET['id2'];

  $shiptonbr = $_GET['id3'];

  echo "Update Table : ".$update_t_f."<br />";

  echo "Selection is: ".$selection."<br />";

  echo "User is : ".$user."<br />";

  echo "Company is : ".$company."<br />";

  echo "Shipping is : ".$shiptonbr."<br />";

  ?>

 

It does work, allows me to input my data, calls the javascript code, then relays 'answer' with data to either update or save to the next php script for final action

 

May not be the prettiest or cleanest code, but for a test it works for me.

[mikesta707]

That is very vulnerable to a whole slew of security risks, but I'm glad it works. However, you could just do

answer = confirm(message);
if (answer){
window.location.href = "tshowconfirm.php?which=" + answer + "&picked=" + Param + "&id1=" + id1 + "&id2=" + id2 + "&id3=" + id3;
}

instead so that the user can stay on the page if he chooses to abort, instead of being taken to that page.

 

[cbrooks]

I understand on the if (answer) {

 

OK, since I'm 'Still Learning' do you mind taking a few minutes and pointing out some of the security risks?

 

The code that I showed was just something simple to allow me to test/learn passing variables back and forth between JavaScript and PHP, not the actual code that I am using in my actual pages.

[mikesta707]

well, you didn't sanitize your variables at all, so your vulnerable to sql injection there. Just use mysql_real_escape_strings() on any post or get variables and you should be ok