
From $_POST to database?


clay1


I've got a form with about 30 elements. A mix of text fields, drop downs, check boxes, radio buttons.

 

How do I get my data from the $_POST array to my database in a way that is safe and secure?

 

This problem has been frustrating me for a week now. I've been unable to find answers that make any sense to me for something that seems like it should be a common process.

 

I am using PostgreSQL.

 

From what I have found, it seems like I want to use 'prepared statements' to prevent SQL injection, but other than the PHP manual for pg_prepare or pg_query_params I can't find anything about how to actually do this in the real world.

 

Except for about 5 elements, all the questions on the form are optional.

 

I am fairly stupid about this topic so a great deal of hand holding would be appreciated because as I get more frustrated the more useless I am becoming at solving my problem.

 

Link to comment
Share on other sites

I don't have a lot of experience with PostgreSQL, but it's not very different from MySQL. You would gather the data in clean variables (PostgreSQL probably has an internal function kind of like MySQL's mysql_real_escape_string()). From there you would form a query and load it into the database. If you're using a framework there may be some built-in classes to handle that for you. Post some of the code you're using here.

Link to comment
Share on other sites

Businessman:

 

It's the forming of the query I am having trouble with.

 

I've read I can use pg_escape_string (the pg equivalent).

 

$_POST = array_map('pg_escape_string', $_POST);

 

Then what would I do? I read 'use pg_prepare' to make the statement.. but I have no idea what I need to do for that for an insert.

 

pg_insert kind of worked, but I have problems when any of the checkboxes are selected and get 'pg_insert expects scalar values'.

 

Sorry if I am not making much sense. My brain is all over the place.

 

As for posting some code.. I've pretty much scrapped everything I had, which was really nothing more than just playing around with the post data and trying to validate it (my issues with that are documented in other similarly exasperated posts).

Link to comment
Share on other sites

Wait, what? Are you just trying to get whatever was typed in the form? Then you just need to give a name to all the inputs in the form.

For example:

<input type="text" name="name1">

Then to get the $_POST you would just use $_POST['name1']. Of course, the form would have to be method=post. Is this not what you want?

Link to comment
Share on other sites

[quote author=MatthewJ]
As far as the query failing if the field is not selected: how about you use a simple isset() on that form field, and if it is not, then insert a default value or leave it out of the query altogether?
[/quote]

 

The problem isn't when something is missing, it's when it's included.

 

if ($_POST) {
    array_pop($_POST); // removes $_POST['submit'] from array
    // Escape every submitted value
    $_POST = array_map('pg_escape_string', $_POST);
    include('./includes/config.php'); // expected to set up $conn
    // Insert the whole array into the 'leads' table, keyed by field name
    $res = pg_insert($conn, 'leads', $_POST);
    if ($res) {
        echo "POST data is successfully logged\n";
    } else {
        echo "User must have sent wrong inputs\n";
    }
}

 

I seem to have fixed the 'scalar values' error, as the inserts are working with the checkboxes.

 

I need to serialize the data though as I am getting 'array' in my database?

 

So I guess the question now is: how do I serialize the array contained inside the $_POST array?

 

Something like?

 

foreach ($_POST as $key => $value) {
    // Checkbox groups arrive as nested arrays; store each as one serialized string
    if (is_array($value)) {
        $_POST[$key] = serialize($value);
    }
}

 

 

 

Link to comment
Share on other sites
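
The approach the thread is reaching for, as an added example that is not part of any post: a whitelist of expected fields builds a parameterized INSERT for pg_query_params, so optional fields are simply left out and checkbox arrays are stored as JSON text. The column names are hypothetical; `leads` and `$conn` are taken from the code posted above.

```php
<?php
// Added example (not from the thread); column names are hypothetical.
// Whitelist of form fields that map to columns: name => is it required?
const LEAD_FIELDS = [
    'first_name' => true,
    'email'      => true,
    'phone'      => false,
    'interests'  => false, // checkbox group, submitted as interests[]
];

// Returns [$sql, $params] for pg_query_params(). Values never enter the SQL text.
function build_lead_insert(array $post): array
{
    $cols = $marks = $params = [];
    foreach (LEAD_FIELDS as $field => $required) {
        $value = $post[$field] ?? null;
        if (is_array($value)) {
            // Checkbox arrays become one JSON string (used here in place of serialize()).
            $value = array_values(array_filter($value, 'is_string'));
            $value = $value ? json_encode($value) : null;
        } elseif (is_string($value)) {
            $value = trim($value);
        }
        if ($value === null || $value === '') {
            if ($required) {
                throw new InvalidArgumentException("Missing required field: $field");
            }
            continue; // optional and empty: omit the column so it stays NULL/default
        }
        $cols[]   = '"' . $field . '"';          // identifier comes from the whitelist only
        $marks[]  = '$' . (count($params) + 1);  // positional placeholder: $1, $2, ...
        $params[] = $value;
    }
    $sql = 'INSERT INTO leads (' . implode(', ', $cols) . ') VALUES (' . implode(', ', $marks) . ')';
    return [$sql, $params];
}

// Constructed sample standing in for $_POST; 'submit' and 'is_admin' are not whitelisted.
$samplePost = [
    'first_name' => "O'Brien",
    'email'      => 'rob@example.com',
    'interests'  => ['news', 'offers'],
    'submit'     => 'Send', 'is_admin' => 't',
];
[$sql, $params] = build_lead_insert($samplePost);
echo $sql, "\n", json_encode($params), "\n";
if (isset($conn)) { // $conn: the connection set up in config.php, as in the thread
    $res = pg_query_params($conn, $sql, $params);
}
```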
