Overriding $_POST variables?


13 replies to this topic

#1 JustinK101

Posted 28 September 2006 - 11:25 PM

Hello, I am trying to override some of my variables posted via POST.

//Strip commas out of compensation major
$_POST['compensation_major'] = str_replace(",", "", $_POST['compensation_major']);
			
//Convert date from DD/MM/YYYY to YYYY-MM-DD
$_POST['hire_date'] = convert_date_2_mysql_date($_POST['hire_date']);
			
//Strip spaces out of password
$_POST['password'] = str_replace(" ", '', $_POST['password']);
			
//Encrypt password
$_POST['password'] = encrypt($_POST['password'], $GBL_encrypt_key);

I swore I have done this before, but currently it isn't working. I have to actually assign new variables on the left hand of each assignment for it to work. Any ideas why? I would prefer to not make all new variables for each operation, for example, this is bad:


//Strip commas out of compensation major
$comp_major = str_replace(",", "", $_POST['compensation_major']);
			
//Convert date from DD/MM/YYYY to YYYY-MM-DD
$hired = convert_date_2_mysql_date($_POST['hire_date']);
			
//Strip spaces out of password
$pass = str_replace(" ", '', $_POST['password']);
			
//Encrypt password
$newPass = encrypt($pass, $GBL_encrypt_key);

Not only makes code harder and more confusing, but more variable use. Thanks for the help.

#2 JustinK101

Posted 28 September 2006 - 11:29 PM

I found my problem, in my MySQL query I am calling:

INSERT into employees
					(
						title, first_name, last_name, mailing_address, city, state, zip_code, country, email_address, contact_phone,
						hire_date, job_title_occupation, employment_term, compensation_basis, compensation_major, compensation_minor,
						compensation_quant, workers_comp_classification, enrolled_in_benefits, paid_holidays, hours_per_holiday, paid_vacation,
						vacation_hours_per_year, paid_personal, personal_hours_per_year, direct_deposit, number_tax_allowances, username,
						password, date_created, date_last_modified, user_who_created, user_who_last_modified, last_succ_login
					)
					VALUES
					(
						'$title', '$first_name', '$last_name', '$mailing_address', '$city', '$state', '$zip_code', '$country', '$email_address', '$contact_phone',
						'$hire_date', '$job_title_occupation', '$employment_term', '$compensation_basis', '$compensation_major', '$compensation_minor',
						'$compensation_quant', '$workers_comp_classification', '$enrolled_in_benefits', '$paid_holidays', '$hours_per_holiday', '$paid_vacation',
						'$vacation_hours_per_year', '$paid_personal', '$personal_hours_per_year', '$direct_deposit', '$number_tax_allowances', '$username',
						'$password', '" . get_current_date() . "', '" . get_current_date() . "', '" . get_current_username() . "', '" . get_current_username() . "', 'NULL'
					)";

See I am not using the $_POST array, I am relying on REGISTER GLOBALS which is bad, but gosh it saves so much time. Any easier way to rewrite the query instead of going and putting $_POST[' before each variable and closing it with ']? Any tricks out there for lazy people such as myself?

#3 HuggieBear

Posted 28 September 2006 - 11:39 PM

Sounds as though extract is what you need:

<?php
   extract($_POST);
?>

This imports the key names into the namespace.  So if your form has fields, user, pass and submit, then by using the above you can refer to them as $user, $pass, $submit.

There are various options with extract, including what to do if a name already exists. I'd suggest you check out the PHP manual on extract.

Regards
Huggie
Advice to MySQL users: Get phpMyAdmin and test your queries work there first, take half the hassle out of diagnosis, also check the reserved words list.

Links: PHP Docs :: RegEx's :: MySQL :: DevGuru :: w3schools

#4 JustinK101

Posted 28 September 2006 - 11:43 PM

Via the manual: Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily.

Don't want to rely on register_globals, that's the entire point of referencing variables by $_POST[''].

Seems like I just gotta do the same code as above except put $_POST[''], unless you have any other ideas.
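
Added example, not part of the thread or any poster's code: what the manual's warning about extract() on request data means in practice, next to a version that imports only expected fields under a prefix. The function names, the `$is_admin` variable and the sample input are assumptions made up for illustration.

```php
<?php
// Constructed sample input: a form post that carries one expected field
// and one key named after a variable the script already uses.
$post = ['first_name' => 'Ann', 'is_admin' => '1'];

// Before: extract() with its default flag (EXTR_OVERWRITE) replaces
// variables that already exist in the current scope.
function with_plain_extract(array $post): array {
    $is_admin = false;          // set by the application
    extract($post);             // request data now decides $is_admin
    return ['first_name' => $first_name ?? null, 'is_admin' => $is_admin];
}

// After: keep only the expected keys, and import them under a prefix so
// they cannot collide with the script's own variables.
function with_allow_list(array $post, array $allowed): array {
    $is_admin = false;
    $fields = array_intersect_key($post, array_flip($allowed));
    extract($fields, EXTR_PREFIX_ALL, 'form');   // creates $form_first_name only
    return ['first_name' => $form_first_name ?? null, 'is_admin' => $is_admin];
}

var_dump(with_plain_extract($post));
var_dump(with_allow_list($post, ['first_name']));
```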

#5 JustinK101

Posted 29 September 2006 - 12:02 AM

Ok, I had to change my query to the following:

INSERT into employees
					(
						title, first_name, last_name, mailing_address, city, state, zip_code, country, email_address, contact_phone,
						hire_date, job_title_occupation, employment_term, compensation_basis, compensation_major, compensation_minor,
						compensation_quant, workers_comp_classification, enrolled_in_benefits, paid_holidays, hours_per_holiday, paid_vacation,
						vacation_hours_per_year, paid_personal, personal_hours_per_year, direct_deposit, number_tax_allowances, username,
						password, date_created, date_last_modified, user_who_created, user_who_last_modified, last_succ_login
					)
					VALUES
					(
						'$_POST[title]', '$_POST[first_name]', '$_POST[last_name]', '$_POST[mailing_address]', '$_POST[city]', '$_POST[state]', '$_POST[zip_code]', '$_POST[country]', '$_POST[email_address]', '$_POST[contact_phone]',
						'$_POST[hire_date]', '$_POST[job_title_occupation]', '$_POST[employment_term]', '$_POST[compensation_basis]', '$_POST[compensation_major]', '$_POST[compensation_minor]',
						'$_POST[compensation_quant]', '$_POST[workers_comp_classification]', '$_POST[enrolled_in_benefits]', '$_POST[paid_holidays]', '$_POST[hours_per_holiday]', '$_POST[paid_vacation]',
						'$_POST[vacation_hours_per_year]', '$_POST[paid_personal]', '$_POST[personal_hours_per_year]', '$_POST[direct_deposit]', '$_POST[number_tax_allowances]', '$_POST[username]',
						'$_POST[password]', '" . get_current_date() . "', '" . get_current_date() . "', '" . get_current_username() . "', '" . get_current_username() . "', 'NULL'
					)";

There had to be an easier way? Am I the only person so lazy to complain about this? :) LOL.

Pain in the butt, and also lose the standard of quoting keys in the $_POST array. Such as '$_POST['my_value']' must be changed to '$_POST[my_value]' or else the PHP won't parse.

#6 kenrbnsn

Posted 29 September 2006 - 12:36 AM

It looks like the field names in your form are the same as the field names in your database, therefore you can use the alternative insert syntax and do something like the following:
<?php
$qtmp = array();
$date_fields = array('date_created','date_last_modified');
$user_fields = array('user_who_created', 'user_who_last_modified');
foreach($_POST as $key => $value) {
    if ($key != 'submit') // or whatever your submit button is named
        if (strlen(trim(stripslashes($value))) != 0) // ignore blank fields
            $qtmp[] = $key . " = '" . mysql_real_escape_string(trim(stripslashes($value))) . "'";
}
foreach($date_fields as $k)
    $qtmp[] = $k . " = '" . date('Y-m-d') . "'"; // I'm guessing at the format for your date fields
foreach($user_fields as $k)
    $qtmp[] = $k . " = '" . get_current_username() . "'";
$query = "insert into employees set " . implode(', ',$qtmp);
echo $query; // just to see what you have created...
?>

When it comes to iterating through arrays, the foreach statement is a big help.

Ken
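
Added example, not part of the thread or Ken's code: the loop above escapes each value but uses every $_POST key as a column name as-is, so this variant takes column names only from a fixed list and passes values as bound parameters. `FORM_COLUMNS`, `build_insert()`, the sample request and the `current_user_placeholder` value are assumptions for illustration; the column names are a subset of the employees table shown in the thread.

```php
<?php
// Columns the form may set (constructed subset of the thread's employees table).
const FORM_COLUMNS = ['first_name', 'last_name', 'hire_date', 'compensation_major'];

/**
 * Build "INSERT ... VALUES (?, ...)" plus its parameter list.
 * Column names come only from $allowed and $server; request keys are never
 * used as SQL text. $table is a literal supplied by the code, not by the request.
 */
function build_insert(string $table, array $allowed, array $input, array $server): array {
    $row = [];
    foreach ($allowed as $col) {
        $value = isset($input[$col]) && is_string($input[$col]) ? trim($input[$col]) : '';
        if ($value !== '') {            // ignore blank fields, as the posted loop does
            $row[$col] = $value;
        }
    }
    $row = array_merge($row, $server);  // server-side values win over form values
    $cols = array_keys($row);
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    $sql = "INSERT INTO $table (" . implode(', ', $cols) . ") VALUES ($marks)";
    return [$sql, array_values($row)];
}

// Constructed sample request: one unexpected key, one value containing a quote.
$post = [
    'first_name'       => 'Pat',
    'last_name'        => "O'Neil",
    'hire_date'        => '2006-09-28',
    'user_who_created' => 'someone_else',   // not in FORM_COLUMNS, so dropped
    'submit'           => 'Save',
];
// Values the server decides; the user name here is a placeholder.
$server = ['date_created' => date('Y-m-d'), 'user_who_created' => 'current_user_placeholder'];

[$sql, $params] = build_insert('employees', FORM_COLUMNS, $post, $server);
echo $sql, "\n";
print_r($params);

// With a PDO connection in $pdo (assumed, not created here):
// $pdo->prepare($sql)->execute($params);
```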

#7 JustinK101

Posted 29 September 2006 - 06:25 AM

kenrbnsn,

Thanks for the idea but that code is ugly and hard for me to follow, personally. I guess all my typing isn't that bad. Any way I can still keep the quotes of the $_POST array variables though?

Currently I do like '$_POST[var_name]' I want to be able to do '$_POST['var_name']' any way that is possible? It won't compile if '$_POST['var_name']' though currently.

#8 448191

Posted 29 September 2006 - 06:38 AM

> kenrbnsn,
>
> Thanks for the idea but that code is ugly and hard for me to follow, personally. I guess all my typing isn't that bad.

??? Trust me, learn how to use loops.

> Any way I can still keep the quotes of the $_POST array variables though?
>
> Currently I do like '$_POST[var_name]' I want to be able to do '$_POST['var_name']' any way that is possible? It won't compile if '$_POST['var_name']' though currently.

manual

#9 HuggieBear

Posted 29 September 2006 - 08:37 AM

> Currently I do like '$_POST[var_name]' I want to be able to do '$_POST['var_name']' any way that is possible?

You can do that by using double quotes " " and putting the variable inside curly braces, known as complex syntax.

<?php
// Unquoted
echo $_POST['name'];

// Double quoted
echo "{$_POST['name']}";

// Using heredoc (info about this is also on the link provided above)
echo <<<HTML
{$_POST['name']}
HTML;
?>

Regards
Huggie

#10 JustinK101

Posted 29 September 2006 - 06:24 PM

Trying to do complex, here is what I have:

$sql = "INSERT into employees
					(
						title, first_name, last_name, mailing_address, city, state, zip_code, country, email_address, contact_phone,
						hire_date, job_title_occupation, employment_term, compensation_basis, compensation_major, compensation_minor,
						compensation_quant, workers_comp_classification, enrolled_in_benefits, paid_holidays, hours_per_holiday, paid_vacation,
						vacation_hours_per_year, paid_personal, personal_hours_per_year, direct_deposit, number_tax_allowances, username,
						password, date_created, date_last_modified, user_who_created, user_who_last_modified, last_succ_login
					)
					VALUES
					(
						'{$_POST['title']}', '{$_POST['first_name']}', '{$_POST['last_name']}', '{$_POST['mailing_address']}', '{$_POST['city']}', '{$_POST['state']}', '{$_POST['zip_code']}', '{$_POST['country']}', '{$_POST['email_address']}', '{$_POST['contact_phone']}',
						'{$_POST['hire_date']}', '{$_POST['job_title_occupation']}', '{$_POST['employment_term']}', '{$_POST['compensation_basis']}', '{$_POST['compensation_major']}', '{$_POST['compensation_minor']}',
						'{$_POST['compensation_quant']}', '{$_POST['workers_comp_classification']}', '{$_POST['enrolled_in_benefits']}', '{$_POST['paid_holidays']}', '{$_POST['hours_per_holiday']}', '{$_POST['paid_vacation']}',
						'{$_POST['vacation_hours_per_year']}', '{$_POST['paid_personal']}', '{$_POST['personal_hours_per_year']}', '{$_POST['direct_deposit']}', '{$_POST['number_tax_allowances']}', '{$_POST['username']}',
						'{$_POST['password']}', '" . get_current_date() . "', '" . get_current_date() . "', '" . get_current_username() . "', '" . get_current_username() . "', 'NULL'
					)";

It is not working though, won't parse.

#11 True`Logic

Posted 29 September 2006 - 06:27 PM

if(isset($_POST["moo"])) {
$moo = $_POST["moo"];
$moo = str_replace(...);
//--...
}
else { die("Error, no input"); }


sweet, simple, fast, easy =]

#12 JustinK101

Posted 29 September 2006 - 06:32 PM

True` Logic:


Huh? How is what you wrote going to generate a mysql insert query which I have above?

#13 HuggieBear

Posted 29 September 2006 - 06:39 PM

It's not because of the curly braces that it's not inserting.  It's probably due to the functions you're trying to insert!

Do any processing outside of the query...
$username = get_current_username();
$sql = "INSERT INTO table (username) VALUES ('$username')";

Not like this:
$sql = "INSERT INTO table (username) VALUES ('.get_current_username().')";

You could even use some SQL commands to save even more time...
$sql = "INSERT INTO table (date_last_modified) VALUES (curdate())";

Regards
Huggie

#14 JustinK101

Posted 29 September 2006 - 06:48 PM

Yeah I found it, it was another function, so the above code with the curly braces works, just a lot of typing. Sigh. :)