Jump to content

Recommended Posts

ok this may not be able to be done .... but here goes nothing ...

 

i have a roster that displays member names as a link to thier profile using a form and onclick submit() now what i didnt realize is that the form name will have to increment for each record returned from the query.  i am by no means a guru with php so i need some help adding the foreach statement and setting the form name to increment each time

 

 

what i need:

I need this to automatically go +1 for each record returned

<form name="view3" action="./viewinfo.php" method="post"> 

<a href="#" onclick="document['view3'].submit()"> 

 

and i need the correct way to use the foreach statement ... i have read the manual and it just confuzzeled me .

 

 

here is what i have so far.

 


<?php	
include './clan_new/config.php';
include './clan_new/access.php';
$db = mysql_connect ($hostname, $username, $password) or die ('Failed to connect to database: ' . mysql_error());
mysql_select_db($database);
$query = "SELECT * FROM $member_table WHERE $member_table.rank = 6 ORDER BY $member_table.name ASC";
$result = mysql_query($query) or die ('Failed to query ' . mysql_error());
while ($row = mysql_fetch_assoc($result)) {
	$steamid = $row['authid'];
	$name = $row['name'];
	$email = $row['email'];
	$fid = $row['fid'];
	$avatar = $row['avatar'];
	echo "<tr>";

	if ($avatar==""){
		echo "<td> </td>";
	} else{
		echo "<td><img height='35' width='35' src='./clan_new/avatars/$avatar'></td>";
	}

	?>
        <form name="view3" action="./viewinfo.php" method="post">
        <input type="hidden" id="authid" name="authid" value="<?php  echo "$steamid" ; ?>" />
        </form>
	<td align="center"><a href="#" onclick="document['view3'].submit()"> <?php  echo "$name" ; ?></a></td>
        <?php 
	echo "<td align=\"center\"><a class=\"style2\" href=\"mailto:$email\" class=\"style2\">$email</a></td>";

	if ($fid==""){
		echo "";
	} else{
		echo "<td align=\"center\">+<a class=\"style2\" href=\"steam://friends/add/$fid\">Friend</a></td>";
	}

	echo "</tr>";
}

mysql_free_result($result);
mysql_close($db);
?>

Link to comment
https://forums.phpfreaks.com/topic/228575-phpmysql-foreach-to-increment-a-value/
Share on other sites

Well, you don't really need a foreach statement here (assuming I understand what you're looking for).  Try something like this:

 

<?php 
// Snippet of your original code with some modifications
$result = mysql_query($query) or die ('Failed to query ' . mysql_error());
$form_counter = 1; # a counter to increment for each of your forms
while ($row = mysql_fetch_assoc($result)) {
$steamid = $row['authid'];
// etc.
?>
<!-- here we append the form_counter variable to the form name etc. -->
<form name="view<?php echo $form_counter; ?>" action="./viewinfo.php" method="post">
	<input type="hidden" id="authid" name="authid" value="<?php  echo "$steamid" ; ?>" />
</form>
<td align="center"><a href="#" onclick="document['view<?php echo $form_counter; ?>'].submit()"> <?php  echo "$name" ; ?></a></td>

<?php
// your code continues...
// ...
// Then increment the form_counter variable for the next run of 'while'
$form_counter++;
}
?>

 

That should get you going but just as a heads-up: the standard way to do this sort of "view user" thing would be to pass the user's steam (or authid whatever) in the URL.  No forms required:

 

<a href="viewinfo.php?authid=<?php echo $steamid; ?>"><?php echo htmlentities($name); ?></a>

 

This would churn out something like http://yoursite.net/viewinfo.php?authid=1234

 

Then get the id from the url on trhe viewinfo.php page like so:

 

if (isset($_GET['authid']))
{
$steamid = $_GET['authid'];
}
else
{
$steamid = False;
}
// Now get the user info from the db
if ($steamid)
{
// Remember to sanitize $steamid before using it in a db query...
}

 

Hope that helps.

 

thanks i will try that code as soon as i get home, the reason i am not using _GET  method is i was told that it was unsafe against sql injections and that POST was safer ... is this true? if not then i could change to get.

thanks i will try that code as soon as i get home, the reason i am not using _GET  method is i was told that it was unsafe against sql injections and that POST was safer ... is this true? if not then i could change to get.

 

You should use get to "get" / retrieve something (though post will work as well).  Always use post to add, delete, change.

_POST is safer, but still not 100% (or so I am led to believe).  using url variable passing is not nearly as popular as it used to be, which is kinda unfortunate when it comes to links in spam emails, but cleaner for everything else.  I personaly would go down the hidden field in a form or session variable rout rather than the url?variable= but that's because I like to keep users ignorant of the workings of my sites - lets face it, if they want to know what variables I'm passing, it's not going to be for anything that will benifit me.

No user input is safe. It doesn't matter whether you use _GET, _POST or _REQUEST - a malicious user can still change the value to whatever they like. All data should be sanitized before use within a query, and the logic within your code should prevent someone doing something they shouldn't by just changing the value of the parameter.

 

It's only considered good practise to use the right method for the type of request you're making.

using url variable passing is not nearly as popular as it used to be, which is kinda unfortunate when it comes to links in spam emails, but cleaner for everything else.

 

What do you mean by that? How do you think the parameters are passed to this exact page?

If you're using MySQL, pass strings through mysql_real_escape_string. That will prevent against SQL injections.

 

If you're working with numeric types, then intval or floatval should be used, as it's possible to inject SQL without using quotes.

ok so with the code below how would i sanitize? a steamID/authid looks like this STEAM_0:1:16111244

 

roster.php

<?php	
include './clan_new/config.php';
include './clan_new/access.php';
$db = mysql_connect ($hostname, $username, $password) or die ('Failed to connect to database: ' . mysql_error());
mysql_select_db($database);
$query = "SELECT * FROM $member_table WHERE $member_table.rank = 7 ORDER BY $member_table.name ASC";
$result = mysql_query($query) or die ('Failed to query ' . mysql_error());
while ($row = mysql_fetch_assoc($result)) {
	$steamid = $row['authid'];
	$name = $row['name'];
	$email = $row['email'];
	$fid = $row['fid'];
	$avatar = $row['avatar'];
	echo "<tr>";

	if ($avatar==""){
		echo "<td> </td>";
	} else{
		echo "<td><img height='35' width='35' src='./clan_new/avatars/$avatar'></td>";
	}

	?>
        <td align="center"><a href="viewinfo.php?authid=<?php  echo $steamid; ?>"><?php  echo htmlentities($name); ?></a></td>
        <?php 
	echo "<td align=\"center\"><a class=\"style2\" href=\"mailto:$email\" class=\"style2\">$email</a></td>";

	if ($fid==""){
		echo "";
	} else{
		echo "<td align=\"center\">+<a class=\"style2\" href=\"steam://friends/add/$fid\">Friend</a></td>";
	}

	echo "</tr>";
}

mysql_free_result($result);
mysql_close($db);
?>

 

viewinfo.php

<?php 
//Thanks to behicthebuilder
if (isset($_GET['authid'])){
	$steamid = $_GET['authid'];
} else{
	$steamid = False;
}

// Now get the user info from the db

if ($steamid){

	include './config.php';
	include './access.php';
	$db = mysql_connect ($hostname, $username, $password) or die ('Failed to connect to database: ' . mysql_error());
	mysql_select_db ($database);
	$query = "SELECT a.authid, a.avatar, a.rank, a.name, a.email, a.fid, b.auth, b.name AS amx_name, b.access, c.id AS sm_id, c.name AS sm_name, c.identity, d.id AS grp_id, d.name AS grp_name, d.flags, d.immunity_level, e.group_id, e.admin_id FROM $member_table a INNER JOIN $admin_table b ON a.authid = b.auth INNER JOIN $smadmin_table c ON a.authid = c.identity INNER JOIN $smadmgrp_table e ON c.id = e.admin_id INNER JOIN $smgroups_table d ON d.id = e.group_id WHERE a.authid= '$steamid'";
	$result = mysql_query($query) or die ("Cannot query table " . mysql_error());
	$row = mysql_fetch_assoc($result);

                                //clan_members a
	$authid = $row['authid'];    //steamid
	$rank = $ranks[$row['rank']];
	$name = $row['name'];
	$email = $row['email'];
	$fid = $row['fid'];
	$rank_num = $row['rank'];
	$avatar = $row['avatar'];

                                //admins b
	$auth = $row['auth'];    //steamid
	$amx_name = $row['amx_name'];
	$access = $row['access'];

                                //sm_admins c
	$sm_id = $row['sm_id'];
	$sm_name = $row['sm_name'];
	$identity = $row['identity'];
	$group = $groups[$row['group_id']];

                                //sm_groups d
	$grp_id = $row['grp_id'];
	$grp_name = $row['grp_name'];
	$flags = $row['flags'];
	$immunity_level = $row['immunity_level'];

                                //sm_admins_groups e
	$admin_id = $row['admin_id'];
	$group_id = $row['group_id'];

                                mysql_free_result($result);
	mysql_close($db);
	?>
<table width="100%" border="0" cellpadding="3" cellspacing="3">
  <tr>
    <th scope="row" colspan="4">Member Details for: <?php  echo "$name"; ?></th>
  </tr>
  <tr>
    <th width="25%" scope="row"><div align="left">SteamID:</div></th>
    <td width="75%"><div align="left">
        <?php  echo "$auth"; ?>
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">Name:</div></th>
    <td><div align="left">
        <?php  echo "$name"; ?>
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">Rank:</div></th>
    <td><div align="left">
        <?php  echo "$rank"; ?>
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">Email:</div></th>
    <td><div align="left">
        <a href="mailto://<?php  echo "$email"; ?>"><?php  echo "$email"; ?></a>  Email Me
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">FriendsID:</div></th>
    <td><div align="left">
        <a href="steam://friends/add/<?php  echo "$fid"; ?>"><?php  echo "$fid"; ?></a>  Add to Friends
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">AMXX Flags:</div></th>
    <td><div align="left">
        <?php  echo "$access"; ?>
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">SourceMod Group:</div></th>
    <td><div align="left">
        <?php  echo "$group"; ?>
      </div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">Immunity Level:</div></th>
    <td><div align="left"><?php  echo "$immunity_level"; ?></div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left">SourceMod Flags:</div></th>
    <td><div align="left"><?php  echo "$flags"; ?></div></td>
  </tr>
  <tr>
  <th scope="row">
  <?php 

	if ($avatar==""){
		echo " ";
	} else{
		echo "Avatar";
	}

	?></th>
  <td align="left">
  <?php 

	if ($avatar==""){
		echo " ";
	} else{
		echo "<img height='35' width='35' src='./clan_new/avatars/$avatar'>";
	}

	?>
        <div align="left"></div></td>
  </tr>
  <tr>
    <th scope="row"><div align="left"> </div></th>
    <td>
      <input type="button" value="Back" onClick="history.go(-1);return true;"></td>
  </tr>
</table>
<?php
} ?>

You'll want to sanitize whenever you are passing user-generated values to a database query.  You can get a bit more info about why on this page:

http://php.net/manual/en/function.mysql-real-escape-string.php

 

So on your viewinfo.php page, you're taking the authid from the $_GET array and then using it in a query.  This is completely normal but you absolutely must sanitize the data as a user could easily manipulate the authid in the URL.

 

$steamid = 'A value passed in the URL ($_GET)';  # Not safe (yet) since user can easily manipulate this.

// Connect to the db as normal

// Sanitize data before running any queries
$clean_steamid = mysql_real_escape_string($steamid);
$query = "SELECT whatever FROM whatever WHERE a.authid = '$clean_steamid'";  # NOTE: we use the sanitized version here.

// Carry on as normal

 

You could also look into using a regular expression (google it) to check that the data in $steamid actually looks like a steam id before using it in the query but that's probably for another day.

 

Lastly, any user-generated data can also be dangerous if you are echo-ing it in your HTML.  So you'll probably want to look into Cross Site Scripting (XSS) attacks next.

 

Enjoy.

hey thanks BB again for all your help ..

 

as i have been reading about regex this would be a proper use right ?

 

SteamIDs look like this ... STEAM_0:0:00000000

STEAM_ will stay teh same always

0: will stay 1 digit from 0-9

0: will stay 1 digit from 0-9

the last set will be 0-9 and a length of 1 to 9 digits

 

this is teh preg_match i came up with

preg_match(#STEAM_([0-9]+){1}\[0-9]+){1}[0-9]+){0}#)

 

 

Not sure where you got the '#' characters from but the rest is fairly close.

 

Here's what I would probably use based on what you said a steam id looks like:

 

<?php
$steam_id = "STEAM_0:0:000000000";
$pattern = '/^STEAM_[0-9]:[0-9]:[0-9]{1,9}$/';

if (preg_match($pattern, $steam_id))
{
// Great
}
?>

 

There's a heap of regrex tutorials out there so I'm not going to go into details about each part of the pattern. There's also a dedicated regex child board on this forum.

 

Hope that helps.

 

Not sure where you got the '#' characters from but the rest is fairly close.

 

Actually the delimiters can be any matching characters you want. You can also use opening/closing paired characters, such as "<...>" and "(...)".

Regex is great, but not always needed.  This or a variation to capture only what you want will work:

 

$steam_id = 'STEAM_0:0:00000000';

list($first, $second, $third, $fourth) = sscanf($steam_id, '%s_%d:%d:%d');
//or
sscanf($steam_id, '%s_%d:%d:%d', $first, $second, $third, $fourth);

Actually the delimiters can be any matching characters you want. You can also use opening/closing paired characters, such as "<...>" and "(...)".

Good to know.  I've been using '/' so long that I thought it was a requirement.

Regex is great, but not always needed.  This or a variation to capture only what you want will work:

 

$steam_id = 'STEAM_0:0:00000000';

list($first, $second, $third, $fourth) = sscanf($steam_id, '%s_%d:%d:%d');
//or
sscanf($steam_id, '%s_%d:%d:%d', $first, $second, $third, $fourth);

 

In this case I think the requirement was only to check if a string looked like a steam id in general (not to capture values from it).  That being said, I have never seen the sscanf function before and it looks very useful so cheers for that.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.