jay7981 Posted February 23, 2011

OK, this may not be able to be done ... but here goes nothing ... I have a roster that displays member names as a link to their profile using a form and onclick submit(). Now what I didn't realize is that the form name will have to increment for each record returned from the query. I am by no means a guru with PHP so I need some help adding the foreach statement and setting the form name to increment each time.

What I need: I need this to automatically go +1 for each record returned:

    <form name="view3" action="./viewinfo.php" method="post">
    <a href="#" onclick="document['view3'].submit()">

And I need the correct way to use the foreach statement ... I have read the manual and it just confuzzled me. Here is what I have so far.

    <?php
    include './clan_new/config.php';
    include './clan_new/access.php';
    $db = mysql_connect($hostname, $username, $password) or die('Failed to connect to database: ' . mysql_error());
    mysql_select_db($database);
    $query = "SELECT * FROM $member_table WHERE $member_table.rank = 6 ORDER BY $member_table.name ASC";
    $result = mysql_query($query) or die('Failed to query ' . mysql_error());
    while ($row = mysql_fetch_assoc($result)) {
        $steamid = $row['authid'];
        $name    = $row['name'];
        $email   = $row['email'];
        $fid     = $row['fid'];
        $avatar  = $row['avatar'];
        echo "<tr>";
        if ($avatar == "") {
            echo "<td> </td>";
        } else {
            echo "<td><img height='35' width='35' src='./clan_new/avatars/$avatar'></td>";
        }
    ?>
        <!-- the form name is fixed at "view3" here, so every row submits the same form -->
        <form name="view3" action="./viewinfo.php" method="post">
            <input type="hidden" id="authid" name="authid" value="<?php echo "$steamid"; ?>" />
        </form>
        <td align="center"><a href="#" onclick="document['view3'].submit()"><?php echo "$name"; ?></a></td>
    <?php
        echo "<td align=\"center\"><a class=\"style2\" href=\"mailto:$email\" class=\"style2\">$email</a></td>";
        if ($fid == "") {
            echo "";
        } else {
            echo "<td align=\"center\">+<a class=\"style2\" href=\"steam://friends/add/$fid\">Friend</a></td>";
        }
        echo "</tr>";
    }
    mysql_free_result($result);
    mysql_close($db);
    ?>
cs.punk Posted February 23, 2011

I don't quite understand what you need to increment? The form name?
codebyren Posted February 23, 2011

Well, you don't really need a foreach statement here (assuming I understand what you're looking for). Try something like this:

    <?php
    // Snippet of your original code with some modifications
    $result = mysql_query($query) or die('Failed to query ' . mysql_error());
    $form_counter = 1; # a counter to increment for each of your forms
    while ($row = mysql_fetch_assoc($result)) {
        $steamid = $row['authid'];
        // etc.
    ?>
        <!-- here we append the form_counter variable to the form name etc. -->
        <form name="view<?php echo $form_counter; ?>" action="./viewinfo.php" method="post">
            <input type="hidden" id="authid" name="authid" value="<?php echo "$steamid"; ?>" />
        </form>
        <td align="center"><a href="#" onclick="document['view<?php echo $form_counter; ?>'].submit()"><?php echo "$name"; ?></a></td>
    <?php
        // your code continues...
        // ...
        // Then increment the form_counter variable for the next run of 'while'
        $form_counter++;
    }
    ?>

That should get you going but just as a heads-up: the standard way to do this sort of "view user" thing would be to pass the user's steam (or authid, whatever) in the URL. No forms required:

    <a href="viewinfo.php?authid=<?php echo $steamid; ?>"><?php echo htmlentities($name); ?></a>

This would churn out something like http://yoursite.net/viewinfo.php?authid=1234

Then get the id from the URL on the viewinfo.php page like so:

    if (isset($_GET['authid'])) {
        $steamid = $_GET['authid'];
    } else {
        $steamid = False;
    }

    // Now get the user info from the db
    if ($steamid) {
        // Remember to sanitize $steamid before using it in a db query...
    }

Hope that helps.
jay7981 (Author) Posted February 23, 2011

Thanks, I will try that code as soon as I get home. The reason I am not using the _GET method is I was told that it was unsafe against SQL injections and that POST was safer ... is this true? If not then I could change to GET.
AbraCadaver Posted February 23, 2011

> Thanks, I will try that code as soon as I get home. The reason I am not using the _GET method is I was told that it was unsafe against SQL injections and that POST was safer ... is this true? If not then I could change to GET.

You should use get to "get" / retrieve something (though post will work as well). Always use post to add, delete, change.
Muddy_Funster Posted February 23, 2011

_POST is safer, but still not 100% (or so I am led to believe). Using URL variable passing is not nearly as popular as it used to be, which is kinda unfortunate when it comes to links in spam emails, but cleaner for everything else. I personally would go down the hidden field in a form or session variable route rather than the url?variable= but that's because I like to keep users ignorant of the workings of my sites. Let's face it, if they want to know what variables I'm passing, it's not going to be for anything that will benefit me.
Adam Posted February 23, 2011

No user input is safe. It doesn't matter whether you use _GET, _POST or _REQUEST: a malicious user can still change the value to whatever they like. All data should be sanitized before use within a query, and the logic within your code should prevent someone doing something they shouldn't by just changing the value of the parameter. It's only considered good practice to use the right method for the type of request you're making.
Adam Posted February 23, 2011

> Using URL variable passing is not nearly as popular as it used to be, which is kinda unfortunate when it comes to links in spam emails, but cleaner for everything else.

What do you mean by that? How do you think the parameters are passed to this exact page?
jay7981 (Author) Posted February 23, 2011

What do you mean by sanitize? I know that is a really N00b question but I am that said N00b. Oh, and I switched to the GET method and it works like a charm. THANKS behicthebuilder!
Adam Posted February 23, 2011

If you're using MySQL, pass strings through mysql_real_escape_string. That will protect against SQL injections. If you're working with numeric types, then intval or floatval should be used, as it's possible to inject SQL without using quotes.
jay7981 (Author) Posted February 23, 2011

OK, so with the code below how would I sanitize? A steamID/authid looks like this: STEAM_0:1:16111244

roster.php

    <?php
    include './clan_new/config.php';
    include './clan_new/access.php';
    $db = mysql_connect($hostname, $username, $password) or die('Failed to connect to database: ' . mysql_error());
    mysql_select_db($database);
    $query = "SELECT * FROM $member_table WHERE $member_table.rank = 7 ORDER BY $member_table.name ASC";
    $result = mysql_query($query) or die('Failed to query ' . mysql_error());
    while ($row = mysql_fetch_assoc($result)) {
        $steamid = $row['authid'];
        $name    = $row['name'];
        $email   = $row['email'];
        $fid     = $row['fid'];
        $avatar  = $row['avatar'];
        echo "<tr>";
        if ($avatar == "") {
            echo "<td> </td>";
        } else {
            echo "<td><img height='35' width='35' src='./clan_new/avatars/$avatar'></td>";
        }
    ?>
        <td align="center"><a href="viewinfo.php?authid=<?php echo $steamid; ?>"><?php echo htmlentities($name); ?></a></td>
    <?php
        echo "<td align=\"center\"><a class=\"style2\" href=\"mailto:$email\" class=\"style2\">$email</a></td>";
        if ($fid == "") {
            echo "";
        } else {
            echo "<td align=\"center\">+<a class=\"style2\" href=\"steam://friends/add/$fid\">Friend</a></td>";
        }
        echo "</tr>";
    }
    mysql_free_result($result);
    mysql_close($db);
    ?>

viewinfo.php

    <?php
    //Thanks to behicthebuilder
    if (isset($_GET['authid'])) {
        $steamid = $_GET['authid'];
    } else {
        $steamid = False;
    }

    // Now get the user info from the db
    if ($steamid) {
        include './config.php';
        include './access.php';
        $db = mysql_connect($hostname, $username, $password) or die('Failed to connect to database: ' . mysql_error());
        mysql_select_db($database);
        // $steamid is taken straight from the URL and dropped into the query text below;
        // this is the value the thread is discussing how to sanitize
        $query = "SELECT a.authid, a.avatar, a.rank, a.name, a.email, a.fid,
                         b.auth, b.name AS amx_name, b.access,
                         c.id AS sm_id, c.name AS sm_name, c.identity,
                         d.id AS grp_id, d.name AS grp_name, d.flags, d.immunity_level,
                         e.group_id, e.admin_id
                  FROM $member_table a
                  INNER JOIN $admin_table b ON a.authid = b.auth
                  INNER JOIN $smadmin_table c ON a.authid = c.identity
                  INNER JOIN $smadmgrp_table e ON c.id = e.admin_id
                  INNER JOIN $smgroups_table d ON d.id = e.group_id
                  WHERE a.authid = '$steamid'";
        $result = mysql_query($query) or die("Cannot query table " . mysql_error());
        $row = mysql_fetch_assoc($result);

        //clan_members a
        $authid   = $row['authid']; //steamid
        $rank     = $ranks[$row['rank']];
        $name     = $row['name'];
        $email    = $row['email'];
        $fid      = $row['fid'];
        $rank_num = $row['rank'];
        $avatar   = $row['avatar'];
        //admins b
        $auth     = $row['auth']; //steamid
        $amx_name = $row['amx_name'];
        $access   = $row['access'];
        //sm_admins c
        $sm_id    = $row['sm_id'];
        $sm_name  = $row['sm_name'];
        $identity = $row['identity'];
        $group    = $groups[$row['group_id']];
        //sm_groups d
        $grp_id         = $row['grp_id'];
        $grp_name       = $row['grp_name'];
        $flags          = $row['flags'];
        $immunity_level = $row['immunity_level'];
        //sm_admins_groups e
        $admin_id = $row['admin_id'];
        $group_id = $row['group_id'];

        mysql_free_result($result);
        mysql_close($db);
    ?>
    <table width="100%" border="0" cellpadding="3" cellspacing="3">
        <tr>
            <th scope="row" colspan="4">Member Details for: <?php echo "$name"; ?></th>
        </tr>
        <tr>
            <th width="25%" scope="row"><div align="left">SteamID:</div></th>
            <td width="75%"><div align="left"><?php echo "$auth"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">Name:</div></th>
            <td><div align="left"><?php echo "$name"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">Rank:</div></th>
            <td><div align="left"><?php echo "$rank"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">Email:</div></th>
            <td><div align="left"><a href="mailto://<?php echo "$email"; ?>"><?php echo "$email"; ?></a> Email Me</div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">FriendsID:</div></th>
            <td><div align="left"><a href="steam://friends/add/<?php echo "$fid"; ?>"><?php echo "$fid"; ?></a> Add to Friends</div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">AMXX Flags:</div></th>
            <td><div align="left"><?php echo "$access"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">SourceMod Group:</div></th>
            <td><div align="left"><?php echo "$group"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">Immunity Level:</div></th>
            <td><div align="left"><?php echo "$immunity_level"; ?></div></td>
        </tr>
        <tr>
            <th scope="row"><div align="left">SourceMod Flags:</div></th>
            <td><div align="left"><?php echo "$flags"; ?></div></td>
        </tr>
        <tr>
            <th scope="row">
                <?php if ($avatar == "") { echo " "; } else { echo "Avatar"; } ?>
            </th>
            <td align="left">
                <?php if ($avatar == "") { echo " "; } else { echo "<img height='35' width='35' src='./clan_new/avatars/$avatar'>"; } ?>
                <div align="left"></div>
            </td>
        </tr>
        <tr>
            <th scope="row"><div align="left"> </div></th>
            <td><input type="button" value="Back" onClick="history.go(-1);return true;"></td>
        </tr>
    </table>
    <?php } ?>
codebyren Posted February 23, 2011

You'll want to sanitize whenever you are passing user-generated values to a database query. You can get a bit more info about why on this page: http://php.net/manual/en/function.mysql-real-escape-string.php

So on your viewinfo.php page, you're taking the authid from the $_GET array and then using it in a query. This is completely normal but you absolutely must sanitize the data as a user could easily manipulate the authid in the URL.

    $steamid = 'A value passed in the URL ($_GET)'; # Not safe (yet) since user can easily manipulate this.

    // Connect to the db as normal

    // Sanitize data before running any queries
    $clean_steamid = mysql_real_escape_string($steamid);
    $query = "SELECT whatever FROM whatever WHERE a.authid = '$clean_steamid'"; # NOTE: we use the sanitized version here.

    // Carry on as normal

You could also look into using a regular expression (google it) to check that the data in $steamid actually looks like a steam id before using it in the query but that's probably for another day.

Lastly, any user-generated data can also be dangerous if you are echo-ing it in your HTML. So you'll probably want to look into Cross Site Scripting (XSS) attacks next.

Enjoy.
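The viewinfo.php lookup discussed above (authid taken from $_GET and used in a query), with Adam's "sanitize before the query" advice and codebyren's XSS remark applied, as an added example that is not code from this thread. Instead of mysql_real_escape_string it uses a PDO prepared statement, which sends the value to the driver as data rather than as part of the SQL text, and it escapes at output time with htmlspecialchars. So that it runs offline it builds an in-memory SQLite table named clan_members with constructed rows; with MySQL only the DSN passed to new PDO() would change. The table and column names, the function names and the sample rows are assumptions made for the example.

```php
<?php
// Added example, not from the thread: parameterised lookup plus output escaping.
// An in-memory SQLite database with constructed rows stands in for the MySQL
// tables from the thread so the script runs stand-alone.

declare(strict_types=1);

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed schema: a subset of the thread's member table.
    $db->exec('CREATE TABLE clan_members (authid TEXT, name TEXT, email TEXT, rank INTEGER)');
    $ins = $db->prepare('INSERT INTO clan_members (authid, name, email, rank) VALUES (?, ?, ?, ?)');
    // Constructed rows; the first name deliberately contains markup.
    $ins->execute(['STEAM_0:1:16111244', 'Jay <b>Admin</b>', 'jay@example.invalid', 7]);
    $ins->execute(['STEAM_0:0:12345', 'Ren', 'ren@example.invalid', 6]);
    return $db;
}

// $authid is whatever arrived in $_GET['authid']. It never becomes part of the
// SQL string: the placeholder binds it as a value, so quote characters or SQL
// keywords inside it are only ever compared against the authid column.
// (Adam's intval advice is for numeric ids; a SteamID is a string, so it is
// bound as a string.)
function fetch_member(PDO $db, string $authid): ?array
{
    $stmt = $db->prepare('SELECT authid, name, email, rank FROM clan_members WHERE authid = :authid');
    $stmt->execute([':authid' => $authid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Escaping is done at output time and per context: htmlspecialchars for HTML
// text and attribute values, rawurlencode for a value placed inside a URL.
function render_member(array $row): string
{
    $h = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $authid = (string) $row['authid'];
    $name   = (string) $row['name'];
    $email  = (string) $row['email'];
    return '<tr>'
         . '<td>' . $h($authid) . '</td>'
         . '<td><a href="viewinfo.php?authid=' . rawurlencode($authid) . '">' . $h($name) . '</a></td>'
         . '<td><a href="mailto:' . $h($email) . '">' . $h($email) . '</a></td>'
         . '</tr>';
}

$db = open_demo_db();

// A legitimate id: the row comes back and the markup in the name is rendered
// as literal text rather than as a tag.
$row = fetch_member($db, 'STEAM_0:1:16111244');
echo $row === null ? "no such member\n" : render_member($row) . "\n";

// A crafted authid of the kind the thread is worried about. With the
// interpolated query it would alter the WHERE clause; bound as a parameter it
// is simply an authid that no row has.
$row = fetch_member($db, "x' OR '1'='1");
echo $row === null ? "crafted value matched no row\n" : render_member($row) . "\n";
```

Output encoding is deliberately kept out of fetch_member: the same row may later be written into JSON or a URL, each of which needs a different encoder, so the escape happens where the value is emitted rather than where it is read.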
jay7981 (Author) Posted February 23, 2011

Hey, thanks BB again for all your help ... as I have been reading about regex, this would be a proper use, right?

SteamIDs look like this ... STEAM_0:0:00000000

STEAM_ will stay the same always
0: will stay 1 digit from 0-9
0: will stay 1 digit from 0-9
the last set will be 0-9 and a length of 1 to 9 digits

This is the preg_match I came up with:

    preg_match(#STEAM_([0-9]+){1}\[0-9]+){1}[0-9]+){0}#)
codebyren Posted February 24, 2011

Not sure where you got the '#' characters from but the rest is fairly close. Here's what I would probably use based on what you said a steam id looks like:

    <?php
    $steam_id = "STEAM_0:0:000000000";
    $pattern = '/^STEAM_[0-9]:[0-9]:[0-9]{1,9}$/';
    if (preg_match($pattern, $steam_id)) {
        // Great
    }
    ?>

There's a heap of regex tutorials out there so I'm not going to go into details about each part of the pattern. There's also a dedicated regex child board on this forum.

Hope that helps.
Adam Posted February 24, 2011

> Not sure where you got the '#' characters from but the rest is fairly close.

Actually the delimiters can be any matching characters you want. You can also use opening/closing paired characters, such as "<...>" and "(...)".
AbraCadaver Posted February 24, 2011

Regex is great, but not always needed. This or a variation to capture only what you want will work:

    $steam_id = 'STEAM_0:0:00000000';
    // %5s reads exactly the five characters "STEAM"; a bare %s only stops at
    // whitespace, so it would swallow the whole id and leave nothing for the %d parts.
    list($first, $second, $third, $fourth) = sscanf($steam_id, '%5s_%d:%d:%d');
    // or
    sscanf($steam_id, '%5s_%d:%d:%d', $first, $second, $third, $fourth);
codebyren Posted February 25, 2011

> Actually the delimiters can be any matching characters you want. You can also use opening/closing paired characters, such as "<...>" and "(...)".

Good to know. I've been using '/' so long that I thought it was a requirement.
codebyren Posted February 25, 2011

> Regex is great, but not always needed. This or a variation to capture only what you want will work:
>
>     $steam_id = 'STEAM_0:0:00000000';
>     list($first, $second, $third, $fourth) = sscanf($steam_id, '%5s_%d:%d:%d');
>     // or
>     sscanf($steam_id, '%5s_%d:%d:%d', $first, $second, $third, $fourth);

In this case I think the requirement was only to check if a string looked like a steam id in general (not to capture values from it). That being said, I have never seen the sscanf function before and it looks very useful so cheers for that.
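The two approaches from the last few posts put together, as an added example that is not anyone's code from the thread: codebyren's anchored regex as the accept/reject gate, and AbraCadaver's sscanf to pull the numeric parts out once the gate has passed. The SteamID shape is the one jay7981 described (STEAM_, one digit, one digit, one to nine digits). The function names is_steam_id and parse_steam_id and the list of sample inputs are constructed for this example.

```php
<?php
// Added example, not from the thread: validate a SteamID received from the URL
// before it goes anywhere near a query, then extract its numeric parts.

declare(strict_types=1);

// Allowlist gate. The pattern is anchored at both ends so nothing can be
// appended to a valid-looking prefix, and the D modifier stops $ from matching
// just before a trailing newline, which a bare $ would silently accept.
function is_steam_id(string $value): bool
{
    return preg_match('/^STEAM_[0-9]:[0-9]:[0-9]{1,9}$/D', $value) === 1;
}

// Extraction with sscanf, run only after the regex gate has passed, so the %d
// conversions are never fed anything unexpected. Returns [universe, y, z] as
// integers, or null for a value that failed the gate.
function parse_steam_id(string $value): ?array
{
    if (!is_steam_id($value)) {
        return null;
    }
    $parts = sscanf($value, 'STEAM_%d:%d:%d');
    return [(int) $parts[0], (int) $parts[1], (int) $parts[2]];
}

// Constructed inputs: the valid shape plus the usual failure modes (too many
// digits, trailing newline, appended SQL, wrong case, empty string).
$samples = [
    'STEAM_0:1:16111244',
    'STEAM_0:0:0',
    'STEAM_0:1:1234567890',
    "STEAM_0:1:16111244\n",
    "STEAM_0:1:16111244' OR '1'='1",
    'steam_0:1:16111244',
    '',
];

foreach ($samples as $sample) {
    $shown = str_replace("\n", '\n', $sample);
    $parts = parse_steam_id($sample);
    if ($parts !== null) {
        printf("accept  %-32s -> universe=%d y=%d z=%d\n", $shown, ...$parts);
    } else {
        printf("reject  %-32s\n", $shown);
    }
}
```

Running the gate first is what makes the sscanf step safe to rely on: on its own, sscanf's %d happily reads a number and ignores whatever follows it, so it cannot tell a clean id from one with extra text appended.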
jay7981 (Author) Posted February 25, 2011

Thanks again guys, I will study more about regex and sscanf. This has helped me a ton!