
Is $POST necessary or redundant?


phppup


 

My code looks something like this:

//section one

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section two

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section one" necessary to have in my script, or is redundant since the values are indicated in my results statement?

 

I need clarification from people who know this stuff well.  Thanks

 

 


Let me try to make this a little more clear:

My code looks something like this:

 

//section ONE

apples = $POST ['apples']

donuts =$POST['donuts']

 

SQL= blah blah blah

 

//section TWO

INSERT (apples, donuts) VALUES ($apples, $donuts) etc

 

Is "section ONE" necessary to have in my script, or is redundant since the values are indicated in my results statement?

 

Some have said it's UNNECESSARY because the same info is being stated in section TWO, and others have indicated that it is "proper protocol" to aid in the script's processing.

 

 


Looking at that I don't see how section 2 would have the first clue what $apples and $donuts would be without them first being assigned in section 1 (as I assume you just missed the $ prefix of the apples and donuts in this section), unless perhaps it's in this "results statement" that you can't be bothered to describe in any sort of detail.

 

If it's too much trouble to word a question in a way that makes sense, why bother asking it in the first place?


$_POST (there is an underscore in there) is where PHP holds the values POSTed from a form, so that your script can get to them. If you are running an old version of PHP and/or you have register_globals turned on, then the first two statements are redundant. However, having register_globals on is a major security risk!

 

The "best practice" is to run with register_globals off and do something like this:

 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');
$donuts = (isset($_POST['donuts']) ? $_POST['donuts'] : '');

/* Verify that the values for "apples" and "donuts" are valid 
    (whatever "valid" means to your application) */

// Prepare for SQL (assuming mysql here)
$apples = mysql_real_escape_string($apples);
$donuts = mysql_real_escape_string($donuts);

$sql = "INSERT INTO myTable (appleColumn, donutColumn) VALUES ('$apples', '$donuts')";

 

I have over-simplified that example. The point is: test to see if the values were provided; validate the values to be sure they are acceptable; sanitize the data to prevent SQL injection attacks; build the SQL statement separately (to make debugging simpler); send it to the database (not shown in the example).

 

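The same test / validate / sanitize / build / send sequence as an added example (not code from the thread), with a PDO prepared statement standing in for mysql_real_escape_string() so the user data never becomes part of the SQL text. The DSN, credentials and the "whole number from 0 to 100" rule are assumptions; the table and column names are the ones used above.

```php
<?php
// Added example: the five steps from the answer above, using PDO instead of
// the mysql_* extension. Connection details and the validation rule are assumed.

// 1. Test: read the fields, defaulting to '' when the form did not send them.
$apples = isset($_POST['apples']) ? $_POST['apples'] : '';
$donuts = isset($_POST['donuts']) ? $_POST['donuts'] : '';

// 2. Validate: decide what "valid" means before the data goes anywhere.
//    Both fields are assumed to be whole quantities between 0 and 100.
//    is_string() guards against a tampered request sending apples[]=... (an array).
$errors = array();
foreach (array('apples' => $apples, 'donuts' => $donuts) as $name => $value) {
    if (!is_string($value) || !preg_match('/^\d{1,3}$/', $value) || (int)$value > 100) {
        $errors[] = "$name must be a whole number from 0 to 100";
    }
}
if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// 3 + 4. Sanitize and build: with a prepared statement the SQL string holds only
//        placeholders, so there is no escaping step for the values at all.
$pdo = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'dbuser', 'dbpass', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
));
$sql  = 'INSERT INTO myTable (appleColumn, donutColumn) VALUES (:apples, :donuts)';
$stmt = $pdo->prepare($sql);

// 5. Send: the values travel to the server separately from the statement.
$stmt->execute(array(':apples' => (int)$apples, ':donuts' => (int)$donuts));
```

Because the statement is prepared once and the values are bound afterwards, a value such as a stray quote or backslash is stored exactly as typed and cannot alter the query.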

Thank you DAVID!

 

Over-simplification EXPLAINS things perfectly; especially to those of us who might not truly realize WHAT we're ASKING or WHY others think it's a problem.

 

Now I not only got my answer, but ALSO understand the importance of the sections. 

 

PS: can you elaborate on the ISSET.  I know it's the brief version of an IF, but it's caused me problems in the past.  I have SANITATION and VALIDATION on my input fields, and the rest are dropdown menus.

 

Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?


$var = (if 1 = 1 ? do this : else do this);

 

Three sections: the if part is the "condition". The "do this" part is the action to be carried out if the condition is true. The "else do this" is the action to be carried out if the condition is false.


Is there a way to put the "mysql_real_escape_string" in a loop to cover all the variables, or do they need to be sanitized individually?

 

I've used variable variables:

$dataentries = array( 'apples', 'donuts' );
foreach( $dataentries AS $value ) {
    $$value = isset( $_POST[ $value ] ) ? $_POST[ $value ] : '';
    $$value = mysql_real_escape_string($$value);
}


The isset call returns true if the variable is defined (has been "set" to a value), and returns false if it has not. The following would accomplish about the same thing, but it would throw an error (actually, a NOTICE) about referencing an undefined variable (or, in this case, an undefined index in the array):

$apples = $_POST['apples'];

 

The ternary operator condition ? trueExpression : falseExpression; is a shortcut for an if ... else ...

 

if (isset($_POST['apples'])) {
    $apples = $_POST['apples'];
} else {
    $apples = '';
}

// is exactly the same as 

$apples = (isset($_POST['apples']) ? $_POST['apples'] : '');

 

 

Don't start thinking that your dropdown menu values (<SELECT> fields) are safe. They can be very easily hacked to send you a value you are not expecting. If you use the value directly from the POST array, you must validate and/or sanitize.

 

 

I don't sanitize my variables until I put them in an SQL statement. Consider:

 

// Values from the form
$_POST['apples'] = "I'm here";
$_POST['donuts'] = "What's a \ for?";

// Quick and dirty sanitize
$fromUser = array_map('mysql_real_escape_string', $_POST);

// Now I want to display what the user typed
print "Apples: " . $fromUser['apples'] . "<BR>";
print "Donuts: " . $fromUser['donuts'] . "<BR>";

 

The output displayed by those statements will be:

 

Apples: I\'m here
Donuts: What\'s a \\ for?

 

mysql_real_escape_string() puts backslashes in to protect the database. The database knows to treat these backslashes in a special way. But to the browser, they are just characters to be displayed. This is why I don't "escape_string" until they go into an SQL statement.

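An added example (not from the thread) that pulls together the loop question, the dropdown warning and the display-versus-database point above: collect the expected fields once in a plain array, check the dropdown against the options the form actually offers, and escape for the browser only at output time. The submitted values, field names and menu options are constructed for illustration.

```php
<?php
// Added example: loop over the expected form fields without variable variables,
// validate the <SELECT> value against an allowlist, and HTML-escape on output.
// mysql_real_escape_string() is deliberately NOT used here: these values are
// going to the browser, not into an SQL statement.

// Constructed stand-in for a submitted form. 'size' was supposedly chosen from a
// dropdown, but the browser has been made to send an option that is not on the menu.
$_POST = array(
    'apples' => 'I\'m here',
    'donuts' => 'What\'s a \\ for?',
    'size'   => 'jumbo',
);

$expected     = array('apples', 'donuts', 'size');   // fields the form is known to have
$allowedSizes = array('small', 'medium', 'large');   // what the <SELECT> really offers

// Step 1: collect every expected field in one loop, keeping the raw text.
$fromUser = array();
foreach ($expected as $field) {
    $fromUser[$field] = (isset($_POST[$field]) && is_string($_POST[$field])) ? $_POST[$field] : '';
}

// Step 2: validate the dropdown; strict in_array() so '0' or similar cannot slip through.
if (!in_array($fromUser['size'], $allowedSizes, true)) {
    $fromUser['size'] = 'small';   // fall back to a known option (or reject the request)
}

// Step 3: escape for the browser, at the point of output. The apostrophes and the
// backslash are rendered as typed, with no stray backslashes, because
// htmlspecialchars() encodes HTML metacharacters rather than SQL ones.
foreach ($fromUser as $field => $value) {
    print ucfirst($field) . ': ' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . "<BR>\n";
}
```

The raw values in $fromUser can later be bound to a prepared statement for the database; each destination gets its own escaping, so the two never get mixed up.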

How do I edit the code that "rythemton" mentioned if I'm not writing an array?

All the data is coming from a form.

I seem to get into trouble whenever there are ARRAYS that are ITEMIZED in the code rather than having values coming from a form or a table.
