Links No Clicking

[derekshull]

I created a folder system and this piece of code is in a column that list all the folders that have been created by the user. It then is supposed to allow the user to click on the folder name (link) and send it to a page that displays all the items that have been tagged with that folder name.

 

My problem is that it's not clicking through to the page. You can click the link but it just sits there and does nothing. When only 1 folder is created it's fine but if you create more than one folder it just sits there. Any ideas?

 

global $user;
$username = $user->name;


$listquery = mysql_query("SELECT * FROM folders WHERE username='$username'");


while ($rows = mysql_fetch_array($listquery)) {


$id = $rows['ID'];
$username = $rows['username'];
$foldername = $rows['foldername'];
$newfoldername = mysql_real_escape_string($foldername);


echo "
<script type='text/javascript'>
function submitform()
{
 document.myform.submit();
}
</script>
<form name='myform' action='viewfolder' method='post'>
<input type='hidden' name='foldertoview' value='$newfoldername'/>
<a href='javascript: submitform()'>$newfoldername</a>
</form>
<br>
";


}

[krisw44]

I think the problem is that you are declaring the function for "submitform" inside of the while loop. So there is a function name conflict when you have more than one folder. The form is the same name every time too... You should probably increment the form name and them pass the increment value to the function so that it know which form to pull the data from.

[Psycho]

Have you looked at the actual source code created? Have you used any error console within your browser to see what javascript errors are being thrown? If you had done either I'm sure you'd see the problem. Plus, I can tell you're doign it wrong because you are using global and you are using mysql_real_escape_string() to escape data for the HTML page (?).

 

You have a while loop that is generating content. Part of that content is a javascript function. You cannot have two functions with the same name in your page! And, the way you are doing this is way more complicated than it should be.

 

You should

1. Use a common HTML hyperlink and send the folder ID as part of the query string

2. Change your viewfolder script to use the folder ID instead of the folder name

 

global $user;
$username = $user->name;
$listquery = mysql_query("SELECT ID, foldername FROM folders WHERE username='$username'");

while ($rows = mysql_fetch_array($listquery))
{
   $foldername = htmlentities($foldername);
   echo "<a href='viewfolder.php?if={$rows['ID']}'>{$foldername}</a><br>\n";
}

[derekshull]

I tried this but no luck :-/

 

global $user;
$username = $user->name;


echo "<br><a href='http://www.1511project.com/node/viewmyprojects'>All Needs</a><br>";


$listquery = mysql_query("SELECT * FROM folders WHERE username='$username'");
$i=1;


while ($rows = mysql_fetch_array($listquery)) {


$id = $rows['ID'];
$username = $rows['username'];
$foldername = $rows['foldername'];
$newfoldername = mysql_real_escape_string($foldername);


echo "
<script type='text/javascript'>
function submitform".$i++."()
{
 document.myform.submit();
}
</script>
<form name='myform".$i++."' action='viewfolder' method='post'>
<input type='hidden' name='foldertoview' value='$newfoldername'>
<a href='javascript: submitform".$i++."()'>$newfoldername</a>
</form>
";


}

[derekshull]

Psycho couldn't someone just put in another ID and view some else's folder if I did it the way you laid out? I put the code you provided in but nothing came up when I did that.

[Psycho]

Psycho couldn't someone just put in another ID and view some else's folder if I did it the way you laid out? I put the code you provided in but nothing came up when I did that.

 

Using a form is adding no more security than allowing the ID to be put on the query string. It is a trivial task to modify the data being sent in a form (even in hidden and select fields). That is why you should ALWAYS validate data coming from the user (POST, GET, COOKIE, etc.). So, your page to display the folder contents should verify that the ID belongs to the user which you already know based upon session data, right? You should probably be storing the user ID in session rather than username though.

Edited November 16, 2012 by Psycho

[derekshull]

Krisw44 wins this round he set me on the right track. Here's what I came up with that works:

 

global $user;
$username = $user->name;









echo "<br><a href='http://www.1511project.com/node/viewmyprojects'>All Needs</a><br>";









$listquery = mysql_query("SELECT * FROM folders WHERE username='$username'");
$i=1;









while ($rows = mysql_fetch_array($listquery)) {









$id = $rows['ID'];
$username = $rows['username'];
$foldername = $rows['foldername'];
$newfoldername = mysql_real_escape_string($foldername);
$j = $i++;





echo "
<script type='text/javascript'>
function submitform".$j."()
{
 document.myform".$j.".submit();
}
</script>
<form name='myform".$j."' action='viewfolder' method='post'>
<input type='hidden' name='foldertoview' value='$newfoldername'>
<a href='javascript: submitform".$j."()'>$newfoldername</a>
</form>
";


}

[Psycho]

There is absolutely no need to create a function for every link! You can just echo the function BEFORE the loop. The only reason I didn't give you code for that was because this process is much more difficult than it should be to begin with. And, as I stated, using "hidden" fields adds absolutely NO security.