NoobLaPHP Posted April 16, 2014 Share Posted April 16, 2014 $liked = explode(":", $_POST[submit]); if($liked[0] == "like"){ //Select from database where id is $liked[1] } <input type="image" src="images/arrowup.gif" name="submit" value="like:<? echo $right->id; ?>"/> Ok, so i have made a forum and i have a like function running on the comments of a post. I needed to find a way when the image was clicked it updated the database. So i experimented and came up with the solution above having it explode the value of the button to read if it was press and get the id. It works perfectly but i just want to be convinced it is safe. Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/ Share on other sites More sharing options...
.josh Posted April 16, 2014 Share Posted April 16, 2014 it is a trivial thing to change the value of an input field, regardless of what type it is. You need to make sure that $liked[1] contains an expected value, same as any other value coming from a request. Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476431 Share on other sites More sharing options...
Psycho Posted April 16, 2014 Share Posted April 16, 2014 I don't understand. Why is there a ':' in the submitted value? I am assuming that the image is sending the data via an AJAX request rather than the image being a submit button. So, why not have the data sent as a single name/value pair with the name being something more obvious such as 'like'? if(isset($_POST['like'])) { $likedID = intval($_POST['like']); } Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476432 Share on other sites More sharing options...
NoobLaPHP Posted April 16, 2014 Author Share Posted April 16, 2014 it is a trivial thing to change the value of an input field, regardless of what type it is. You need to make sure that $liked[1] contains an expected value, same as any other value coming from a request. It requires both items to be filled. If either is empty it shows nothing if($liked[0] == "like"){ if(!$liked[1]){ //Do nothing }else{ //Select from database where id is $liked[1] } } Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476433 Share on other sites More sharing options...
.josh Posted April 16, 2014 Share Posted April 16, 2014 umm, checking if it's empty in no way makes it safe. Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476434 Share on other sites More sharing options...
NoobLaPHP Posted April 16, 2014 Author Share Posted April 16, 2014 (edited) I don't understand. Why is there a ':' in the submitted value? I am assuming that the image is sending the data via an AJAX request rather than the image being a submit button. So, why not have the data sent as a single name/value pair with the name being something more obvious such as 'like'? if(isset($_POST['like'])) { $likedID = intval($_POST['like']); } I don't fully understand ajax, i'm still learning all this. I have done it using php. The value gets the like part and also the id for the post to like so it will be like like:387 if the php reads the like, it then reads the id where it updates the database $replyid = mysql_real_escape_string(addslashes(strip_tags($liked[1]))); mysql_query("UPDATE replies SET likes='...' WHERE id='$replyid'"); etc, any help is good. It helps learn Edited April 16, 2014 by NoobLaPHP Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476435 Share on other sites More sharing options...
Solution Psycho Posted April 16, 2014 Solution Share Posted April 16, 2014 OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array: <input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/> if(isset($_POST['like'])) { //User submitted one or more likes foreach($_POST['like'] as $likeID) { //Perform whatever operations you want based upon the ids passes $likeID = intval($likeID); } } Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed. Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476436 Share on other sites More sharing options...
NoobLaPHP Posted April 16, 2014 Author Share Posted April 16, 2014 OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array: <input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/> if(isset($_POST['like'])) { //User submitted one or more likes foreach($_POST['like'] as $likeID) { //Perform whatever operations you want based upon the ids passes $likeID = intval($likeID); } } Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed. It's sending the id through as 32. 71. 10 Not sure what i've done or haven't done. All i did was fill in the blanks Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476438 Share on other sites More sharing options...
NoobLaPHP Posted April 16, 2014 Author Share Posted April 16, 2014 OK, I see you are submitting the page. But, again, why not make the name something more representative of what it actually is? If you need multiple 'likes' on the same page, make the name an array: <input type="image" src="images/arrowup.gif" name="like[]" value="<? echo $right->id; ?>"/> if(isset($_POST['like'])) { //User submitted one or more likes foreach($_POST['like'] as $likeID) { //Perform whatever operations you want based upon the ids passes $likeID = intval($likeID); } } Based upon how you would use it, the code should only ever receive a single value. But, since you would need an array to set it up, it's best to allow the code to process multiple if needed. You sir, are awesome! after a few tweaks, i managed to fix it and get it working as it should. Thank you. Quote Link to comment https://forums.phpfreaks.com/topic/287827-explode-on-buttons-is-it-safe/#findComment-1476442 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.