gralfitox Posted December 27, 2014

...to obtain an id_item the user doesn't know and that I need to send to the DB, I got this:

```php
<?php require_once('Connections/conexxion.php'); ?>
<?php
if (!function_exists("GetSQLValueString")) {
function GetSQLValueString($theValue, $theType, $theDefinedValue = "", $theNotDefinedValue = "")
{
  if (PHP_VERSION < 6) {
    $theValue = get_magic_quotes_gpc() ? stripslashes($theValue) : $theValue;
  }

  $theValue = function_exists("mysql_real_escape_string") ? mysql_real_escape_string($theValue) : mysql_escape_string($theValue);

  switch ($theType) {
    case "text":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "long":
    case "int":
      $theValue = ($theValue != "") ? intval($theValue) : "NULL";
      break;
    case "double":
      $theValue = ($theValue != "") ? doubleval($theValue) : "NULL";
      break;
    case "date":
      $theValue = ($theValue != "") ? "'" . $theValue . "'" : "NULL";
      break;
    case "defined":
      $theValue = ($theValue != "") ? $theDefinedValue : $theNotDefinedValue;
      break;
  }
  return $theValue;
}
}

$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
  $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
  $insertSQL = sprintf("INSERT INTO movimiento (venta, compra, taller, regula_mas, regula_menos, id_lente, id_cil, id_esf) VALUES (%s, %s, %s, %s, %s, %s, %s, %s)",
                       GetSQLValueString($_POST['venta'], "int"),
                       GetSQLValueString($_POST['compra'], "int"),
                       GetSQLValueString($_POST['taller'], "int"),
                       GetSQLValueString($_POST['regula_mas'], "int"),
                       GetSQLValueString($_POST['regula_menos'], "int"),
                       GetSQLValueString($_POST['id_lente'], "int"),
                       GetSQLValueString($_POST['id_cil'], "int"),
                       GetSQLValueString($_POST['id_esf'], "int"));

  mysql_select_db($database_conexxion, $conexxion);
  $Result1 = mysql_query($insertSQL, $conexxion) or die(mysql_error());
}

mysql_select_db($database_conexxion, $conexxion);
$query_lente = "select id_lente, lente from lentes";
$lente = mysql_query($query_lente, $conexxion) or die(mysql_error());
$row_lente = mysql_fetch_assoc($lente);
$totalRows_lente = mysql_num_rows($lente);

mysql_select_db($database_conexxion, $conexxion);
$query_esfera = "SELECT * FROM esfera";
$esfera = mysql_query($query_esfera, $conexxion) or die(mysql_error());

mysql_select_db($database_conexxion, $conexxion);
$query_cilindro = "SELECT * FROM cilindro";
$cilindro = mysql_query($query_cilindro, $conexxion) or die(mysql_error());

$query_item = "select id_item from item inner join rx on rx.id_rx = item.id_rx inner join cilindro on cilindro.id_cil = rx.id_cil inner join esfera on esfera.id_esf = rx.id_esf where cilindro = ".$_POST['sel_cil']." and esfera = ".$_POST['sel_esf']." and id_lente =". $_POST['sel_lente'];
$idlente = mysql_query($query_lente, $conexxion) or die (mysql_error());
?>
<form action="<?php echo $editFormAction; ?>" method="post" name="form1" id="form1">
  <table align="center">
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Venta:</td>
      <td><input type="text" name="venta" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Compra:</td>
      <td><input type="text" name="compra" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Taller:</td>
      <td><input type="text" name="taller" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Regula_mas:</td>
      <td><input type="text" name="regula_mas" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Regula_menos:</td>
      <td><input type="text" name="regula_menos" value="" size="32" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">lente:</td>
      <td><?php echo "<select name='sel_lente'>";
          while($row= mysql_fetch_array($lente)){?>
          <option value=" <?php echo $row['id_lente'] ;?> " > <?php echo $row['lente']; ?> </option>
          <?php } ?>
          </select>
          <label for="id_lente"></label></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">cilindro:</td>
      <td><?php echo "<select name='sel_cil'>";
          while($row= mysql_fetch_array($cilindro)){?>
          <option value=" <?php echo $row['id_cil'] ;?> " > <?php echo $row['cilindro']; ?> </option>
          <?php } ?>
          </select>
          <label for="id_cil"></label></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">Esfera:</td>
      <td><?php echo "<select name='sel_esf'>";
          while($row= mysql_fetch_array($esfera)){?>
          <option value=" <?php echo $row['id_esf'] ;?> " > <?php echo $row['esfera']; ?> </option>
          <?php } ?>
          </select></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right">id_lente</td>
      <td><label for="id_lente3"></label>
          <input type="text" name="id_lente" id="id_lente3" /></td>
    </tr>
    <tr valign="baseline">
      <td nowrap="nowrap" align="right"> </td>
      <td><input type="submit" value="Insert record" /></td>
    </tr>
  </table>
  <input type="hidden" name="MM_insert" value="form1" />
</form>
<?php
mysql_free_result($esfera);
mysql_free_result($cilindro);
mysql_free_result($lente);
?>
```

and with this query

```php
$query_item = "select id_item from item inner join rx on rx.id_rx = item.id_rx inner join cilindro on cilindro.id_cil = rx.id_cil inner join esfera on esfera.id_esf = rx.id_esf where cilindro = ".$_POST['sel_cil']." and esfera = ".$_POST['sel_esf']." and id_lente =". $_POST['sel_lente'];
$idlente = mysql_query($query_lente, $conexxion) or die (mysql_error());
```

I would obtain the id_item, but how? The form is not processed and I'm getting no variable values.

Link to comment https://forums.phpfreaks.com/topic/293401-use-form-variables-before-sending-them/

wezhind Posted December 27, 2014

```php
$idlente = mysql_query($query_lente, $conexxion) or die (mysql_error());
```

Shouldn't this be using the query text you have just created - $query_item?

gralfitox Posted December 27, 2014 Author

Oops, fixed, but this is not the problem. The point is that I need to obtain an id_item with the user selections before sending it to the db, because the id_item should be sent too.

Edited December 27, 2014 by gralfitox

NotionCommotion Posted December 27, 2014

Not really sure what you are trying to do. The browser/client has some data, and posts it to the server. The server does whatever you tell it to do, and inserts data into the DB.

PS. You know this is really bad, right? If you don't know why, search for "SQL injection".

```php
where cilindro = ".$_POST['sel_cil']." and esfera = ".$_POST['sel_esf']." and id_lente =". $_POST['sel_lente'];
```

hansford Posted December 27, 2014

> ...to obtain an id_item users doesn´t know and I need to send to the DB

I understand you want an item id and you want to send it to the db. Where does this id come from? You have a lot of outdated code going on here. You state the form isn't getting processed - why? Where's the error handling to alert you when values don't exist or something doesn't work as intended?

```php
if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
```

Does any code after this get called?

gralfitox Posted December 27, 2014 Author

First of all, this is going to run on my own PC, so security doesn't matter at all.

What I'm trying to do is get the user selections to obtain an id_item that has to be sent to the db with the form. I fixed it temporarily by sending the form to a page and there getting the data, obtaining the id_item and resending it all to the db via hidden fields, but I'm looking for an elegant solution.

I know there's a lot of outdated code; I'm coding from Dreamweaver, because my knowledge is very limited.

hansford Posted December 27, 2014

> what I´m trying to do is get the user selections to obtain an id_item that has to be sent to the db with the form

The selection in the options element should have the id_item as its value.

```html
<select name="whatever">
  <option value="123">Girls</option>
  <option value="456">Women</option>
  <option value="789">Neither</option>
</select>
```

Then in your PHP code:

```php
if (isset($_POST['whatever'])) {
    $item_id = $_POST['whatever'];
}
```

The html for the select doesn't have to be hard-coded with those values either.

```php
<html>
<body>
<h1>Welcome to the girls gone lunatic, but we still love them, website!</h1>
<?php
// connect to your database and grab all of the item_id's
// call a function that creates the select element with those values
// or just do it the hard way and echo it out...
echo '<select name="whatever">';
echo '<option value="' . $row['item_id'] . '">Girls</option>';
// etc..
echo '</select>';
?>
</body>
</html>
```

Edited December 27, 2014 by hansford

wezhind Posted December 28, 2014

Hi again,

Regarding SQL injection, the reason Dreamweaver includes the function GetSQLValueString earlier in your code is to try and alleviate some of those issues by performing some checking/filtering on the data. An example of its usage (in case you don't know), per your original line:

```php
where cilindro = ".$_POST['sel_cil']." and esfera = ".$_POST['sel_esf']." and id_lente =". $_POST['sel_lente'];
```

This would now be (using the cleaning function - you can use a flag of "int" or "text" etc.):

```php
where cilindro = " . GetSQLValueString($_POST['sel_cil'], "int") . " and esfera = ". GetSQLValueString($_POST['sel_esf'], "int") ." and id_lente =". GetSQLValueString($_POST['sel_lente'], "int");
```

I'll have to reread your posts to ascertain where you are with your main issue and get back to you if I think I can help.

hansford Posted December 28, 2014

```php
where cilindro = ".$_POST['sel_cil']." and esfera = ".$_POST['sel_esf']." and id_lente =". $_POST['sel_lente'];
```

This is probably a WHERE clause in a query and the $_POST variables have been directly injected into the query. Never do it - not even in the safety of your own local machine because it just fosters bad programming techniques, fellow programmers will yell at you, girls won't feel secure with you etc.

The PHP Manual is your friend - use it.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php

I'm sure Dreamweaver makes things easier, but forget "easy" until you first understand why you should be doing something in a certain way. Don't let the tool make you the tool. (Don't allow the applications you use to speed development be smarter than you are.)
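
The one-request flow this thread is asking for, written with the prepared statements from the manual page linked above, as an added example that is not code from any poster. It assumes a mysqli connection, that the three selects post the id_lente, id_cil and id_esf keys as in the original form, and that movimiento has an id_item column; the function names and connection values are hypothetical placeholders.

```php
<?php
// Added example; assumes mysqli and an id_item column in movimiento.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// Resolve id_item from the three selections; null when nothing matches.
function findItemId(mysqli $db, int $idLente, int $idCil, int $idEsf): ?int
{
    $stmt = $db->prepare(
        "SELECT id_item FROM item
         INNER JOIN rx ON rx.id_rx = item.id_rx
         WHERE rx.id_cil = ? AND rx.id_esf = ? AND id_lente = ?");
    $stmt->bind_param('iii', $idCil, $idEsf, $idLente); // values never enter the SQL text
    $stmt->execute();
    $stmt->bind_result($idItem);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $idItem : null;
}

// Validate the posted form, look up id_item, insert one row; returns id_item.
function insertMovimiento(mysqli $db, array $post): int
{
    $v = [];
    foreach (['venta', 'compra', 'taller', 'regula_mas', 'regula_menos',
              'sel_lente', 'sel_cil', 'sel_esf'] as $f) {
        $v[$f] = filter_var(trim((string) ($post[$f] ?? '')), FILTER_VALIDATE_INT);
        if ($v[$f] === false) {
            throw new InvalidArgumentException("Field $f must be an integer");
        }
    }
    $idItem = findItemId($db, $v['sel_lente'], $v['sel_cil'], $v['sel_esf']);
    if ($idItem === null) {
        throw new RuntimeException('No item for that lente/cilindro/esfera');
    }
    $stmt = $db->prepare(
        "INSERT INTO movimiento (venta, compra, taller, regula_mas, regula_menos,
                                 id_lente, id_cil, id_esf, id_item)
         VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)");
    $stmt->bind_param('iiiiiiiii', $v['venta'], $v['compra'], $v['taller'],
        $v['regula_mas'], $v['regula_menos'],
        $v['sel_lente'], $v['sel_cil'], $v['sel_esf'], $idItem);
    $stmt->execute();
    $stmt->close();
    return $idItem;
}

if (($_POST['MM_insert'] ?? '') === 'form1') {
    $db = new mysqli('localhost', 'db_user', 'db_password', 'db_name'); // placeholders
    insertMovimiento($db, $_POST);
}
```

Because the lookup runs on the server inside the same POST, the browser never needs to know or send id_item, so a tampered hidden field cannot change which item the row points at.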

gralfitox Posted December 28, 2014 Author

Let me say I am not an English speaker, so sorry about my English. I'll try once more to explain myself.

The user fills the form with venta, compra, taller, regula_mas, regula_menos, id_lente, id_cil and id_esf. With this data I need to obtain an id_item which is needed in the db row to be inserted. This is why I need to use the form variables before sending them, to obtain the id_item and send it with the other data to the db.

I have found a temp solution which is sending the form data to another page; there I have the variables and I get the id_item, and then I send them all to the db, but if possible I prefer a one-step solution.

Hope I have explained better this time.

hansford Posted December 28, 2014

Pile, what is your major malfunction! I posted the answer - how many answers do you need for the same simpleton question.

Sorry, it's Sunday, so had a couple

Barand Posted December 28, 2014

If you are after the id of the record just inserted into movimiento, use mysql_insert_id()

http://php.net/manual/en/function.mysql-insert-id.php

wezhind Posted December 29, 2014

I'm quite confused as to what you are actually trying to do. I thought I had it, but you seem to be adding other qualifiers.

If you are trying to get info from a page that you have not yet sent to the server to be processed, then you will probably need to use JavaScript to get the value of the element you are interested in. If this is what you are requiring then perhaps look into jQuery and particularly the .val() functionality. To then use that info, you'd probably then need to use AJAX calls to process the info without leaving the page.

Good luck.

gralfitox Posted December 30, 2014 Author

That's exactly what I want. Use the variables (user selections) to obtain an id from another table before sending the form, and then send the user selection plus the obtained id to the db.

hansford Posted December 31, 2014

> That's exactly what i want. Use the variables ( user selections) to obtain an id from other table before sending the form and then send the user selection plus the obtained id to the db

I believe someone already mentioned that you will need to use Ajax for this. However, when you created the user select element - you must have gotten the id for that item in the db - you won't need Ajax if you just create the select with the id as the value.

```html
<select name="whatever">
  <option value="db_id">whatever name</option>
</select>
```

Use PHP to dynamically create the select element in the form - that's the whole purpose of the language.