Jump to content

WTF is wrong?

Kindot

By Kindot
in PHP Coding Help

 Share

Recommended Posts

Kindot Newbie

Kindot

Posted
Posted

Who tells me what's wrong takes a kiss

if( isset($_POST['anno']) ){
	echo "<select name='squadra'>";
					
		$squadraseltutte = "";
		if ($_POST['squadra'] == "tutte") $squadraseltutte = "selected";
					
		echo "<option value='tutte' ".$squadraseltutte.">Tutte</option>";
					
		$squadre=file('./statistiche/archivio/'.$_POST['anno'].'/squadre.txt');
		for ($num5=0; $num5<=19; $num5++){
			$squadrasel = "";
			if ($_POST['squadra'] == $squadre[$num5]) $squadrasel = "selected";
			echo "<option value=".$squadre[$num5]." ".$squadrasel.">".ucfirst(strtolower($squadre[$num5]))."</option>";
		};
					
	echo "</select>";
}
else echo "<select name='squadra'><option value='tutte' selected>Tutte</option></select>";

It should select the $squadre[$num5] chosen with the $_POST['squadra'] automatically but it selects always the first option anyway. If I choose "Tutte" it works, it selects "Tutte" automatically. What's wrong within the for cicle? Sorry for the bad english and thanks in advance!

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

The option value isn't quoted, so any space will screw up the form.

 

And the concept of security seems to be entirely foreign to you. You let the user choose an arbitrary file path and print the content straight on the screen, and you insert all input directly into your HTML markup. Do you not understand how dangerous this is?

Link to comment
Share on other sites
Kindot Newbie

Kindot

Posted
  • Author
Posted

Thanks for the reply, unfortunately I'm not an expert and it's my first website. It will be accessible only to a few people so I hope it will be good.

However sorry but I didn't understand what did you mean. The option value works because if I select an option the page shows me what i selected, just it doesn't select the option as "selected". Can you please explain to me what you wrote? Any example would be welcome.

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted (edited)

The value attributes of your options are unquoted, which means the value stops at the first space character, even if it's actually longer. Your strings from the file() call do contain trailing newline characters, so the submitted value no longer matches the real value. It's truncated.

 

Quote your attributes and call file() with the FILE_IGNORE_NEW_LINES flag.

 

 

 

It will be accessible only to a few people so I hope it will be good.

 

How do you know that it's only accessible to a few people?

 

In any case, hope isn't the right approach in programming. Learn the basics of security and make sure your code is actually safe.

Edited by Jacques1
Link to comment
Share on other sites
cyberRobot Prolific Member

cyberRobot

Posted
Posted

However sorry but I didn't understand what did you mean. The option value works because if I select an option the page shows me what i selected, just it doesn't select the option as "selected". Can you please explain to me what you wrote? Any example would be welcome.

 

This

echo "<option value=".$squadre[$num5]." "

Needs to be changed to something like this

echo "<option value='".$squadre[$num5]."' "

Of course, that doesn't address the security issues mentioned by Jacques1.

Link to comment
Share on other sites
Kindot Newbie

Kindot

Posted
  • Author
Posted

It's part of a bigger script, and as I said I am not an expert, I am just implementing something to that.

However, I just tried what you said and it works finally! I completely ignored the existence of that flag, and it was the key, I think because the file has at the end an empty line. Isn't so?
 

About quotes I wasn't able to traduce "quoted" in my language (in italian it becomes an unusual word, and google translate doesn't help), that's why I didn't understand, or you know it or you don't know it. But anyway it needed that flag too.

 

Thanks again! I think I will come back here to ask you something else :)

Link to comment
Share on other sites
Jacques1 Prolific Member

Jacques1

Posted
Posted

I completely ignored the existence of that flag, and it was the key, I think because the file has at the end an empty line. Isn't so?

 

The file() function by default always keeps the original newline character at the end of each line. So this has nothing to do with the particular file content. If you want to get rid of the newlines, you need the flag.

 

In the long run, you should abandon those very fragile and limited plaintext files. Either use a proper file format (JSON, YAML, XML, ...) or an actual database system (MySQL, PostgreSQL, ...).

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.