Simple checkboxes value question


dean7

Hey guys, I've got a problem which seems like it should be so simple to resolve, but I just can't put it together. I'm needing to show all of the values of the checkboxes clicked when I hit submit.

 

I have this:

echo ('<tr><td><input id="select_car" name="select_car[]" type="checkbox" value="'.$CarID.'" onclick="CountCheck()" /><a href="?getin='.$CarID.'">'.$CarName.'</a> ('.$CarIDCol.')</td><td><a href="?repair='.$CarID.'">'.$CarDamage.'%</a></td><td><a OnClick="javascript: return confirm(\'Are you sure you want to sell?\');" href="?sell='.$CarID.'">£'.number_format($CarValue).'</a><input type="hidden" name="values[]" id="values[]" value="'.$CarValue.'"></td><td><a href="?stats='.$CarID.'">View Stats</a></td></tr>');

In my form:

<input name="sell_selected" type="submit" id="sell_selected" value="Sell Selected" class="button" onClick="JavaScript:return confirm('Are you sure you want to sell?');" />

if (!empty($_POST['sell_selected'])){
    foreach ($_POST['values'] as $value){
        echo $value;
    }
}

With my code it's displaying all the values, even the ones which haven't been checked?
How can I make it so it only shows the values of the checked checkboxes?

Only needing that as once I can see those values I need to add them together to give the final figure of the extra money of all things sold.
 
Thanks for any help
Link to comment
Share on other sites

Your form design doesn't work.

 

The select_car array from the checkboxes does contain only the checked car IDs, but the values array from the hidden fields (which you're currently iterating over) contains every possible value. Even worse, you have no idea which value belongs to which ID.

 

There are two options:

  • Add the values to the checkboxes themselves and get rid of the hidden fields: <input type="checkbox" name="car_values[insert the HTML-escaped ID here]" value="insert the HTML-escaped value here">. This gives you an associative array which maps the IDs of the selected cars to their values.
  • Only transmit the IDs and look up the values again afterwards. Be aware that this can result in different values if there have been updates in between.

Note that your car values can both be manipulated and submitted on behalf of another user (at least I see nothing which would protect you against CSRF attacks). So unless this is one of those "school projects", you might want to reconsider your approach.

Link to comment
Share on other sites

So would this be how you mean for the form?

 

 

<input id="select_car" name="select_car['.$CarID.']" type="checkbox" value="'.$CarValue.'" onclick="CountCheck()" />

 

Then for the PHP bit:

 

 

if (isset($_POST['sell_selected'])){
    $PostValues = $_POST['select_car'];

    foreach($PostValues as $value) {
        $GetInfo = $db->prepare("SELECT * FROM garage WHERE id = :id");
        $GetInfo->bindParam(":id", $value);
        $GetInfo->execute();
        $CarInformation = $GetInfo->fetchObject();
    }
}

When I try getting the information from the database it says: Notice: Trying to get property of non-object, even though the obj should be fine as I'm getting the ID from the checkbox?

Link to comment
Share on other sites

So would this be how you mean for the form?

 

You forgot the HTML-escaping. Dynamic values which are inserted into an HTML context must be escaped. Don't just assume that they're safe.

 

 

 

When I try getting the information from the database it says: Notice: Trying to get property of non-object, even though the obj should be fine as I'm getting the ID from the checkbox?

 

I don't think you understand the structure of $_POST['select_car']. It's an associative array with the car ID as the key and the car value as the corresponding value:

ID => car value

Right now, you're trying to use the car value as the ID, which doesn't make sense. The ID is the key:

foreach ($_POST['select_car'] as $car_id => $car_value)
{

}

Also, don't forget about the CSRF vulnerability.

Link to comment
Share on other sites
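
An added example, not code from this thread: the checkbox row from the first option with every dynamic value HTML-escaped, followed by the key-to-value walk over $_POST['select_car']. The $cars rows, the h() helper and the submitted array are constructed for illustration.

```php
<?php
// Added example: constructed rows standing in for the result of the garage query.
$cars = [
    ['id' => 7,  'name' => 'Mini "Cooper" <S>', 'value' => 12500],
    ['id' => 12, 'name' => "O'Neil & Sons Van", 'value' => 3400],
];

// Escape a dynamic value for an HTML text or quoted-attribute context.
function h($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One table row per car: the ID is the array key, the value is the checkbox value.
function render_car_row(array $car): string
{
    return '<tr><td><input type="checkbox" name="select_car[' . h($car['id']) . ']"'
         . ' value="' . h($car['value']) . '"> ' . h($car['name']) . '</td>'
         . '<td>£' . number_format($car['value']) . '</td></tr>';
}

foreach ($cars as $car) {
    echo render_car_row($car), "\n";
}

// What PHP builds from a submission with both boxes ticked (constructed).
$_POST['select_car'] = ['7' => '12500', '12' => '3400'];

foreach ($_POST['select_car'] as $car_id => $car_value) {
    // Keys and values are client-supplied: accept plain digit strings only.
    if (!ctype_digit((string) $car_id)
        || !is_string($car_value) || !ctype_digit($car_value)) {
        continue;
    }
    echo "car {$car_id} submitted with value {$car_value}\n";
}
```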

Yes, thank you, that's what I was aiming for, as I wanted to check the value of the car is the same as in the database. As $car_value is holding each value of the selected cars, how would I add all the selected car values up? I've read something about array_merge, or could I just do sum($car_value)?

 

Thanks

Link to comment
Share on other sites
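
An added example, not code from this thread: a handler that follows the second option from the first reply (transmit only the IDs and look the values up again), checks a CSRF token as both replies ask, and totals the sale. The owner_id and value columns, the $session and $post arrays (stand-ins for $_SESSION and $_POST) and the in-memory SQLite database are assumptions made so the code runs on its own.

```php
<?php
// Added example. Schema and session values are assumptions, not the poster's real ones.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE garage (id INTEGER PRIMARY KEY, owner_id INTEGER, value INTEGER)');
$db->exec('INSERT INTO garage VALUES (7, 1, 12500), (12, 1, 3400), (30, 2, 99000)');

// Constructed session and request: user 1 ticks cars 7 and 12; car 30 is not theirs.
$session = ['user_id' => 1, 'csrf_token' => bin2hex(random_bytes(32))];
$post = [
    'csrf_token' => $session['csrf_token'],
    'select_car' => ['7' => '999999', '12' => '3400', '30' => '99000'],
];

function sell_selected(PDO $db, array $session, array $post): int
{
    // Reject requests that do not carry the token stored in the user's session.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals($session['csrf_token'], $sent)) {
        throw new RuntimeException('CSRF token mismatch');
    }

    $selected = $post['select_car'] ?? [];
    if (!is_array($selected)) {
        return 0;
    }

    // The price comes from the database, and only for cars this user owns.
    $stmt = $db->prepare('SELECT value FROM garage WHERE id = :id AND owner_id = :owner');
    $total = 0;
    foreach (array_keys($selected) as $car_id) {
        if (!ctype_digit((string) $car_id)) {
            continue; // not a plain numeric ID
        }
        $stmt->execute([':id' => (int) $car_id, ':owner' => $session['user_id']]);
        $value = $stmt->fetchColumn();
        $stmt->closeCursor();
        if ($value !== false) {
            $total += (int) $value;
        }
    }
    return $total;
}

echo sell_selected($db, $session, $post), "\n";
```

The submitted 999999 for car 7 is ignored and car 30 belongs to another user, so only the stored values of cars 7 and 12 are counted.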
