
Trying to read through this query string to get a list of subjects (sub) and products (pro)

sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90

so I need

2-73, 2-76, 2-79, 3-73, 3-74, etc.

What am I missing in this code?

foreach ($_POST as $key => $val) {
    $sub = substr($key, 3);
    $pro = substr($val, 3);

    // $links = "SELECT * FROM table WHERE sub='".$sub."' AND pro='".$pro."';";
}


https://forums.phpfreaks.com/topic/310694-php-read-through-post/

First, please use the code icon (<>) and select PHP for your code. Second, where is that string coming from? It looks like the page is using GET, not POST, so you should be using $_GET. Third, never, ever put posted data directly into a query string. Use prepared statements only.

4 hours ago, DFibres said:

What am I missing in this code

Without knowing what output you are expecting from that input, how can we say what's missing?

The inputs are dodgy too. Each sub2 will overwrite the previous one, leaving you with 2-92 and 3-90 only.

I agree with the answers given. However, I'm happy to provide a dubious 1990s-style PHP answer to your dubious question 😀

<?php
$dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
foreach ($dubious_query_string_values as $var => $val) {
    $parts = explode('=', $val);
    echo 'SELECT * FROM table WHERE sub="'.substr($parts[0], 3).'" AND pro = "'.substr($parts[1], 3).'";';
    echo '<BR>';
}
?>

If your URL looks like this: www.example.com/dubious.html?sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90, the above code will give you:
SELECT * FROM table WHERE sub="2" AND pro = "73";
SELECT * FROM table WHERE sub="2" AND pro = "76";
SELECT * FROM table WHERE sub="2" AND pro = "79";
SELECT * FROM table WHERE sub="2" AND pro = "90";
SELECT * FROM table WHERE sub="2" AND pro = "92";
SELECT * FROM table WHERE sub="3" AND pro = "73";
SELECT * FROM table WHERE sub="3" AND pro = "74";
SELECT * FROM table WHERE sub="3" AND pro = "87";
SELECT * FROM table WHERE sub="3" AND pro = "90";

Again, this is PHP from the 80's before hacking got invented. Please heed gw1500se's and Barand's advice: never ever put raw input into mysql queries, etc.!

Edited by StevenOliver

Still terrible code but safer:

<?php
$dubious_query_string_values = explode('&', $_SERVER['QUERY_STRING']);
foreach ($dubious_query_string_values as $var => $val) {
    $val = preg_replace('/[^\d=]/', '', $val);
    $parts = explode('=', $val);
    echo 'SELECT * FROM table WHERE sub="'.$parts[0].'" AND pro = "'.$parts[1].'";';
    echo '<BR>';
}
?>
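Here is an added example (mine, not code from StevenOliver or anyone else in this thread) that does what the replies above recommend: it keeps every repeated sub/pro pair instead of letting $_GET or parse_str() collapse them to the last value, accepts only chunks shaped exactly like subN=proM, and runs the lookup as a PDO prepared statement so the numbers travel as bound parameters rather than SQL text. It assumes an in-memory SQLite table named products with columns sub, pro and name (constructed demo rows) and takes the query string as a plain string instead of reading $_SERVER['QUERY_STRING'].

```php
<?php
// Added example, not from the thread. Assumes PDO with the sqlite driver.
declare(strict_types=1);

/**
 * Split a raw query string into (sub, pro) pairs, keeping every repeated key.
 * Only chunks matching "sub<digits>=pro<digits>" are accepted; anything else
 * (including quotes, spaces or SQL fragments) is dropped.
 */
function parse_sub_pro_pairs(string $queryString): array
{
    $pairs = [];
    foreach (explode('&', $queryString) as $chunk) {
        if ($chunk === '') {
            continue;
        }
        if (preg_match('/^sub(\d+)=pro(\d+)$/', urldecode($chunk), $m) !== 1) {
            continue; // reject instead of "cleaning" the value
        }
        $pairs[] = ['sub' => (int) $m[1], 'pro' => (int) $m[2]];
    }
    return $pairs;
}

/**
 * Look each pair up with one prepared statement; the values are bound
 * parameters, so they can never change the meaning of the SQL.
 */
function find_rows(PDO $db, array $pairs): array
{
    $stmt = $db->prepare('SELECT sub, pro, name FROM products WHERE sub = :sub AND pro = :pro');
    $found = [];
    foreach ($pairs as $p) {
        $stmt->execute([':sub' => $p['sub'], ':pro' => $p['pro']]);
        foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
            $found[] = $row;
        }
    }
    return $found;
}

// Constructed demo table (assumed name "products"), not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (sub INTEGER, pro INTEGER, name TEXT)');
$ins = $db->prepare('INSERT INTO products (sub, pro, name) VALUES (?, ?, ?)');
foreach ([[2, 73, 'widget'], [2, 92, 'gadget'], [3, 74, 'gizmo']] as $row) {
    $ins->execute($row);
}

// The thread's query string, exactly as posted.
$threadQs = 'sub2=pro73&sub2=pro76&sub2=pro79&sub2=pro90&sub2=pro92'
    . '&sub3=pro73&sub3=pro74&sub3=pro87&sub3=pro90';

// Barand's point: parse_str (like $_GET) keeps only the last value per key.
parse_str($threadQs, $collapsed);
printf("parse_str keeps only sub2=%s and sub3=%s\n", $collapsed['sub2'], $collapsed['sub3']);

// Same string plus one malformed chunk (constructed) to show it is rejected.
$qs = $threadQs . '&sub3=pro1" OR "1"="1';
$pairs = parse_sub_pro_pairs($qs);
printf("%d valid pairs parsed; the malformed chunk was dropped\n", count($pairs));
foreach ($pairs as $p) {
    printf("%d-%d\n", $p['sub'], $p['pro']);
}

foreach (find_rows($db, $pairs) as $row) {
    printf("match: sub=%d pro=%d name=%s\n", $row['sub'], $row['pro'], $row['name']);
}
```

Rejecting malformed chunks outright, rather than stripping characters as the preg_replace version does, means a value like "pro1" OR "1"="1" never reaches the query at all, and the prepared statement protects the rows that do get looked up even if the validation were loosened later.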
