#1

    Passing checkbox values from URL to form inputs


    Trying to draw multiple checkbox variables from URL and place them as checked on my form...maybe I'm tired ...it is past my bedtime...
    PHP Code:

    //url string - type[]=3&type[]=2&type[]=1

    //a query here, a query there, a query everywhere...
    $result = mysql_query($sql) or die (mysql_error());

    $values = '"'.implode('","', $_GET['type']).'"';
    //"3","2","1"

    $array = array($values);
    //array dump reads - Array ( [0] => "3","2","1" )

    while ($row = mysql_fetch_array($result))
    {
        echo "<input type=checkbox name='type[]' ";
        if (in_array($row['id'], $array)) {
            echo "value='$row[id]' checked";
        } else {
            echo "value='$row[id]'";
        }
        echo ">$row[CategoryName]<br>";
    }

#2
    Hi,

    apart from the fact that you're using the age-old mysql_* functions and have no security whatsoever: What on earth are you doing with those type values?

    $_GET['type'] is a nice array of number strings. But instead of simply searching in this array, you take the elements, stuff them into a strange list-style string, put this string into an array and then search in that array. WTF? How could this possibly work? Why are you doing it in the first place?

    Your $array is an array containing a single string composed of commas and digits:

    PHP Code:
    array(
        '3,2,1'    // I left out the double quotes for readability
    );

    You cannot search this array for strings like "1" or "2", because the array doesn't have those elements. There's only one element: A strange list-style string with commas and digits.

    Yeah, I guess you were tired.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
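    The fix the reply describes (search $_GET['type'] directly instead of wrapping an imploded string in an array), as an added example that is not code from the original post. It also handles type arriving as a single scalar rather than an array, compares ids strictly, and escapes the output; the $rows array and the $_GET assignment are constructed stand-ins for the query result and the URL.

```php
<?php
// Added example (not from the thread). Constructed stand-ins for the
// query result and for the URL ?type[]=3&type[]=2&type[]=1.
$rows = [
    ['id' => '1', 'CategoryName' => 'Books'],
    ['id' => '2', 'CategoryName' => 'Tools & Hardware'],
    ['id' => '3', 'CategoryName' => 'Toys'],
    ['id' => '4', 'CategoryName' => 'Garden'],
];
$_GET['type'] = ['3', '2', '1'];

// What the original code built: a one-element array holding the string
// "3","2","1", so in_array($row['id'], $broken) can never match a single id.
$broken = ['"' . implode('","', $_GET['type']) . '"'];

/**
 * Normalise the selected ids: accept type[]=3&type[]=2 as well as type=3,
 * drop anything that is not a string of digits, and return ints.
 */
function selectedIds(array $get): array
{
    $raw = $get['type'] ?? [];
    $raw = is_array($raw) ? $raw : [$raw];
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v)) {
            $ids[] = (int) $v;
        }
    }
    return $ids;
}

$selected = selectedIds($_GET);
foreach ($rows as $row) {
    $id = (int) $row['id'];
    // Strict comparison on ints: no loose in_array() surprises, and the
    // search runs directly over the URL values, not over an imploded string.
    $checked = in_array($id, $selected, true) ? ' checked' : '';
    $label = htmlspecialchars($row['CategoryName'], ENT_QUOTES, 'UTF-8');
    echo '<input type="checkbox" name="type[]" value="' . $id . '"'
       . $checked . '> ' . $label . "<br>\n";
}
```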
#3
    Jacques,

    Has anyone ever told you that you have an uncanny resemblance to the wizard (man behind the curtain) from the Wizard of Oz? I felt like this needed to be said.

    I had the GET variable in place before but must have had some other scripting error in place.

    Thanks for the guidance
#4
    Originally Posted by Jacques1
    Hi,

    apart from the fact that you're using the age-old mysql_* functions and have no security whatsoever:
    What do you mean by this? I use mysql_ all the time and never knew I was doing anything wrong. What do you suggest? And why is this method better than MySQL_?
#5
    Originally Posted by stevenatherton4
    I use mysql_ all the time and never knew I was doing anything wrong.
    I've often heard that, and it always surprises me.

    The old MySQL extension was superseded by two modern database extensions in 2004. That's almost a decade ago. In the PHP manual, there's a big red warning on every single mysql_* page telling you that the functions are officially deprecated and will be removed sooner or later.

    Yet a large part of the PHP users seems to live in a kind of bubble, stuck somewhere in the late 90s. I'm not blaming you. I just wonder why this is so common.

    The main problem of the old mysql_* functions is the lack of security features. Composing dynamic query strings from all kinds of input has turned out to be a terrible idea and led to a long history of security vulnerabilities in PHP applications. Many people don't even know that they have to escape the input before they can use it in a query. Other programmers do know about escaping, but they do it wrong. And others forget it again and again.

    As a result, modern applications have more or less given up the escaping stuff. Instead, we "now" (since 2004) use prepared statements which are a much more secure way of passing values to queries.

    The old extension will still exist for a while, because the PHP developers are aware that there's a lot of legacy code around. But it's time to move on and (finally) enter the 21st century.
#6
    Originally Posted by Jacques1
    I've often heard that, and it always surprises me.

    The old MySQL extension was superseded by two modern database extensions in 2004. That's almost a decade ago. In the PHP manual, there's a big red warning on every single mysql_* page telling you that the functions are officially deprecated and will be removed sooner or later.

    Yet a large part of the PHP users seems to live in a kind of bubble, stuck somewhere in the late 90s. I'm not blaming you. I just wonder why this is so common.

    The main problem of the old mysql_* functions is the lack of security features. Composing dynamic query strings from all kinds of input has turned out to be a terrible idea and led to a long history of security vulnerabilities in PHP applications. Many people don't even know that they have to escape the input before they can use it in a query. Other programmers do know about escaping, but they do it wrong. And others forget it again and again.

    As a result, modern applications have more or less given up the escaping stuff. Instead, we "now" (since 2004) use prepared statements which are a much more secure way of passing values to queries.

    The old extension will still exist for a while, because the PHP developers are aware that there's a lot of legacy code around. But it's time to move on and (finally) enter the 21st century.
    Thanks for the reply.

    I think the reason I still use it, or used to use it, is down to old PHP tutorials and a lack of a need to use the PHP manual for mysql_* functions.

    Anyway, I've done a little reading and it seems mysqli_* seems to be the way forward?

    I'll be changing my code from now on, which probably makes things a little easier, not having to worry so much about escaping variables all the time.

    Cheers
#7
    Please don't quote the whole post. It's right above your reply, so no need to repeat it.

    Originally Posted by stevenatherton4
    Anyway, I've done a little reading and it seems mysqli_* seems to be the way forward?
    That or PDO. See the link I gave you for a comparison.

    Personally, I recommend PDO. It can be used with many different database systems, not just MySQL. And it's more convenient.

    However, PDO has a security pitfall, so make sure you get the configuration right.
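    What the prepared-statement approach from the two replies above looks like with PDO, as an added example that is not code from the thread. The DSN, credentials and the categories(id, CategoryName) table are assumed. The thread does not spell out which PDO setting the warning refers to; the one that matters for the protection the replies describe is PDO::ATTR_EMULATE_PREPARES, which defaults to on for MySQL and makes PDO escape values client-side instead of sending them separately from the SQL, so the example turns it off and fixes the charset in the DSN.

```php
<?php
// Added example (not from the thread). DSN, credentials and the
// categories(id, CategoryName) table are assumed.
function connect(): PDO
{
    // Charset in the DSN so client and server agree on the encoding.
    $dsn = 'mysql:host=localhost;dbname=shop;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        // Real server-side prepares: SQL text and values travel separately.
        PDO::ATTR_EMULATE_PREPARES   => false,
        // Fail loudly instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

/**
 * Fetch the categories whose ids are in $ids, one placeholder per id.
 * An empty list returns no rows without touching the database.
 */
function categoriesByIds(PDO $pdo, array $ids): array
{
    $ids = array_values(array_filter($ids, 'is_int'));
    if ($ids === []) {
        return [];
    }
    // "?,?,?" with exactly as many markers as values; the ids never
    // become part of the SQL string.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, CategoryName FROM categories WHERE id IN ($marks)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll();
}

// Keep only digit strings from ?type[]=3&type[]=2 (or type=3) before use.
$raw = (array) ($_GET['type'] ?? []);
$ids = array_map('intval', array_filter($raw, fn($v) => is_string($v) && ctype_digit($v)));
foreach (categoriesByIds(connect(), $ids) as $row) {
    $label = htmlspecialchars($row['CategoryName'], ENT_QUOTES, 'UTF-8');
    echo '<input type="checkbox" name="type[]" value="' . (int) $row['id']
       . '" checked> ' . $label . "<br>\n";
}
```

    The URL values reach MySQL only as bound integer parameters, so there is nothing left to escape by hand, which is the point the replies make about giving up "the escaping stuff".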