---- Eric Butera <[EMAIL PROTECTED]> wrote:
> On Jan 18, 2008 11:38 AM, Wolf <[EMAIL PROTECTED]> wrote:
> > Steve,
> >
> > This should work as some basic pseudo code. You are running into a number of
> > issues with your usage of the foreach as it sounds like what you really
> > want to do is walk through one array and grab the corresponding value from
> > another.
> >
> > <?php
> > // First check to make sure you are getting both fields
> > if(isset($_POST['name']) && is_array($_POST['name']) &&
> >    isset($_POST['order']) && is_array($_POST['order']))
> > {
> >   // Now assign them to easier to play with variables
> >   $names=$_POST['name'];
> >   $orders=$_POST['order'];
> >   // This tests for the same number of items as names
> >   if (count($names) == count($orders))
> >   {
> >     $i=0;
> >     while($i<count($names))
> >     {
> >       $update_data = "UPDATE sections SET `order` = '$orders[$i]' WHERE name = '$names[$i]'";
> >       $response = mysql_query( $update_data, $cnx );
> >       if(mysql_error()) die ('database error<br>'.mysql_error());
> >       // Move on to the next name/order pair
> >       $i++;
> >     }
> >   }
> > }
> > ?>
> >
> > HTH,
> > Wolf
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> >
> >
>
> Hi Wolf,
>
> Your code is missing data validation! Hopefully you don't do stuff
> like that either.
>
> function super_duper_escaper($value, $db) {
>   if (!get_magic_quotes_gpc()) {
>     $value = mysql_real_escape_string($value, $db);
>   }
>   return $value;
> }
>
> $_sql = "UPDATE sections SET `order` = %d WHERE name = '%s'";
> $sql = sprintf(
>   $_sql,
>   (int)$orders[$i],
>   super_duper_escaper($names[$i], $cnx)
> );
>
> What we're doing here is making sure that the order is a number and
> that the name is a string that properly escapes out the quotes to make
> sure people can't break out of the context of data and into commands.
> Look up SQL injection for more information.
>
> Don't rely on magic quotes, etc. as it is a server-specific setting, is
> going away in php6, and does not take character sets into
> consideration. The mysql extension is just as bad as it won't allow
> you to update the character set context from the mysql server default.
> So use mysqli or pdo unless everything matches across the board.
Of course it was missing the data validation, I don't write a whole page/app for anyone just out of the blue. I was expecting Steve to make sure he handled the data validation on his side before implementing the code fully.

As it is, I would have used a function and array_walk to check the validity of each field and assign it to a new array if it was valid, then use the new arrays to actually be pushed into the mysql queries. :)

I also tend to put in a referrer checker to make sure the page is coming from where it should be coming from and, depending on how nice I am, either redirecting back to my page and my form, or heading them off to other fun places (like ratemypoo or something similar) :)

Wolf

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
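Putting the two replies together, as an added example that is not code from either poster: Wolf's idea of validating each field into a new array before anything touches the database, and Eric's advice to use PDO (or mysqli) with a declared character set rather than mysql_real_escape_string and magic quotes. It assumes PHP 7 or later with the PDO MySQL driver, the table and columns from the thread (`sections`, `name`, `order`), and a placeholder DSN, user and password that you would replace with your own.

```php
<?php
// Added example, not from the thread. Validates the parallel
// $_POST['name'] / $_POST['order'] arrays into a clean list of pairs,
// then applies them with a bound-parameter UPDATE so user data never
// becomes part of the SQL text.

/**
 * Pair $_POST['name'][$i] with $_POST['order'][$i] and keep only the pairs
 * whose name is a short printable string and whose order is a run of digits.
 * Anything that fails is dropped rather than "fixed" by a cast.
 *
 * @return array<int, array{name: string, order: int}>
 */
function collect_valid_pairs(array $post): array
{
    if (!isset($post['name'], $post['order'])
        || !is_array($post['name']) || !is_array($post['order'])
        || count($post['name']) !== count($post['order'])) {
        return [];
    }

    $valid = [];
    foreach ($post['name'] as $i => $name) {
        if (!array_key_exists($i, $post['order'])) {
            continue;
        }
        $order = $post['order'][$i];

        // Name: 1..64 characters from an explicit allow-list.
        // (Tighten or widen the character class to match your real section names.)
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $name)) {
            continue;
        }
        // Order: digits only. A bare (int) cast would turn "12abc" into 12
        // and "abc" into 0, silently accepting junk; the regex rejects it instead.
        if (!is_string($order) || !preg_match('/^\d{1,6}$/', $order)) {
            continue;
        }
        $valid[] = ['name' => $name, 'order' => (int) $order];
    }
    return $valid;
}

/**
 * Apply the validated pairs in one transaction. Returns the number of
 * rows MySQL reports as affected.
 */
function update_section_orders(PDO $db, array $pairs): int
{
    // The SQL text is fixed; :order and :name are sent separately as
    // parameters, so a quote in a name cannot close the string literal
    // the way it could in "WHERE name = '$names[$i]'".
    $stmt = $db->prepare('UPDATE sections SET `order` = :order WHERE name = :name');
    $rows = 0;

    $db->beginTransaction();
    try {
        foreach ($pairs as $p) {
            $stmt->bindValue(':order', $p['order'], PDO::PARAM_INT);
            $stmt->bindValue(':name', $p['name'], PDO::PARAM_STR);
            $stmt->execute();
            $rows += $stmt->rowCount();
        }
        $db->commit();
    } catch (PDOException $e) {
        $db->rollBack();   // leave the table as it was if any single update fails
        throw $e;
    }
    return $rows;
}

// charset= in the DSN is what makes binding (and any escaping the driver
// does) character-set aware, which is the gap Eric points out in the old
// mysql extension. Host, database, user and password are placeholders.
$db = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'user',
    'password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
    ]
);

$pairs = collect_valid_pairs($_POST);
if ($pairs === []) {
    http_response_code(400);
    exit("no valid name/order pairs submitted\n");
}
$updated = update_section_orders($db, $pairs);
echo "updated {$updated} row(s)\n";
```

If you are on mysqli rather than PDO, the equivalent pieces are `$mysqli->set_charset('utf8mb4')` after connecting and `bind_param('is', $order, $name)` on the prepared statement; the validation function stays the same. Note that `rowCount()` on a MySQL UPDATE counts rows whose values actually changed, so re-submitting the same order numbers reports 0 even though every statement succeeded.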