FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » combobox
Show: Today's Messages :: Polls :: Message Navigator
Return to the default flat view Create a new topic Submit Reply
Re: combobox [message #177320 is a reply to message #177316] Fri, 09 March 2012 10:06 Go to previous message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma:
Senior Member
On 3/8/2012 3:21 PM, ecu_jon wrote:
> i got it to work. thanks for forcing me to look again at what was
> getting POST 'ed on page5. once i saw the values were not exactly what
> i though, i could figure it out. i made the drop-down part of the box
> a new variable, and added an option for creating a new(using the
> textbox). then on page5 did a if drop-down != first option, set
> variable to Client. Just below
> if(isset($_POST['Client'])) $Client = $_POST['Client']; so it would
> overwrite the Client variable.
> did some testing, if i choose something else in drop-down nothing in
> textbox, it does as expected.
> if i choose first value and write in text box it adds new, as
> expected.
> and if you do both pick from drop-down (not first value) and write in
> text it chooses the drop-down value to write to db.
>
> now if we could just get a real combo-box option somehow ...

Please reread Jerry's warning.
You said nothing about avoiding SQL-injection.
If the code stays the same, you have just opened a security hole.

SQL-injection primer:

======== WRONG ===========
$firstname = $_POST["firstname"];
$favcolor = $_POST["favcolor"];
$SQL = "INSERT INTO tblprefs (firstname,color) VALUES ";
$SQL .= "('"& $firstname &"','"& $favcolor &"');";
some_db_execute ($SQL);

No, if $_POST["firstname"] contains something nice like "Joe" (without
the ") and $favcolor contains "blue" you'll get the following SQL:

INSERT INTO tblprefs (firstname,color) VALUES ('Joe','blue');

Which is fine. So if you test with Joe and blue you won't notice any
problems.
Now to SQL injection:

Suppose a funny guy posts the following:
$_POST["firstname"] contains: Joe
and
$_POST["favcolor"] contains:
ha!'); DELETE FROM tblprefs; INSERT INTO tblprefs (firstname,color)
VALUES ('Hacked by','whitehat

Now you SQL becomes:
INSERT INTO tblprefs (firstname,color) VALUES ('Joe','ha!');
DELETE FROM tblprefs;
INSERT INTO tblprefs (firstname,color) VALUES ('Hacked by','whitehat');

You don't want that SQL to execute, do you?
And all

Solution: ESCAPE YOUR STRINGS!
All databases offer functions for this.

Regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
[Message index]
 
Read Message
Read Message
Read Message
Read Message
Read Message
Read Message
Previous Topic: which command to use
Next Topic: Parse error: syntax error, unexpected T_VARIABLE
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Thu Nov 28 18:52:30 GMT 2024

Total time taken to generate the page: 0.04481 seconds