|
PHP - Should I Escape Values From Radio Input Fields?
Hey Guys. I have a quick question. Should i "prep" input values coming from a radio or checkbox input field? Can an SQL injection occur through those 2 input fields, or is it only text fields?
Similar TutorialsHi I have a form that is to input data from input fields to a table. The form is as follows: $query = $DB->query("SELECT country_code, country_id, IF(country_code = '".$country_code."', '', '') AS sel FROM exp_sme_countries WHERE site_id='".$this->settings['site_id']."' ORDER BY country_name ASC"); foreach ($query->result as $row) { $options .= '<label>' . 'Phrase for ' . $this->settings['countries'][$row['country_code']] . '</label>' . '<br />'; $options .= '<input style="width: 100%; height: 5%;" id="country_data" type="text" name="country_id[]" />' . '<br /><br />'; $options .= '<input type="hidden" name="country_data[' . $row['country_id'] . ']" value="'.$row['country_id'].'" />'; } This outputs: Code: [Select] <input style="width: 100%; height: 5%;" id="country_data" type="text" name="country_id[]" /> <input type="hidden" name="country_data[68]" value="68" /> <input style="width: 100%; height: 5%;" id="country_data" type="text" name="country_id[]" /> <input type="hidden" name="country_data[28]" value="28" /> What I need to do, is get the values from the input fields and then match them with the correct hidden field value So if in the first input field, I typed in 'Test data' and the second input, i typed 'This is great' On the POST, I need to find the the value ('Test data') and also the value from the hidden field. So something like: Quote The text you entered is: Test data with hidden value of 68 The text you entered is: This is great with hidden value of 28 I'd rather not use $_GET as this is a form that inserts data into a database. Could someone point my in the right direction or provide an example? Hello, I was wondering if I need to escape all get values. I often use a $_GET variable as in mypage.php?id=variable to selecting records to view etc. I usually convert this to a variable to be used in a WHERE statement. Code: [Select] IF ($_GET['id']){ $id=$_GET['id']; } But what if someone tried to view all records Quote http://www.mypage.com/page.php?id=0';SELECT%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content page data being displayed somehow. Or better yet, if visiting Quote http://www.mypage.com/page.php?id=0';DELETE%20*%20FROM%20CONTENT;'SELECT%20*%20FROM%20CONTENT%20WHERE%20ID='0 resulted in all content being deleted. Is that even possible in the in the context of a MySQL WHERE statement? Seems like the MySQL statement wouldn't be structured correctly and wouldn't work. I use mysqli_real_escape_string" on posted content but should I also escape all GET input? Hi, when i submit the form using the following text... -1 OR 1=1) AND 1=(SELECT IF((IFNULL(ASCII(SUBSTRING((SELECT @@VERSION),1,1)),0)>25),1,2)) that was sent by the hacker in my website i am trying to escape the above and filter it ... am using the mysql_Real_escape_string and trim function.. but nothing escaped... can u give me a suggestion , pls help me Hey guys,
Thank you in advance... here is my situation, I have a form with three (3) fields in it, the 'student name' is unlimited textfield with an "add more" button to it and I have two select fields ('number of shirts' and 'trophies') that depend on the number of entries for 'student name'...
I want to create the select fields based on this math, for as many 'student name' entries:
1- i want to have the select form for 'number of shirts' to be 0 up to that number... so if there are 6 'student name' entries, the select options will be 0,1,3,4,5,6,7
2- I want to have the select form for 'trophies' to be 5 'student name' entries to 1 'trophies', for example if there are 6 'student name' entries, the select options will be 0,1... if there are 13 entries, options will be 0,1,2... So if there are less than 5 'student name' entries, the select field will not show (hidden)
of course if there are no 'student name' entries, these two fields won't show up (hidden)
let me know if that make sense and ANY help or directions will be GREATLY APPRECIATED.
Thanks guys!
Dear All Members here is my table data.. (4 Columns/1row in mysql table)
id order_no order_date miles How to split(miles) single column into (state, miles) two columns and output like following 5 columns /4rows in mysql using php code.
(5 Columns in mysql table) id order_no order_date state miles 310 001 02-15-2020 MI 108.53 310 001 02-15-2020 Oh 194.57 310 001 02-15-2020 PA 182.22
310 001 02-15-2020 WA 238.57 ------------------my php code -----------
<?php
if(isset($_POST["add"]))
$miles = explode("\r\n", $_POST["miles"]);
$query = $dbh->prepare($sql);
$lastInsertId = $dbh->lastInsertId(); if($query->execute()) {
$sql = "update tis_invoice set flag='1' where order_no=:order_no"; $query->execute();
} ----------------- my form code ------------------
<?php -- Can any one help how to correct my code..present nothing inserted on table
Thank You Edited February 8, 2020 by karthicbabuI have a calendar select date function for my form that returns the date in the calendar format for USA: 02/16/2012. I need to have this appear as is for the form and in the db for the 'record_date' column, but I need to format this date in mysql DATE format (2012-02-16) and submit it at the same time with another column name 'new_date' in the database in a hidden input field. Is there a way to do this possibly with a temporary table or something? Any ideas would be welcome. Doug I am echoing out 2 radio input fields in a foreach statement. I would like to have the first option checked in all the radio input fields that gets echoed out.
But for some reason it marks the radio input field "checked" all the way in the bottom. (The last one)
How can I make it so that every input field that gets echoed out will be marked checked?
Below is my code. Thank you for your help
foreach ($menu_cat_options as $menu_cat_option){
<input type="radio" checked="checked" name="display_type" value="radio" >Radio
<br>
<input type="radio" name="display_type" value="checkbox">Check Box
}
I have 2 fields, one for Mother's mobile, the other for Father's mobile. I want to ensure that at least one of the 2 fields contains a number. This is what I have: Code: [Select] <?php if(!isset($_POST['guardian1_mobile']) && !isset($_POST['guardian2_mobile'])) { // no number entered in either field $errors[] = 'You must enter a mobile number in at least one of the Guardian1 or Guardian2 Mobile fields.'; } else { // if Mother mobile if(!is_numeric($_POST['guardian1_mobile']) || strlen(trim($_POST['guardian1_mobile'])) != 7) { // number must be numeric and exactly 7 digits $errors[] = '<strong>Guardian1 mobile</strong>: please enter a 7-digit number without spaces or dashes.'; } else { $_SESSION['guardian1_mobile'] = $_POST['guardian1_mobile']; } // if Father mobile if(!is_numeric($_POST['guardian2_mobile']) || strlen($_POST['guardian2_mobile']) != 7) { $errors[] = '<strong>Guardian2 mobile</strong>: please enter a 7-digit number without spaces or dashes.'; } else { $_SESSION['guardian2_mobile'] = $_POST['guardian2_mobile']; } } However, when I leave both fields blank, errors for the 'else' part of the condition are returned ('Please enter a 7-digit number...'). But it should never get as far as the 'else'.... Can anyone tell me what's wrong with my logic in the first line?... Thanks in advance. I have a website with a variable number of inputs in various categories. I want to allow the user to add rows to the table with the input lines in every category. The table looks like this:
<tr><th>Working Capital Changes</th></tr><tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="Increase (decrease) in working capital" size="60"></td>
<td><input type="text" name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
<tr><td><input type="hidden" name="category_code[]" value="WORK"><input type="text" name="description[]" value="" size="60"></td>
<td><input type="text" name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
<tr><th>Depreciation and Amortization</th></tr><tr><td><input type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="Depreciation and Amortization (for taxes)" size="60"></td>
<td><input type="text" name="amount[1][]" value="" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
<tr><td><input type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="" size="60"></td><td><input type="text" name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr>
I tried adding the following near the top of the page:
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<script type="text/javascript">
var count = 0;
$(function(){
alert ('wow');
$('tr#add_field').click(function(){
alert ('whee');
count += 1;
$('#container').append('<table><tr><td><input id="field_' + count + 'type="hidden" name="category_code[]" value="DEPR"><input type="text" name="description[]" value="" size="60"></td><td><input type="text" name="amount[1][]" onblur="this.value = formatNumber2Comma(this.value);" ></td></tr></table>' );
});
});
I get the wow alert on page load and whee when I click the link:
<tr id="add_field"><th><a href="#">Click to add another line</a></th></tr>that I added to the bottom of the table before the </table> but I do not get an additional line I have tried moving the add_field line outside of the table and changing the <tr></tr> to a <p></p> but that does not help. Hello, i need to validate 200 input fields if they are not empty, i have the following code where i'm stuck and i'm missing something any help is appreciated Code: [Select] if($_SERVER['REQUEST_METHOD'] == 'POST') { //print_r($_POST); foreach ($_POST as $value) { if (empty($value)){ echo 'empty'; } else { echo 'notempty'; } } } can someone tell me why this won't work? I just want to key in the amtpaid and have fields inserted. I get no errors but the only field inserted is the datepaid . <html><head> <script> function $_(IDS) { return document.getElementById(IDS); } function calculate_paid() { var amtpaid = parseInt($_("amtpaid").value); var rentdue = parseInt($_("rentdue").value); var prevbal = parseInt($_("prevbal").value); var secdep = parseInt($_("secdep").value); var latechg = parseInt($_("latechg").value); var damage = parseInt($_("damage").value); var courtcost = parseInt($_("courtcost").value); var nsf = parseInt($_("nsf").value); var hudpay = parseInt($_("hudpay").value); var late = ($_("late").value); var paidsum = parseInt($_("paidsum").value); var dateNow = new Date(); var dayNow = dateNow.getDate(); var datePaid = (dateNow.getMonth()+1)+"/"+dateNow.getDate()+"/"+dateNow.getFullYear(); $_('datePaid').value = datePaid; if(dayNow > 5) { late = "L"; prevbal = prevbal + 10; } paidsum = paidsum + amtpaid var tentpay = amtpaid - hudpay; var totOwed = rentdue + prevbal - hudpay; var left = totOwed - amtpaid; if (amtpaid <= totOwed) { prevbal = left; } left = amtpaid - totOwed; if (left <= secdep) { secdep = secdep - left; } left = left - secdep; if (left <= damage) { damage = damage - left; } left = left - damage; if (left <= latechg) { latechg = latechg - left; } left = left - latechg; if (left <= courtcost) { courtcost = courtcost - left; } left = left - courtcost; if (left <= nsf) { nsf = nsf - left; } prevbal = left - nsf; } </script> </head><body> <?php mysql_connect(localhost,root,""); mysql_select_db(test) or die( "Unable to select database"); if(!empty($_POST["submit"])) { $apt = $_POST['apt']; $query="SELECT * FROM testdata Where apt='$apt'"; $result=mysql_query($query); if(mysql_num_rows($result)) { echo "<form action='#' method='post'><b>Rent Payment :<br /><br /> <table cellspacing=0 cellpadding=0 border=1> <tr> <th>Name</th> <th>Apt</th> <th>Paid</th> <th>Due</th> <th>Prev Bal</th> <th>Sec Dep</th> <th>Late Chg</th> <th>Dmg</th> <th>Court Cost</th> <th>NSF</th> <th>Tent Pay</th> <th>Hud Pay</th> <th>Date Paid</th> <th>Late</th> <th>Comments</th> <th>Paidsum</th> </tr>"; while($row = mysql_fetch_assoc($result)) { echo "<tr> <td><input type='text' size=25 name='name' value='" . $row['name'] . "'></td> <td><input type='text' size=2 name='apt' value='" . $row['apt'] . "' ></td> <td><input type='text' size=4 id='amtpaid' name='amtpaid' value='" . $row['amtpaid'] ."' onBlur='calculate_paid(this)'></td> <td><input type='text' size=4 id='rentdue' name='rentdue' value='" . $row['rentdue'] . "'></td> <td><input type='text' size=4 id='prevbal' name='prevbal' value='" . $row['prevbal'] ."'></td> <td><input type='text' size=4 id='secdep' name='secdep' value='" . $row['secdep'] ."'></td> <td><input type='text' size=4 id='latechg' name='latechg' value='" . $row['latechg'] ."'></td> <td><input type='text' size=4 id='damage' name='damage' value='" . $row['damage'] ."'></td> <td><input type='text' size=4 id='courtcost' name='courtcost' value='" . $row['courtcost'] ."'></td> <td><input type='text' size=4 id='nsf' name='nsf' value='" . $row['nsf'] ."'></td> <td><input type='text' size=4 id='tentpay' name='tentpay' value='" . $row['tentpay'] . "'></td> <td><input type='text' size=4 id='hudpay' name='hudpay' value='" . $row['hudpay'] ."'></td> <td><input type='text' size=10 id='datepaid' name='datepaid' value='" . $row['datepaid'] . "'></td> <td><input type='text' size=1 id='late' name='late' value='" . $row['late'] . "'></td> <td><input type='text' size=25 name='comments' value='" . $row['comments'] . "'></td> <td><input type='text' size=4 id='paidsum' name='paidsum' value='" . $row['paidsum'] . "'></td> </tr>"; } echo "</table> <input type='submit' name='update' value='Make Payment' /> </form>"; } else{echo "No listing for apartment $apt.<br />Please select another.<br />";} } if(!empty($_POST["update"])) { $sql = "UPDATE testdata SET name = '" . mysql_real_escape_string($_POST['name']) . "', amtpaid = '" . mysql_real_escape_string($_POST['amtpaid']) . "', rentdue = '" . mysql_real_escape_string($_POST['rentdue']) . "', prevbal = '" . mysql_real_escape_string($_POST['prevbal']) . "', secdep = '" . mysql_real_escape_string($_POST['secdep']) . "', latechg = '" . mysql_real_escape_string($_POST['latechg']) . "', nsf = '" . mysql_real_escape_string($_POST['nsf']) . "', damage = '" . mysql_real_escape_string($_POST['damage']) . "', courtcost = '" . mysql_real_escape_string($_POST['costcost']) . "', tentpay = '" . mysql_real_escape_string($_POST['tentpay']) . "', hudpay = '" . mysql_real_escape_string($_POST['hudpay']) . "', datepaid = '" . mysql_real_escape_string($_POST['datepaid']) . "', late = '" . mysql_real_escape_string($_POST['late']) . "', comments = '" . mysql_real_escape_string($_POST['comments']) . "', paidsum = '" . mysql_real_escape_string($_POST['paidsum']) . "' WHERE apt='".$_POST["apt"]."'"; mysql_query($sql) or die("Update query failed."); echo "Record for apartment ".$_POST["apt"]." has been updated"; } ?><form method="post" action="#"> <br /> <input type="text" name="apt"/> <p> <input type="submit" name="submit" value="select apartment"/> </form> </body></html> I have an email form that is sending to an email address. There are five fields where the person sending can input their Name, Address, City, State, and Zip. Everything is working, except I want the input from these fields to be the the headers in the PHP email. For instance it submits and send the letter, but I want the senders Name, Address, City, State, and Zip to be posted after the "Sincerely" in the letter sent. Here is what the input boxes of the form looks like: Code: [Select] <p>Sincerely,<br /> <label for="from">Name:</label> <input type="text" name="from" id="name" value="<?php echo $_POST['from'];?>"/><br /> <label for="street">Street:</label> <input type="text" name="street" id="street" value="<?php echo $_POST['street'];?>"/><br /> <label for="city">City:</label> <input type="text" name="city" id="city" value="<?php echo $_POST['city'];?>"/><br /> <label for="zip">Zip:</label> <input type="text" name="zip" id="zip" value="<?php echo $_POST['zip'];?>"/><br /> <label for="email">E-mail:</label> <input type="text" name="email" id="email" value="<?php echo $_POST['email'];?>"/></p> <input type="submit" class="button" value="Submit" /> How do I go about posting the PHP headers in the email upon submission? Hello people, thank you to everyone that has helped me on this forum. You have been terrific. I am submitting a form to a database and am having a small problem with the validation scripts. Basically if the user doesn't put something into one of the fields they get an error message. However, I am keeping the information already submitted in the input box with the following code Code: [Select] <input type='text' name='username' size = '40' maxlength='30' value = '<?php echo $username; ?>'> This is so that the user doesn't have to input the same data again if he forgot one box. How do I do the same for "drop down" boxes? Here is the code from the form for the "ppr" (aviation terms 'Prior Permission Required') Code: [Select] <select name = "ppr"> <option value = "Yes">Yes </option> <option value="No">No </option> </select> The problem I have is that there are quite a number of these drop down boxes on the form I have created. And it always goes back to the first "option value" when there is an error. I do have a variable for $ppr, please could someone tell me how to incorporate it so that the user doesn't have to select the correct option value all over again. Hope my explanation is clear. Thanks in advance. I have a form that contains radio buttons and when it is submitted the content of the form are added to a database. I was wondering how you get the values of radio boxes when submitting the form. I have the following radio buttons and when submitting I use "$_POST['article_type']" but this doesn't seem to work. Thanks for any help. <label>PDF Article</label><input name="article_type" value="pdf" type="radio" /> <label>Video Webcast</label><input name="article_type" value="webcast" type="radio" /> <label>Podcast</label><input name="article_type" value="podcast" type="radio" /> Hi all, I'm working on this site which I'll soon ask the guys in the testing forum to have a peek at. It's essentially an online community that was a uni project that has spiraled and grown exponetially. I've spent many many hours in front of books and tutorals etc to put it together and as far as scripting goes, it seems to be fine. The problem i'm having...The tut's that I read / watched were using eregi_replace to protect text fields and this is now unsuported. I want my site to be as secure as it can be, within reason. I've tried using preg_replace instead and have searched for the syntax but i keep getting strang results. I'm working on the "bio" field at the moment and then when that works I can move on and a-ply the same idea to the other fields. This si what I have and what I've changed. if ($_POST['parse_var'] == "bio"){ $bio_body = $_POST['bio_body']; //$bio_body = str_replace("'", "'", $bio_body); (WAS TESTING THIS BUT NO JOY) //$bio_body = str_replace("`", "'", $bio_body); $bio_body = mysql_real_escape_string($bio_body); $bio_body = nl2br(htmlspecialchars($bio_body)); $bio = $_POST['bio']; $bio = eregi_replace("'", "'", $bio); (This works but is not as secure) $bio = eregi_replace("`", "'", $bio); $bio = mysql_real_escape_string($bio); $bio = nl2br(htmlspecialchars($_POST['bio'])); $sqlUpdate = mysql_query("UPDATE members SET bio='$bio' WHERE id='$id'"); and so on....} When I change it to str_replace if I type in don't the whole word is deleted. when I type in preg I get an error. Can someone please give me the correct code / syntax for getting the result I want. I just want to make sure that every single field that has a user input is protected against any malicious attacks. Thanks. i have an rsvp page where the table is populated by guests according to event selected in the drop down list. the rsvp table has 2 columns: guest names and status. status(radio button) is divided into 3: unconfirmed(default status), attending and not attending. user has to choose either one. but i am having trouble saving the status. tia for any help!
this is the saving code:
<?php
if(isset($_SESSION['sess_user_id']))
{
if(isset($_POST['save-rsvp']))
{
require "connection.php";
$name = $_POST['name'];
$radio = $_POST['rsvp'];
$session = $_SESSION['sess_user_id'];
$rsvp = $dbh->prepare("UPDATE guest SET status = ? WHERE guser_id = ? AND guest_name = ?");
$rad = implode("','", $radio);
for($i = 0; $i < count($_POST['name']); $i++)
{
if(trim($_POST['name'][$i]) !== '')// validate this form
{
$rsvp->bindParam(1, $rad, PDO::PARAM_INT);
$rsvp->bindParam(2, $session, PDO::PARAM_INT);
$rsvp->bindParam(3, $name[$i], PDO::PARAM_STR);
$rsvp->execute();
}
}
}
}
?>
which when save doesn't save according to status selected. for example
5 names: noreen, pete, marzuki, nora, mishal
noreen unconfirmed
pete attending
marzuki attending
nora attending
mishal not attending
micah not attending
when saved, all is saved as unconfirmed.
noreen not attending
pete attending
marzuki not attending
nora attending
mishal not attending
micah attending
when saved, all is saved as not attending.
noreen attending
pete not attending
marzuki attending
nora not attending
mishal attending
micah not attending
when saved, all is saved as attending.
it seems to save according to first choice.
I am having some difficulty with accessing radio button values with PHP code. Please see the attached file
Attached Files
x.txt 530bytes
11 downloads I would like to split the field specific location on a page into two fields. ( This is how it looks now: http://qwikad.com/?view=post&cityid=269&lang=en&catid=3&subcatid=27&shortcutregion= ) I want keep the same MySQL table for that field but make it possible for visitors to enter 2 separate texts. This is how the code looks right now: <input name="area" type="text" size="40" class="input" maxlength="50" value="<?php echo $data['area']; ?>"> I am not strong in PHP programming at all, so I tried to copy and paste that field twice, but it only posts one entry out of the two. Can this be done? |
|||||||