Re: PHP form Creates Blank DB entries - Mailing list pgsql-php
| From | Jeff |
|---|---|
| Subject | Re: PHP form Creates Blank DB entries |
| Date | |
| Msg-id | 20030630222259.GI1614@zoidtechnologies.com |
| In response to | Re: PHP form Creates Blank DB entries (Frank Bax <fbax@sympatico.ca>) |
| Responses | Re: PHP form Creates Blank DB entries |
| List | pgsql-php |
On Mon, Jun 30, 2003 at 01:23:17PM -0400, Frank Bax wrote:
[..snipped..]
> $name = $_POST[name];
> $address = $_POST[address];
> $tel = $_POST[tel];
> $email = $_POST[email];
[..snipped..]

this will work OK, but is considered a bad idea, and php will throw a warning (as it should) that you are accessing a key in an associative array without properly quoting things. if you want to do it "properly", try this instead:

```php
$name = $_POST["name"];
$address = $_POST["address"];
$tel = $_POST["tel"];
$email = $_POST["email"];
```

the above will execute without warnings or errors.

also, I would suggest running each of the variables through a function that strips out html tags (since you don't really care about allowing them in this case, right?).. you can do that with strip_tags.. see http://php.net/strip_tags

there are some other things you should do with user input too, to protect your code and database from vulnerabilities. in eros, I implemented something called preparestring(), which, in addition to strip_tags, makes a call to htmlentities() and a couple other things, just to be *really* *extra* safe about things, and avoid bugs or problems down the road when someone does something rude with your form :)

to simplify things, you might want to look into a good templating package.. I prefer smarty: http://smarty.php.net/ but there are other solutions that do similar things. this allows you to simplify the php code quite a bit, and it is quite a bit easier to teach someone that knows HTML how to deal with a 'template system' vs explaining how to use 'print' or 'echo' statements to modify things. :)

also, I found it handy to put all the functions that deal with a particular table into one php module, and then make calls into it via a GET request. for example: member.php might contain:

-- begin member.php --
```php
<?php
// Smarty's class file has to be loaded before "new Smarty" will work.
require_once("Smarty.class.php");

class member {
    function edit() {
        // I've snipped out the variable assignments from above.. you need to
        // make sure you assign something to $name and $address before trying to
        // use the template.
        $name = "";    // placeholder so the snippet runs; load the real value here
        $address = ""; // placeholder so the snippet runs; load the real value here
        $s = new Smarty;
        $s->assign("submitmode", "update");
        $s->assign("name", $name);
        $s->assign("address", $address);
        $s->display("member.tmpl");
    }

    function main() {
        // default to "" so a request without a mode does not raise a notice
        $mode = isset($_REQUEST["mode"]) ? $_REQUEST["mode"] : "";
        // $mode = preparestring($mode);
        switch ($mode) {
            case "edit":
                $this->edit();
                break;
            default:
                // escape the mode before echoing it back, since it came from the request
                print "unknown mode " . htmlspecialchars($mode, ENT_QUOTES);
                break;
        }
    }
}

$m = new member;
$m->main();
```
-- end member.php --

then, you make a 'member.tmpl' in the templates directory (see instructions for smarty) that looks something like this:

-- begin member.tmpl --
```html
<form method="POST" action="member.php">
  <input type="hidden" name="mode" value="{$submitmode}">
  <input type="text" name="name" value="{$name}">
</form>
```
-- end member.tmpl --

of course I have left out the submit button and some other fields for simplicity, but you get the idea. note the use of the 'hidden' field called 'mode', which will be processed by the main() method in the member class instance.

what will happen in my example is that when the user clicks 'submit', $mode will be equal to 'update', which you can detect by using a 'case' statement. that means you can have as many 'mode's as you want, and you will find that you use certain ones over and over and over again, so you can just cut and paste and then adjust to the specific needs of the table in question. for example, I usually have 'add', 'insert', 'edit' and 'update' modes and they all use the same template, just different values for 'submitmode'.. in the specific case of 'add', you don't fill in values for anything except submitmode, and leave the rest blank.

from the template, you can access any variable that has been 'assigned' to the template object instance with assign(), and you quote things with curly braces just like php suggests you do, which makes it really clear what is going on without a lot of confusion. once you understand the technique, it is simplicity itself.

when you want to have a link to 'add member' (aka "new user"), you do something like:

http://localhost/member.php?mode=add

if you want to present the edit form, use:

http://localhost/member.php?mode=edit

note that 'update' and 'insert' are not normally given to the user as choices, because they are used internally.. however, if you *want* to automate a form submission (via a cronjob or whatever) you can do so quite easily.. you just need to write something that will POST a form and as long as you fill everything in (and especially mode), you can do it without fuss, in any language you choose.

regards,
J

--
|| Jeff - http://zoidtechnologies.com/
|| GNUPG Fingerprint: A607 0F19 7C75 1305 67E4 BDFF 26BD 606E 3517 2A42
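The following is an added example, not code from Jeff's post or from his eros project. It puts together the two points the reply makes, cleaning each form field (a `preparestring()` written here as a hypothetical stand-in for the function he describes: `strip_tags` followed by `htmlentities`) and dispatching on a whitelisted `mode`, and adds the check the thread subject calls for: required fields are verified after cleaning, so a submission with nothing in it is rejected instead of producing a blank row. The insert uses `pg_query_params` (PHP 5.1 and later, so newer than the 2003 post) so values never become part of the SQL text. The connection string, table and column names are assumptions.

```php
<?php
// Added example, not code from the original post. preparestring() is a
// hypothetical stand-in for the function described there; the connection
// string and the "member" table are assumptions.

// Strip tags, then HTML-encode what is left, as the post describes.
// trim() is added so whitespace-only input counts as empty.
function preparestring($value) {
    if (!is_string($value)) {
        return "";
    }
    return htmlentities(trim(strip_tags($value)), ENT_QUOTES, "UTF-8");
}

// Read the expected fields by quoted key; a missing field yields "" rather
// than an "undefined index" notice. Unexpected fields are ignored.
function readform(array $post, array $fields) {
    $clean = array();
    foreach ($fields as $f) {
        $clean[$f] = preparestring(isset($post[$f]) ? $post[$f] : "");
    }
    return $clean;
}

// Names of required fields that are empty after cleaning. An empty result
// means the submission may be stored; otherwise redisplay the form instead
// of writing a blank row.
function missingfields(array $clean, array $required) {
    $missing = array();
    foreach ($required as $f) {
        if ($clean[$f] === "") {
            $missing[] = $f;
        }
    }
    return $missing;
}

// Parameterised insert: placeholders $1..$4 are bound by the driver, so the
// cleaned values are data, never SQL. Table and columns are assumed.
function insertmember($db, array $clean) {
    $sql = 'INSERT INTO member (name, address, tel, email) VALUES ($1, $2, $3, $4)';
    $params = array($clean["name"], $clean["address"], $clean["tel"], $clean["email"]);
    return pg_query_params($db, $sql, $params) !== false;
}

// Dispatch on a whitelisted mode, as member.php in the post does; an unknown
// mode is reported with the value HTML-escaped rather than echoed raw.
function main() {
    $fields   = array("name", "address", "tel", "email");
    $required = array("name", "email");
    $mode = isset($_REQUEST["mode"]) ? $_REQUEST["mode"] : "";

    switch ($mode) {
        case "insert":
            $clean   = readform($_POST, $fields);
            $missing = missingfields($clean, $required);
            if (count($missing) > 0) {
                print "missing required field(s): " . implode(", ", $missing);
                break;
            }
            $db = pg_connect("dbname=example_db"); // assumed connection string
            if ($db === false || !insertmember($db, $clean)) {
                print "insert failed";
                break;
            }
            print "member added";
            break;
        default:
            print "unknown mode " . htmlspecialchars($mode, ENT_QUOTES, "UTF-8");
            break;
    }
}

main();
```

The three pieces do different jobs: `missingfields()` is what stops the blank entries the thread is about, `pg_query_params` is what protects the database from whatever is typed into the form, and `preparestring()` follows the post in encoding at storage time; if the same data is later shown on a page, escaping it at output time (as the `default` branch does) is the part that must never be skipped.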