5 Replies - 3293 Views - Last Post: 06 February 2012 - 12:55 AM

#1 PixelBit

Php isn't getting the value of an html select box...

Posted 05 February 2012 - 03:38 AM

First I'd like to say to ignore the password method in this code, it's temporary :P

Ok so I have this form + php code which posts what you enter into a database, all the fields work except the select box where you select update/event/article/donate. The select box that you select 1 2 or 3 works fine, it's just this one select box, I really don't understand.

Anyhow to test out what I mean go here http://relent.dyndns....php?page=admin on the page you are sent to on submit it will say Entry successful and then say update/event/article/donate (or it should) and then 1 2 or 3. This is so you can quickly tell if it submitted to the right place. You can see that the 1/2/3 changes but not the update/event/article/donate. The password is 1234.

Here is my code:
admin.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
	<meta http-equiv="content-type" content="text/html; charset=iso-8859-1" />
	<meta name="author" content="Jamal Antonio" />

	<title>Administration Panel</title>
    <link href="admin.css" rel="stylesheet" type="text/css" media="screen" />
</head>
<body>
<div class="container">
    <div id="content">
    Note: Updates and Events require all fields to be filled in, Articles require all but area and donate only needs content. Always fill in password.
        <form action="admin.php" method="post">
            <div id="top">
                Title: <input name="title" type="text" />
                Author Name: <input name="author" type="text" />
            </div>

            <textarea rows="20" cols="126" name="content">Content, you can use html and even embedded css and javascript!</textarea>
            <div id="bottom">
                <select name="secttype">
                    <option value="updates">updates</option>
                    <option value="events">events</option>
                    <option value="articles">articles</option>
                    <option value="donate">donate</option>
                </select>
                <select name="area">
                    <option value="1">1</option>
                    <option value="2">2</option>
                    <option value="3">3</option>
                </select>
                    Admin password: <input type="password" name="password" />
                <input type="submit" />
            </div>
        </form>
    </div>
</div>
</body>
</html>


admin.php:
<?php

/**
 * @author Jamal Antonio
 * @copyright 2012
 */
 
    ini_set('display_errors', 1);
    ini_set('log_errors', 1);
    ini_set('error_log', dirname(__FILE__) . '/error_log.txt');
    error_reporting(E_ALL);
    include "config.php";

    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];
    
    date_default_timezone_set('GMT');
    $date = date('Y/d/m');

    mysql_connect($conf['service'], $conf['username'], $conf['password']);
    @mysql_select_db($conf['database']) or die( "Error connecting to database!");

    $query = "SELECT * FROM admin where id = '1'";
    $result = mysql_query($query) or trigger_error("SQL", E_USER_ERROR);
    $cpass = mysql_result($result, 0, "password"); 
    
    if ($password == $cpass) {

        if ($secttype = "updates"){
            $query = "INSERT INTO updates VALUES (null, '$title', '$date', '$content', '$author', '$area')";
        }
        else if ($secttype = "events"){
            $query = "INSERT INTO events VALUES (null, '$title', '$date', '$content', '$author', '$area')";
        }
        else if ($secttype = "articles"){
            $query = "INSERT INTO articles VALUES (null, '$title', '$date', '$content', '$author')";
        }
        else if ($secttype = "donate"){
            $query = "INSERT INTO donate VALUES (null, '$content')";
        }

        $result= mysql_query($query);

        If ($result){
        echo "Entry successful $secttype $area";
        }
        else {
            echo"Didn't work!";
        }   
    }
    else {
        echo "Incorrect password";
    }
?>




Replies To: Php isn't getting the value of an html select box...

#2 e_i_pi

Re: Php isn't getting the value of an html select box...

Posted 05 February 2012 - 04:11 AM

All of your comparators are messed up. For example, you're doing this:
if ($secttype = "updates"){


...when you should be doing this...
if ($secttype == "updates"){


I can spot four instances where you have this mistake, lines 33, 36, 39, 42.

#3 PixelBit

Re: Php isn't getting the value of an html select box...

Posted 05 February 2012 - 04:13 AM

e_i_pi, on 05 February 2012 - 04:11 AM, said:

All of your comparators are messed up. For example, you're doing this:
if ($secttype = "updates"){


...when you should be doing this...
if ($secttype == "updates"){


I can spot four instances where you have this mistake, lines 33, 36, 39, 42.



Crap, thanks I'll try that now, this is what happens when I'm forced to code in VB.NET at college :/

EDIT: Worked, thanks.

This post has been edited by PixelBit: 05 February 2012 - 04:14 AM


#4 CTphpnwb

Re: Php isn't getting the value of an html select box...

Posted 05 February 2012 - 10:23 AM

This is just plain wrong:
    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];


First, it's a waste of time. All it does is copy data from one variable to another. There's no good reason to do that, especially considering that it sets you up for your worst mistake: putting user supplied data directly into a query. That's just begging to have your site hacked.

Learn to use prepared statements.
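One way to apply the advice above (an added example, not code from any poster in this thread): the section type is looked up in a fixed allow-list instead of an if/else chain, which also removes the `=`/`==` mistake from post #2, and every form value is bound through a PDO prepared statement. The column names, the in-memory SQLite database and the sample request are assumptions made for the example.

```php
<?php
// Added example: not the poster's code. Column names are assumed from the
// INSERT statements in the thread; an in-memory SQLite database stands in
// for MySQL so the script runs offline (requires the pdo_sqlite extension).

// Allow-list: section type => columns the form supplies for that table.
// Table and column names cannot be bound as parameters, so they may only
// come from this fixed map, never from the request itself.
const SECTIONS = [
    'updates'  => ['title', 'date', 'content', 'author', 'area'],
    'events'   => ['title', 'date', 'content', 'author', 'area'],
    'articles' => ['title', 'date', 'content', 'author'],
    'donate'   => ['content'],
];

function insertEntry(PDO $db, array $post): bool
{
    $type = $post['secttype'] ?? '';
    if (!is_string($type) || !array_key_exists($type, SECTIONS)) {
        return false;                    // unknown section: reject, no query is built
    }
    $cols = SECTIONS[$type];
    $post['date'] = gmdate('Y-m-d');     // server-side value, not user input
    $sql = sprintf(
        'INSERT INTO %s (%s) VALUES (%s)',
        $type,                           // safe: it is a key of SECTIONS
        implode(', ', $cols),
        implode(', ', array_map(fn($c) => ":$c", $cols))
    );
    $stmt = $db->prepare($sql);
    foreach ($cols as $c) {
        $stmt->bindValue(":$c", (string)($post[$c] ?? ''));  // data only, never SQL
    }
    return $stmt->execute();
}

// Constructed demo data: the schema and the request are made up for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
foreach (SECTIONS as $table => $cols) {
    $db->exec("CREATE TABLE $table (id INTEGER PRIMARY KEY, " . implode(' TEXT, ', $cols) . ' TEXT)');
}
$post = ['secttype' => 'events', 'title' => "Server's birthday", 'author' => 'admin',
         'content' => "It's <b>on</b> Friday", 'area' => '2'];
var_dump(insertEntry($db, $post));                            // apostrophes stored as plain text
var_dump(insertEntry($db, ['secttype' => 'admin'] + $post));  // not in the allow-list: rejected
echo $db->query('SELECT COUNT(*) FROM events')->fetchColumn(), " row(s) in events\n";
```

The apostrophes in the sample title and content would terminate the quoted string in the concatenated queries from post #1; bound as parameters they are stored unchanged.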

#5 PixelBit

Re: Php isn't getting the value of an html select box...

Posted 05 February 2012 - 11:19 PM

CTphpnwb, on 05 February 2012 - 10:23 AM, said:

This is just plain wrong:
    $title = $_POST['title'];
    $author = $_POST['author'];
    $content = $_POST['content'];
    $area = $_POST['area'];
    $password = $_POST['password'];
    $secttype = $_POST['secttype'];


First, it's a waste of time. All it does is copy data from one variable to another. There's no good reason to do that, especially considering that it sets you up for your worst mistake: putting user supplied data directly into a query. That's just begging to have your site hacked.

Learn to use prepared statements.


I know how to use prepared statements, I did this because a.) I prefer typing $author than $_POST['author'] and b.) The website is in no need of protection because it's just a small community that uses it, if anyone decides to inject and post something on the website it's no problem anyway and I doubt anyone will do it anyway, it's just a website for a small Minecraft server.

This post has been edited by PixelBit: 05 February 2012 - 11:20 PM


#6 Dormilich

Re: Php isn't getting the value of an html select box...

Posted 06 February 2012 - 12:55 AM

PixelBit, on 06 February 2012 - 07:19 AM, said:

I know how to use prepared statements, I did this because a.) I prefer typing $author than $_POST['author']

being lazy doesn't make it right.


PixelBit, on 06 February 2012 - 07:19 AM, said:

The website is in no need of protection because it's just a small community that uses it, if anyone decides to inject and post something on the website it's no problem anyway and I doubt anyone will do it anyway

so it is ok for a hacker to delete all your files (including the DB)? and even if you doubt someone will do that, once someone does, you have a problem. (there are a couple of "my site has been hacked" threads here and I doubt the users had large scale websites)