some help with sending data through form

Started by paziowiec, June 30, 2008, 07:01:38 AM


paziowiec

haiz :)
I wrote a little subsite with a form, form uses $_PHPSELF so after the form is submitted I come back to same site and insert the data from form to mysql table though I figured that the php script triggers even without hitting 'submit' button. How can I control it so after I get values submitted once and successfully, when I refresh site I would not get to submit same values or a clear form?
And there's one more thing, is it possible that if let's say I have my table with rows with ID from 1 to 7 and I delete 4th row that all the rows automatically change ID numbers so there is no gap and I end up with rows 1-6 (where our current 4th row with ID 4 is an old 5th row etc)?
This is the lolscript:
<?php
require("forum/SSI.php");
mysql_select_db('mypreciousdatabase');

// finding maximum value on ID
$query = "SELECT MAX(ID) FROM Craft";
$result = mysql_query($query) or die(mysql_error());
while ($row = mysql_fetch_array($result)) {
    $max = $row['MAX(ID)'];
}

// inserting data from form
mysql_query("INSERT INTO Craft (Nick, Item, Fail) VALUES('$_POST[komu]', '$_POST[co]', '$_POST[wyszlo]' ) ") or die(mysql_error());

// form
echo "
<table border='1'>
<tr> <th>Komu?</th> <th>Co?</th> <th>Wyszedl?</th> <th></th></tr>
<form name=\"input\" action='$_PHPSELF' method=\"post\">
<tr><td align=\"center\">
<input type=\"text\" name=\"komu\">
</td><td align=\"center\">
<input type=\"text\" name=\"co\">
</td><td align=\"center\">
<input type=\"checkbox\" name=\"wyszlo\" value=\"wyszlo\">
</td><td align=\"center\">
<input type=\"submit\" value=\"Dodaj\">
</form>
</table>
";
?>


Hope somebody could help :)
Cheers

edit:
Or if I cannot do this trick with row numbers etc, how could I display last, let's say, 25 records from a table (if there is less than 25 then as much as possible)?

青山 素子

Quote from: paziowiec - June 30, 2008, 07:01:38 AM
Or if I cannot do this trick with row numbers etc, how could I display last, let's say, 25 records from a table (if there is less than 25 then as much as possible)?

It would be quite a bit of work to renumber things like you want, especially if the column is auto_increment. You can use the limit command to pull a certain number of records. The syntax you probably want is something like:


ORDER BY id DESC LIMIT 25


Which will return the results in reverse order (because limit works from the first found, not last) and will give you up to 25 results. If you need the order ascending, stick the returned data in an array and use php's array_reverse function to flip it the right way.

You also might be able to get MySQL to reverse the order by using sub-selects, but I haven't tried that method.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


paziowiec

Thx Motoko that worked flawlessly :D

Still I have the issue with that php function adding new records (empty if site is freshly opened or exact copies of the last entry if I put sth in form and submit).

青山 素子

Quote from: paziowiec - June 30, 2008, 12:09:26 PM
Still I have the issue with that php function adding new records (empty if site is freshly opened or exact copies of the last entry if I put sth in form and submit).

I'm not sure what you mean by that.


paziowiec

http://09mm.pl/jez/craft.php
That's basically the script.
It adds data very well but try to refresh site. Even when you load the page first time there will be data added (blanks).

青山 素子

It doesn't help when you can't see the source.

Check to see if anything was submitted. If there wasn't, then don't process an insert.


paziowiec

That's the source.
It checks if the form is filled now and doesn't submit when I load the page for very first time but once I fill the form, hit submit and after successful submission, even when the form's fields got emptied, when I hit Refresh Page, it uploads the same data second time (and again and again when I keep refreshing).

<?php
require("forum/SSI.php");
mysql_select_db('mypreciousdatabase');

$co = $_POST['co'];
$komu = $_POST['komu'];
if ($co && $komu)
{
    $data = date("d.m.Y G.i");
    mysql_query("INSERT INTO Craft (Nick, Item, Fail, Date) VALUES('$_POST[komu]', '$_POST[co]', '$_POST[wyszlo]', '$data' ) ") or die(mysql_error());
}

$result = mysql_query("SELECT * FROM Craft ORDER BY ID DESC LIMIT 25") or die(mysql_error());
echo "<table border='0'>";
echo "<tr> <th>Data</th> <th>Komu</th> <th>Co</th> </tr>";
// keeps getting the next row until there are no more to get
while ($row = mysql_fetch_array($result)) {
    // Print out the contents of each row into a table
    echo "<tr><td>";
    echo $row['Date'];
    echo "</td><td>";
    echo $row['Nick'];
    echo "</td><td>";
    echo $row['Item'];
    echo "</td></tr>";
}
echo "</table>";

echo "
<table border='2'>
<tr> <th>Komu?</th> <th>Co?</th> <th>Wyszedl?</th> <th></th></tr>
<form name=\"input\" action='$_PHPSELF' method=\"post\">
<tr><td align=\"center\">
<input type=\"text\" name=\"komu\">
</td><td align=\"center\">
<input type=\"text\" name=\"co\">
</td><td align=\"center\">
<input type=\"checkbox\" name=\"wyszlo\" value=\"wyszlo\">
</td><td align=\"center\">
<input type=\"submit\" value=\"Dodaj\">
</form>
</table>
";
?>

青山 素子

Quote from: paziowiec - June 30, 2008, 02:17:42 PM
even when the form's fields got emptied, when I hit Refresh Page, it uploads the same data second time (and again and again when I keep refreshing).

That's because you are refreshing the form submission so it sends the data again. There isn't really a way to fix this. The only suggestion is to do a redirect to the page after the submission goes through. This will make the page load clean from any submissions and a refresh won't do anything.


Also, as a warning, your code is asking for an injection attack because you put the values in directly without any escaping or checking they are valid. You should really read up on secure coding before you get hacked because of that.


paziowiec

Quote from: Motoko-chan - June 30, 2008, 02:22:04 PM
Also, as a warning, your code is asking for an injection attack because you put the values in directly without any escaping or checking they are valid. You should really read up on secure coding before you get hacked because of that.

Well the form will be only visible to an administrator (I removed the if ($context['user']['is_admin']) for the testing purposes) but yeah, I'm kinda new to all this programming and I actually could use some security matters reading if you say my script is so unprotected.
And about that refreshing, I guess I will have to be just careful with not hitting F5 :)
thx for help Motoko, I appreciate :)

JayBachatero

You need to check the data before it is submitted. Not doing so can lead to holes and getting your script exploited. I made some quick changes that should work for the most part but I suggest that you read on form submission and SQL injections.


<?php
require("forum/SSI.php");

$my_db_name = 'mypreciousdatabase';
mysql_select_db($my_db_name);

// Lets check to see if any data was submitted.
if (isset($_POST['co'], $_POST['komu']))
{
    // Clean things up.
    $_POST['co'] = htmlspecialchars($_POST['co'], ENT_QUOTES);
    $_POST['komu'] = htmlspecialchars($_POST['komu'], ENT_QUOTES);
    $_POST['wyszlo'] = isset($_POST['wyszlo']) ? htmlspecialchars($_POST['wyszlo'], ENT_QUOTES) : ''; // Only two possible states with a check box.  It's either on or off.
    $date = date('d.m.Y G.i');

    if (trim($_POST['co']) != '' && trim($_POST['komu']) != '')
        db_query("
            INSERT INTO `{$my_db_name}`.Craft
                (Nick, Item, Fail, Date)
            VALUES ('$_POST[komu]', '$_POST[co]', '$_POST[wyszlo]', '$date')", __FILE__, __LINE__);
    else
        echo '<h2>Data was not inserted.</h2>';
}

$result = mysql_query("SELECT * FROM Craft ORDER BY ID DESC LIMIT 25") or die(mysql_error());
echo "<table border='0'>";
echo "<tr> <th>Data</th> <th>Komu</th> <th>Co</th> </tr>";
// keeps getting the next row until there are no more to get
while ($row = mysql_fetch_array($result)) {
    // Print out the contents of each row into a table
    echo "<tr><td>";
    echo $row['Date'];
    echo "</td><td>";
    echo $row['Nick'];
    echo "</td><td>";
    echo $row['Item'];
    echo "</td></tr>";
}
echo "</table>";

echo '
<form name="input" action="' . $_PHPSELF . '" method="post">
<table border="2">
<tr>
<th>Komu?</th>
<th>Co?</th>
<th>Wyszedl?</th>
<th></th>
</tr>
<tr>
<td align="center"><input type="text" name="komu"></td>
<td align="center"><input type="text" name="co"></td>
<td align="center"><input type="checkbox" name="wyszlo" value="wyszlo"></td>
<td align="center"><input type="submit" value="Dodaj"></td>
</tr>
</table>
</form>';

?>



If I get some time later on I'll explain more about the changes that I made.

http://www.phpfreaks.com/tutorial/php-security
http://www.rbredlau.com/drupal/node/10
http://www.rbredlau.com/drupal/node/12

"HELP!!! I've fallen and I can't get up"
This moment has been brought to you by LifeAlert
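
The two pieces of advice in this thread, redirecting after a successful submission and keeping form values out of the SQL string, combined into one page handler. This is an added example, not code from any poster: it assumes PHP 7.4+ with the pdo_sqlite extension, uses a SQLite file in place of the MySQL `Craft` table, and the `field()` and `h()` helpers and the length limits are illustrative.

```php
<?php
// Added example. Assumption: SQLite via PDO stands in for the thread's MySQL Craft table.
$db = new PDO('sqlite:' . sys_get_temp_dir() . '/craft_example.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE IF NOT EXISTS Craft (
    ID INTEGER PRIMARY KEY AUTOINCREMENT, Nick TEXT, Item TEXT, Fail TEXT, Date TEXT)');

// Hypothetical helper: read one POST field as a trimmed string; arrays (komu[]=x) become ''.
function field(string $name): string
{
    $value = $_POST[$name] ?? '';
    return is_string($value) ? trim($value) : '';
}

// Hypothetical helper: encode for HTML when printing, so the table keeps the original text.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $komu = field('komu');
    $co   = field('co');
    // A checkbox is either sent or absent: store a fixed value, never the raw input.
    $fail = isset($_POST['wyszlo']) ? 'wyszlo' : '';

    if ($komu !== '' && $co !== '' && strlen($komu) <= 64 && strlen($co) <= 128) {
        // Placeholders send the values separately from the SQL text.
        $stmt = $db->prepare('INSERT INTO Craft (Nick, Item, Fail, Date) VALUES (?, ?, ?, ?)');
        $stmt->execute([$komu, $co, $fail, date('d.m.Y G.i')]);
    }
    // Post/Redirect/Get: after a 303 the browser issues a GET, so F5 reloads the list only.
    header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
    exit;
}

echo "<table border='0'><tr><th>Data</th><th>Komu</th><th>Co</th></tr>";
foreach ($db->query('SELECT Date, Nick, Item FROM Craft ORDER BY ID DESC LIMIT 25') as $row) {
    echo '<tr><td>' . h($row['Date']) . '</td><td>' . h($row['Nick'])
        . '</td><td>' . h($row['Item']) . '</td></tr>';
}
echo '</table>';
?>
<form method="post">
  <input type="text" name="komu">
  <input type="text" name="co">
  <input type="checkbox" name="wyszlo" value="wyszlo">
  <input type="submit" value="Dodaj">
</form>
```

Served with PHP's built-in server (`php -S localhost:8000`), submitting the form and then pressing F5 leaves the number of rows unchanged, because the refreshed request is the GET that followed the redirect.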