Re: form - request question



nescio wrote:
You don't control posting to a script, it could contain everything.
Name your desired variables, loop through the $_POST/$_GET array,
and check how many "known" variables it contains. It's tempting to
think of shortcuts, but this isn't the place to cut corners.

So, is it better to use $_POST instead of $_REQUEST?
Or do these problems also occur with $_POST?

I'd say so, although it doesn't make that much of a difference.

It is a bit difficult to explain why this is important to me, but I
will try.

I am building an application that uses the column names from a
database. People can choose some of these columns, then a form is
built that uses the column names as the names in the form.

After sending the form, these names are used to build the query.
This is possible because the names in the form are the same as the
column names in the database.
So I have to know which elements of the request can be part of the
query and which can't (like 'submit' and 'phpsessid').

I can't give them the names you suggested because they have to
correspond with the column names in the database.


The problem here is when you use your form, you can sort of control what
comes back after submitting the form. People can post to your script without
using the form though, so you can't really trust what is posted. Also, if
you'd change the location or surrounding code of the script it could break.

Several solutions come to mind, for instance naming hidden inputs "field[]"
and storing the field names in there, but that still relies on the
post-variables. As you're already using a session, why not add an array with
the fields to use there?

You can then just:

foreach ($_SESSION['fields'] as $fieldname) {
    // do stuff with $_POST[$fieldname]
}

And leave the rest of the $_POST variables alone?


Grtz,
--
Rik Wasmus
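The session-allowlist approach suggested above, worked out as an added example (this is not code from the original thread or from either poster). It assumes the column names the user picked were stored in $_SESSION['fields'] on the earlier page, that $schemaColumns holds the real column names fetched from the database, and that a PDO connection named $pdo exists; the request and schema data below are constructed sample values so the script runs on its own.

```php
<?php
// Added example: only the fields recorded in the session take part in the
// query, each one is confirmed against the real schema, and the values are
// bound as parameters so nothing from $_POST is ever concatenated into SQL.

session_start();

// Constructed sample data standing in for a real schema and request.
$schemaColumns = ['name', 'email', 'city'];   // assumed: fetched from the database
$_SESSION['fields'] = ['name', 'email'];      // assumed: chosen on the first page
$_POST = [
    'name'      => 'Ann',
    'email'     => 'ann@example.org',
    'submit'    => 'Go',        // form button, must never reach the query
    'PHPSESSID' => 'abc123',    // session cookie echoed as a field, same
    'city'      => 'Utrecht',   // a real column, but not one the user chose
];

/**
 * Build an INSERT using only the session-approved fields.
 * Returns [$sql, $params] ready for PDO::prepare()/execute().
 */
function buildInsert(array $sessionFields, array $schemaColumns, array $post): array
{
    $columns = [];
    $params  = [];
    foreach ($sessionFields as $fieldname) {
        // The session decides which fields participate; still check each name
        // is a genuine column (strict comparison, no loose or substring match).
        if (!in_array($fieldname, $schemaColumns, true)) {
            continue;
        }
        // A chosen field that was not submitted is skipped, not an error.
        if (!array_key_exists($fieldname, $post)) {
            continue;
        }
        // Quote the identifier (MySQL backtick style) even though it is
        // allowlisted; the value itself goes through a named placeholder.
        $columns[] = '`' . str_replace('`', '``', $fieldname) . '`';
        $params[':' . $fieldname] = $post[$fieldname];
    }
    if ($columns === []) {
        throw new RuntimeException('request contains no permitted fields');
    }
    $sql = 'INSERT INTO people (' . implode(', ', $columns) . ') VALUES ('
         . implode(', ', array_keys($params)) . ')';
    return [$sql, $params];
}

[$sql, $params] = buildInsert($_SESSION['fields'], $schemaColumns, $_POST);
echo $sql, PHP_EOL;
print_r($params);

// With a live connection (assumed $pdo):
// $stmt = $pdo->prepare($sql);
// $stmt->execute($params);
```

The loop never looks at keys of $_POST directly, so 'submit', 'PHPSESSID' and any extra field a client adds by hand are ignored, and a field the user did not choose on the first page (here 'city') stays out even though it is a real column. Keeping the table name fixed and binding every value through PDO means the only dynamic part of the statement is a list of identifiers that came from your own schema, not from the request.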




