Re: [newbie] Keeping it all in one page?



Gilles Ganault wrote:
On Tue, 29 Jan 2008 20:53:29 -0500, Jerry Stuckle
<jstucklex@xxxxxxxxxxxxx> wrote:
And adding a checkbox isn't hard at all. But don't just use
the primary key id in the checkbox unless you have some other way
to protect your page from hackers.

The definitive wrong way to do things:
============
<?php

switch ($status) {
case "delete":
    foreach ($item as $bit) {
        $query = "DELETE FROM " . $table . " WHERE id=" . $bit;
        $result = mysql_query($query) or die("Query failed: " . mysql_error());
    }
    break;

default:
    echo "<form method=post>";
    echo "<input type=checkbox name=item[] value=1>";
    echo "<input type=checkbox name=item[] value=2>";
    echo "<input type=hidden name=status value=delete>";
    echo "<input type=submit value=Delete>";
    echo "</form>";

}
?>
============

BTW, is there some book like "The 50 pitfalls of writing web apps in
PHP" that would take real-life newbie errors like the above, explain
why they're wrong, and the safe way to rewrite them?

Thanks.


Well, let's see. First of all, you should never use "or die()" in production code. It's fine for testing, but you need a graceful recovery in production. You do not want your page to stop in the middle of loading with "Query failed" or a message from MySQL in the window!

You're just deleting rows, without validating the user has permission to delete the row. This would be fine for an admin interface, where access is restricted and the admin person can delete any row. However, it is not good for a public interface.

And always validate any data from your user. For instance, what would happen if I submitted a form to your page with:

<input type=checkbox name=item[] value="1 OR 2=2">

Your query would end up as:

DELETE FROM mytable WHERE id=1 OR 2=2

And guess what would be deleted? :-)

Not sure what else they're talking about.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@xxxxxxxxxxxxx
==================
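The same delete form rewritten to address the three points raised in the reply (graceful error handling instead of or die(), a permission check, and input validation with a prepared statement), as an added example that is not part of either message in the thread. It assumes a PDO connection in $pdo, the logged-in user's id in $_SESSION['user_id'], and an owner_id column on an items table; none of these appear in the original posts.

```php
<?php
// Added example (not from the original thread). Assumes: a PDO connection in
// $pdo, the logged-in user's id in $_SESSION['user_id'], and an owner_id column
// on the items table.
session_start();
$status = $_POST['status'] ?? '';
$items  = (array) ($_POST['item'] ?? []);
switch ($status) {
case 'delete':
    if (!isset($_SESSION['user_id'])) {      // permission: must be logged in
        http_response_code(403);
        echo 'Please log in.';
        break;
    }
    // Validation: accept only plain positive integers. A value such as
    // "1 OR 2=2" fails ctype_digit() and never reaches the database.
    $ids = [];
    foreach ($items as $bit) {
        if (is_string($bit) && ctype_digit($bit) && $bit !== '0') {
            $ids[] = (int) $bit;
        }
    }
    if ($ids === []) { echo 'Nothing to delete.'; break; }
    try {
        // Prepared statement: ids are bound, never concatenated into the SQL.
        // The owner_id condition limits each user to deleting their own rows.
        $stmt = $pdo->prepare('DELETE FROM items WHERE id = ? AND owner_id = ?');
        $deleted = 0;
        foreach ($ids as $id) {
            $stmt->execute([$id, (int) $_SESSION['user_id']]);
            $deleted += $stmt->rowCount();
        }
        echo "Deleted $deleted item(s).";
    } catch (PDOException $e) {
        // Graceful recovery instead of or die(): log the detail, show a generic message.
        error_log('Delete failed: ' . $e->getMessage());
        echo 'Sorry, the request could not be completed.';
    }
    break;
default:
    echo '<form method="post">';
    echo '<input type="checkbox" name="item[]" value="1"> 1 ';
    echo '<input type="checkbox" name="item[]" value="2"> 2 ';
    echo '<input type="hidden" name="status" value="delete">';
    echo '<input type="submit" value="Delete">';
    echo '</form>';
}
```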
