On Tue, 2009-11-24 at 23:27 -0800, Allen McCabe wrote:

> If I were to loop through my inputs, I could just exclude any
> problematic names, eg.:
> 
> foreach ($_POST as $var => $val)
> {
>    // skip the x/y coordinate fields that the image button adds
>    if ($var != 'filter.x' && $var != 'filter.y')
>    {
>      $$var = $val; // create a variable named after each input (apparent intent)
>    }
> }
> 
> Like that?
> 
> 
> On Tue, Nov 24, 2009 at 2:34 AM, Ashley Sheridan
> <a...@ashleysheridan.co.uk> wrote:
> 
>         
>         On Tue, 2009-11-24 at 02:11 -0800, Allen McCabe wrote:
>         
>         > I am! Will these extra query variables cause any problems or
>         > should I use standard submit inputs?
>         > 
>         > Thanks Ashley!
>         > 
>         > On Tue, Nov 24, 2009 at 1:10 AM, Ashley Sheridan
>         > <a...@ashleysheridan.co.uk> wrote:
>         > 
>         >         
>         >         On Mon, 2009-11-23 at 21:53 -0800, Allen McCabe
>         >         wrote: 
>         >         
>         >         > Okay, suddenly I got it to filter the results, but I still can't figure out
>         >         > where this part of the query is coming from, at the end of the query string
>         >         > in the URL, I have this "filter.x=0&filter.y=0".
>         >         > 
>         >         > Nowhere in my form do I have a field named filter.x or filter.y. I DO
>         >         > however, have 3 forms (I don't want to mess with AJAX), my setup looks like
>         >         > this:
>         >         > 
>         >         > Filter by:
>         >         > User - [username dropdown  v] Order by [database fields  v] Asc/Desc [Ascend  v] - Go
>         >         > School - [school dropdown  v] Order by [database fields  v] Asc/Desc [Ascend  v] - Go
>         >         > Show - [show dropdown  v] Order by [database fields  v] Asc/Desc [Ascend  v] - Go
>         >         > 
>         >         > There are actually two order by fields, but this gives you the idea. Each of
>         >         > the three lines is a separate form, each with a unique name all with a "get"
>         >         > method, but all three Go buttons are named "filter", I didn't think to try
>         >         > changing it until now, but is this perhaps where the filter.x and filter.y
>         >         > are coming from? I have never seen this before in a query.
>         >         > 
>         >         > Oh, now the filter that was working spontaneously gives me the error I have
>         >         > been getting all along, this is so frustrating.
>         >         > 
>         >         > To those who asked, yes I am connected to the database; I forgot to mention
>         >         > that the else part of my if statement works, as long as I don't try to
>         >         > filter my results it works.
>         >         > 
>         >         > Here is an example of the URL that my filter function (via one of the 3
>         >         > forms) outputs:
>         >         > 
>         >         > http://lpacmarketing.hostzi.com/afy/orders/default.php?filterby=school&schoolid=36&orderby1=order_id&asc_desc_order1=Descend&orderby2=pmt_recd_date&asc_desc_order2=Descend&filter.x=13&filter.y=8&filter=Go
>         >         > 
>         >         > On Mon, Nov 23, 2009 at 8:03 PM, Philip Thompson
>         >         > <philthath...@gmail.com> wrote:
>         >         > 
>         >         > > On Nov 23, 2009, at 6:22 PM, Allen McCabe wrote:
>         >         > >
>         >         > > > Hi, thanks for reading, I hope you can help:
>         >         > > >
>         >         > > > In my main file for an orders page I have the following code:
>         >         > > >
>         >         > > >
>         >         > > > if (isset($_GET['filterby']))
>         >         > > > {
>         >         > > >  $resultOrders = adminFilterQuery();
>         >         > > >  $numberOfOrders = mysql_num_rows($resultOrders);
>         >         > > > }
>         >         > > > else
>         >         > > > {
>         >         > > >  // mysql_error() takes an optional link resource, not a message, so build the message around it
>         >         > > >  $resultOrders = mysql_query("SELECT * FROM afy_order;")
>         >         > > >    or die("Could not query the database! " . mysql_error());
>         >         > > >  $numberOfOrders = mysql_num_rows($resultOrders);
>         >         > > > }
>         >         > >
>         >         > > You can reduce this part by one line by putting the following after the else
>         >         > > statement and removing the other 2:
>         >         > >
>         >         > > $numberOfOrders = mysql_num_rows ($resultOrders);
>         >         > >
>         >         > > Also, these queries don't need a semi-colon (;) to end the query. PHP
>         >         > > handles this part. Remove them.
>         >         > >
>         >         > >
>         >         > > > adminFilterQuery() is a custom function that is supposed to return a
>         >         > > > mysql_query, here are the last few lines of this function:
>         >         > > >
>         >         > > >
>         >         > > > // $school and $order_by_param come straight from the form and are
>         >         > > > // interpolated into the SQL without any validation
>         >         > > > $query = "SELECT * FROM afy_order WHERE school_id = '{$school}' ORDER BY {$order_by_param};";
>         >         > > > $result = mysql_query($query);
>         >         > > > return $result;
>         >         > > >
>         >         > > > I am getting this error when I try to filter my query using a form in
>         >         > > > tandem with the query building function:
>         >         > > >
>         >         > > > *Warning*: mysql_num_rows(): supplied argument is not a valid MySQL
>         >         > > > result resource
>         >         > > >
>         >         > > > where the line is the one where I use the mysql_num_rows function.
>         >         > > >
>         >         > > > What am I missing here?
>         >         > > >
>         >         > > > Thanks!
>         >         > >
>         >         > > Do you get this warning with both queries? Make sure that your queries are
>         >         > > using a valid mysql connection. You may also consider using a database class
>         >         > > to perform the repetitive tasks so that you really only have to be concerned
>         >         > > with the queries you're writing...?
>         >         > >
>         >         > > <?php
>         >         > > class database {
>         >         > >    public function query ($sql) {
>         >         > >        $result = mysql_query ($sql);
>         >         > >        if ($result === false) {
>         >         > >            die ('Uh oh!');
>         >         > >        }
>         >         > >        return $result;
>         >         > >    }
>         >         > >
>         >         > >    public function numRows ($result) {
>         >         > >        return mysql_num_rows ($result);
>         >         > >    }
>         >         > > }
>         >         > > $db = new database();
>         >         > > $result = $db->query('SELECT * FROM afy_order');
>         >         > > $numRows = $db->numRows($result);
>         >         > > ?>
>         >         > >
>         >         > > Of course this is just a simple example, but you get the idea. Hope that
>         >         > > stirs your brain!
>         >         > >
>         >         > > ~Philip
>         >         
>         >         
>         >         
>         >         My guess would be that you're submitting the form
>         >         using an image button, which would send the x and y
>         >         coordinates of the click within the button.
>         >         
>         >         Thanks,
>         >         Ash
>         >         http://www.ashleysheridan.co.uk
>         >         
>         >         
>         >         
>         >         
>         > 
>         > 
>         
>         
>         
>         
>         The only time they'll cause a problem is if you use some sort
>         of loop to translate all the form inputs into something that
>         is used in your code. For example, if you looped through all
>         the form inputs to create your filter, regardless of what the
>         inputs were called, then you would be running into all sorts
>         of problems.
>         
>         This is not something you should try and 'fix' on the
>         client-side but the server side, as everything that comes from
>         the client is not to be trusted, ever!
>         
>         Saying that though, I have seen some systems (HSBC payment
>         system) reject inputs containing x and y coordinates from
>         image buttons and cause the whole form to fail. In your case
>         that won't happen, but it's something to keep in mind in the
>         future maybe?
>         
>         If you want to change the button, you could use a regular
>         submit button and style it up with css:
>         
>         #submit_button_id
>         {
>             border: 0px none;
>             background-image: url('button.png');
>             background-repeat: no-repeat;
>             width: 100px;
>             height: 25px;
>         }
>         
>         Thanks,
>         Ash
>         http://www.ashleysheridan.co.uk
>         
>         
>         
> 
> 


Not really, what if someone else decided they wanted to throw in their
own form field values in the hope of breaking your system? It's much
better to be specifically looking for certain form fields and certain
field values/ranges. For example, if you had some fields that would
filter something by cost, you might have two form fields named 'max' and
'min' which would be ranges for the cost. You should check that these
fields only contain numbers for example before processing them. Any data
coming from the client-side is untrustworthy and should be regarded as
tainted until you can prove otherwise.

Thanks,
Ash
http://www.ashleysheridan.co.uk
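Putting the advice above into practice, here is an added example (not code from the thread) that reads only the named parameters the three filter forms send and rejects any value outside an allow-list, so stray inputs such as filter.x and filter.y are never touched. The parameter names are taken from the URL quoted earlier in the thread; the list of permitted columns is an assumption.

```php
<?php
// Added example, not code from the thread: validate the filter form's
// parameters against an explicit allow-list instead of looping over $_GET.
// The parameter and column names are assumed from the URL quoted above.

function validateFilterParams(array $get)
{
    $allowedFilters = array('user', 'school', 'show');
    $allowedColumns = array('order_id', 'pmt_recd_date', 'school_id');
    $allowedDirs    = array('Ascend' => 'ASC', 'Descend' => 'DESC');
    $clean = array();

    // Only the keys named here are ever read, so extra inputs such as the
    // image-button coordinates filter.x / filter.y are ignored outright.
    if (!isset($get['filterby']) || !in_array($get['filterby'], $allowedFilters, true)) {
        return null;
    }
    $clean['filterby'] = $get['filterby'];

    // Numeric ids must be digits only before they are used in a query.
    if (isset($get['schoolid'])) {
        if (!ctype_digit((string) $get['schoolid'])) {
            return null;
        }
        $clean['schoolid'] = (int) $get['schoolid'];
    }

    // ORDER BY cannot take a bound parameter, so the column name and
    // direction must each match a fixed list before reaching SQL.
    $clean['order'] = array();
    foreach (array(1, 2) as $i) {
        if (!isset($get["orderby$i"])) {
            continue;
        }
        $col = $get["orderby$i"];
        $dir = isset($get["asc_desc_order$i"]) ? $get["asc_desc_order$i"] : 'Ascend';
        if (!in_array($col, $allowedColumns, true) || !isset($allowedDirs[$dir])) {
            return null;
        }
        $clean['order'][] = $col . ' ' . $allowedDirs[$dir];
    }
    return $clean;
}

$params = validateFilterParams($_GET);
if ($params === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('Invalid filter parameters');
}
$orderBy = $params['order'] ? ' ORDER BY ' . implode(', ', $params['order']) : '';
```

With this in place the query in adminFilterQuery() only ever sees a column name and direction from the fixed lists and an integer school id, whatever else the browser appends to the URL.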

