Dan Tappin wrote:
> I have a simple method of creating easy form processing.... I thought....

This would be a BIG security issue... as the input is 'tainted' until otherwise proven safe. If you want to do this approach, as you go through each POST var, make sure you have a list of valid fields for the table and make sure the field you're setting from POST actually IS a field in the table.

> I came up with the idea (I am not claiming to be the first) to have form
> elements I want to update via MySQL starting with either "-" or "+".
> Example:
> +name=DAN
> [EMAIL PROTECTED]
> -notes=
> id=1
> The first 2 are required and will be updated, the 3rd is optional and will
> be updated and the 4th (id) is simply passed as form data.
> The idea here is that I parse the $_POST variable

I see what you're trying to do, I've done something somewhat similar and it doesn't require a + or -.
I wrote a db class which builds my queries for me. Example snippet:

/* -- db.conf -- (table definitions) */
dbNewConn('conn', 'user:password@host');
dbNewDb('database', 'conn');
dbNewTable('my_table', 'database.table_name');

/* -- My script.php -- */
$d = array( 'name'  => $_POST['name'],
            'email' => $_POST['email']);
dbUpdate('my_table', $d, "id='{$_POST['id']}'");

As dbUpdate gets executed, if the connection isn't up, it connects to the db server; next, if it doesn't have a list of fields for the table, it lists the fields and 'caches' them during the script execution. And finally it builds the query string. The resulting query is:

UPDATE database.table_name SET `name`='The Name', `email`='[EMAIL PROTECTED]' WHERE id=1;

It handles all escaping, mysql functions etc. (so I could do: 'name' => 'PASSWORD('.$_POST['name'].')' and it would be escaped properly). This code is running in a production application and has not had any performance problems.

-js

> to auto create a "UPDATE table SET name = 'Dan', email = '[EMAIL PROTECTED]' WHERE = 1" string for MySQL. The issue is that if I use the "+" to indicate a required field for error trapping my $_POST array ends up like this:
> +namD=AN
> [EMAIL PROTECTED]
> -notes=
> id=1
> Either this is a PHP / HTTP bug or I am up against some strange post naming restriction. I searched the web, the PHP site (including the bugs) and could not spot an obvious reference. Any ideas out there?
>
> Dan
-- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
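The whitelist check js describes (only set a column from POST if it really is a column of the table) combined with a required-field list that replaces Dan's "+" prefix, as an added example that is neither js's db class nor Dan's parser. The table name `users`, its column list, the `users`/`id` key column and the PDO connection string are assumptions; in a real script the column list would be loaded once from SHOW COLUMNS and cached for the request, as js's class does.

```php
<?php
// Added example: build a whitelisted, parameterised UPDATE from untrusted form
// input. Table, column list, key column and DSN below are assumptions.
declare(strict_types=1);

const TABLE      = 'users';                     // assumed table
const COLUMNS    = ['name', 'email', 'notes'];  // assumed column whitelist
const REQUIRED   = ['name', 'email'];           // replaces the "+" prefix idea
const KEY_COLUMN = 'id';

/**
 * Return [$sql, $params] for a prepared UPDATE, or throw if the input is
 * missing a required field, names a column the table does not have, or
 * carries a non-numeric id. Column names never come from the request: a
 * field is only used after it has matched an entry of COLUMNS.
 */
function buildUpdate(array $post): array
{
    foreach (REQUIRED as $col) {
        if (!isset($post[$col]) || $post[$col] === '') {
            throw new InvalidArgumentException("missing required field: $col");
        }
    }
    if (!isset($post[KEY_COLUMN]) || !ctype_digit((string) $post[KEY_COLUMN])) {
        throw new InvalidArgumentException('missing or non-numeric id');
    }

    $set    = [];
    $params = [];
    foreach ($post as $field => $value) {
        if ($field === KEY_COLUMN) {
            continue;
        }
        // Tainted until proven otherwise: reject rather than interpolate.
        if (!in_array($field, COLUMNS, true)) {
            throw new InvalidArgumentException("unknown field: $field");
        }
        // Column name comes from the whitelist, value goes through a placeholder.
        $set[]              = "`$field` = :$field";
        $params[":$field"]  = (string) $value;
    }
    if ($set === []) {
        throw new InvalidArgumentException('nothing to update');
    }
    $params[':id'] = (int) $post[KEY_COLUMN];

    $sql = 'UPDATE `' . TABLE . '` SET ' . implode(', ', $set)
         . ' WHERE `' . KEY_COLUMN . '` = :id';
    return [$sql, $params];
}

// Constructed sample input standing in for $_POST (optional 'notes' left empty).
$sample = ['name' => 'Dan', 'email' => 'dan@example.invalid', 'notes' => '', 'id' => '1'];
[$sql, $params] = buildUpdate($sample);
echo $sql, "\n";

// A field name the table does not have is refused instead of reaching the query.
try {
    buildUpdate($sample + ['is_admin' => '1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

// Executing it against MySQL (assumed DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=database', 'user', 'password');
// $pdo->prepare($sql)->execute($params);
```

Because the SQL text only ever contains names taken from COLUMNS and KEY_COLUMN, and every value is bound through a placeholder, the "+"/"-" markers Dan was fighting with are unnecessary: required-ness lives in a server-side list, and a form field that is not a table column fails loudly rather than being silently written or used to reach an unintended column.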