Answering two in one...

>What do others here use to make their forms safe please?
Use a database table containing, amongst others:
- formname
- tablename
- fieldname
- fieldtype
- fieldsize
- index
- hints ("?" icon next to field links to popup with hint on what to put in this field)
- class (for layout purpose)
and some other info.

If I have to make a form, it is created from the database:
   $FieldInfo = get_data("select * from forminfotable where formname='thisform' order by index");
and a session var $_SESSION["FormName"] is set.

When receiving the values I repeat that query and can then do:
   foreach ($FieldInfo as $Index => $Field) {
      $Var[$Index] = $_POST[$Field["fieldname"]];   // or $_GET[$Field["fieldname"]]
   }
more or less of course, as the values need cleanup first (stripping HTML,
code, special characters, escaping others, etc.).
This is the most efficient way to construct forms.
Need to modify the form? Just change a few rows in the database and pronto.

>Is anyone able to give a brief start?
Brief enough?

If you really need the variable to get a specific name, by the way, you can
also use:
   ${$Field["fieldname"]} = $_POST[$Field["fieldname"]];

Or just put a flag in the database signalling to use a named variable (like
above) or an array like the first example.

Now to the other question:
>all my site has URL variable for example this URL
>www.egyptmasters.com/page.php?id=5&category=14
>
>I send the variables as id=5&category=14
>now I am transferring to another host the pages not working because
>they don't see those URL vars. So what do I do?

But before doing something with them most likely you don't extract them. On
the server of your old host, the values were assigned automatically. This is
the old and unsafe behaviour. Anyone can set any variable used in your
script by passing it in the URL: by simply typing &action=buy or something
like it in the address bar and then hitting enter.

So: the other host uses register_globals = Off.

No problem, but you will only have access to your GET variables after:
$id=$_GET["id"];
$category=$_GET["category"];

But of course to make your pages and forms more flexible you could also use
the CMS style as given above ;-)

>is there another way of sending variables ?? anyone please help me out
It's not the way of sending them, it's the way of accessing them. And ah, by
the way: there is another way of sending variables: POST.

Marc
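As an added example (not Marc's code and not from the list archive), here is the two halves of the reply combined into one runnable PHP script: a form built from the forminfotable rows described above, the values collected back with that same table acting as an allowlist, and the id/category URL variables read explicitly from $_GET as you must with register_globals off. The table rows are constructed inline so it runs without a database; renderForm, collectValues, the sample field names and the hint/fieldsize values are assumptions for illustration.

```php
<?php
// Added example, not from the original post: a form driven by a field-definition
// table (forminfotable in the post) plus explicit $_GET access with register_globals off.
// The rows below are constructed stand-ins for the query
//   select * from forminfotable where formname='thisform' order by index
declare(strict_types=1);

$FieldInfo = [
    ['fieldname' => 'name',     'fieldtype' => 'string', 'fieldsize' => 40, 'hint' => 'Your full name'],
    ['fieldname' => 'age',      'fieldtype' => 'int',    'fieldsize' => 3,  'hint' => 'Whole years'],
    ['fieldname' => 'category', 'fieldtype' => 'int',    'fieldsize' => 5,  'hint' => 'Category id'],
];

/** Build the form HTML from the definition rows; every dynamic value is HTML-escaped. */
function renderForm(array $fieldInfo, string $action): string
{
    $html = '<form method="post" action="' . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">' . "\n";
    foreach ($fieldInfo as $field) {
        $name = htmlspecialchars($field['fieldname'], ENT_QUOTES, 'UTF-8');
        $hint = htmlspecialchars($field['hint'], ENT_QUOTES, 'UTF-8');
        $html .= sprintf(
            '  <label>%s <input name="%s" maxlength="%d" title="%s"></label>' . "\n",
            $name, $name, (int) $field['fieldsize'], $hint
        );
    }
    return $html . "  <input type=\"submit\">\n</form>\n";
}

/**
 * Collect submitted values using the definition as an allowlist: input keys that are
 * not in the table are ignored, and each value is checked against its fieldtype and
 * fieldsize. Returns [values, errors]; errors is empty when everything validated.
 */
function collectValues(array $fieldInfo, array $input): array
{
    $values = [];
    $errors = [];
    foreach ($fieldInfo as $field) {
        $name = $field['fieldname'];
        $raw  = $input[$name] ?? null;
        if (!is_string($raw)) {              // missing, or an array sent as name[]
            $errors[$name] = 'missing';
            continue;
        }
        switch ($field['fieldtype']) {
            case 'int':
                $v = filter_var($raw, FILTER_VALIDATE_INT);
                if ($v === false || strlen($raw) > (int) $field['fieldsize']) {
                    $errors[$name] = 'not a valid integer';
                    continue 2;              // next field of the foreach
                }
                $values[$name] = $v;
                break;
            case 'string':
                $v = trim(strip_tags($raw)); // the "stripping HTML" cleanup from the post
                if (strlen($v) > (int) $field['fieldsize']) {
                    $errors[$name] = 'too long';
                    continue 2;
                }
                $values[$name] = $v;
                break;
            default:
                $errors[$name] = 'unknown fieldtype';
        }
    }
    return [$values, $errors];
}

// With register_globals off, URL parameters exist only in $_GET: read them explicitly.
// Result is int on success, false when present but not an integer, null when absent.
$id       = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$category = filter_input(INPUT_GET, 'category', FILTER_VALIDATE_INT);

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    [$Var, $errors] = collectValues($FieldInfo, $_POST);
    if ($errors) {
        http_response_code(400);
        foreach ($errors as $name => $msg) {
            echo htmlspecialchars("$name: $msg", ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
    } else {
        // $Var holds only the declared fields, typed and length-bounded; hand it to a
        // parameterized query rather than interpolating it into SQL.
        echo 'Received ', count($Var), " fields\n";
    }
} else {
    echo renderForm($FieldInfo, 'page.php?id=' . (int) $id . '&category=' . (int) $category);
}
```

Because the allowlist comes from the same table that drew the form, a client that adds extra parameters (the &action=buy case above) gets them silently dropped rather than turned into variables, which is exactly what register_globals used to do for you.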

Shortcut URL to this page:
  http://groups.yahoo.com/group/php-list 