$_POST modifying variables
Old 02-09-2011, 01:37 PM $_POST modifying variables
I have posted some values and when I move through the array it is changing out a '.' for a '_'. To troubleshoot it, I print out the value after I assign it to the text field as shown below using
PHP Code:
echo $rw_variable['field'].'<br />';
Quote:
Array ( ) tbl_sod.sod_id
I then print out the resulting array using
PHP Code:
print_r($_POST); 
and you will notice that the '.' has been replaced by '_'. I am not doing any parsing on the string.

Quote:
Array ( [tbl_sod_sod_id] => 1871 [doc] => 3418499-015 [rev] => B [doc_desc] => SKID HARDWARE LIST [required_status] => [esod] => 1 [isod] => 1 [pages] => 1 [status] => [eng_error] => 11 [draft_error] => 21 [vendor_error] => 31 [sourcing_error] => 41 [value_eng] => 51 [requested_change] => 61 [spec_conflict] => 71 [direction_deficient] => 81 [schedule_issue] => 91 [mfg_error] => 101 [comment] => HELLO ) UPDATE SET tbl_sod_sod_id=1871 doc=3418499-015 rev=B doc_desc=SKID HARDWARE LIST required_status=NULL esod=1 isod=1 pages=1 status=NULL eng_error=11 draft_error=21 vendor_error=31 sourcing_error=41 value_eng=51 requested_change=61 spec_conflict=71 direction_deficient=81 schedule_issue=91 mfg_error=101 comment=HELLO WHERE tbl_sod_sod_id=1871

Does $_POST perform some sort of real_escape_string function on variables?

PHP Code:
<?php
// set up global variables
@include 'menu.php';
$one_day=24*60*60;
$one_week=7*$one_day;
$one_month=4.33*$one_week;
$sql_page='SELECT `interface`,`sql`,`where` FROM `tbl_list_page` WHERE `page_id`='.$_SESSION['pg'];
$rw_page=mysql_fetch_assoc(query($sql_page));
print_r($_POST);
//Records the columns to be displayed
if(isset($_POST["console"])) my_console($_POST['console'],$rw_page['interface']);
elseif(!empty($_POST)){
 $sql='UPDATE '.substr(key($_POST),0,strpos(key($_POST),".")).' SET ';
 while(list($key,$val)=each($_POST)){
  if(!empty($val)) $sql.=$key.'='.strtoupper(mysql_real_escape_string($val)).' ';
  else             $sql.=$key.'=NULL ';
 }
 reset($_POST);
 $sql.='WHERE '.key($_POST).'='.$_POST[key($_POST)];
 echo $sql;
// $result=query($sql);
}
//Determines if user wants to view or modify console
for ($x=0;$x<strlen($_SESSION[$rw_page['interface']]);$x++){
 if(isset($_GET['modify'])) $col[$x]=1;  //Modify user console
 else                       $col[$x]=substr($_SESSION[$rw_page['interface']],$x,1);
}
if(isset($_GET['r'])) $r=$_GET['r'];
if(empty($r))         $r=0;
$sql_variable='SELECT * FROM tbl_list_page_variable WHERE page_id='.$_SESSION['pg'].' ORDER BY pages_variables_id ASC';
$r_variable=query($sql_variable);
//Creates fields allowing user to turn on and off specific columns
if(isset($_GET["modify"])){
 $str_console='<form action="display_project_list.php" method="post">'.
              '<tr>'.
              '<td><input type="submit" value="Update" /></td>'.
              '<td> Console: '.
              '<select name="console[]">';
 if ($col[0]==1) $str_console.='<option value="1" selected="selected">All Projects</option>';
 else            $str_console.='<option value="1" >All Projects</option>';
 if ($col[0]==2) $str_console.='<option value="2" selected="selected">My Projects</option>';
 else            $str_console.='<option value="2" >My Projects</option>';
 $str_console.='</select></td>';
 for ($x=1;$x<strlen($_SESSION['home']);$x++){
  $str_console.='<td><input type="checkbox" name="console[]" value="'.$x.'" checked="'.$col[$x].'" /></td>';
 }
 $str_console.='</tr></form>';
 echo $str_console;
 $x=1;
 mysql_data_seek($r_variable,0);
 while ($rw_variable=mysql_fetch_assoc($r_variable)) {
  if (!empty($col[$x])) {
   $sql_data.=$rw_variable['field'].', '; //Generates sql string for required fields
   switch ($rw_variable['hdr_function']){
    case "N":  //Allows for adding new data to table
     $str_header='<th><a href="display_page.php?n=1"><img src="images/bluecross.gif" alt="New..."></a></th>';
     break;
    case NULL: //Place holder for no header
     $str_header.='<th></th>';
     break;
    case 1:    //Sortable column
     $str_header.='<th><a href="display_page.php?o='.$x.'&r='.!$r.'"><b>'.$rw_variable['header'].'</b></a></th>';
     break;
    default:   //Static column
     $str_header.='<th><b>'.$rw_variable['header'].'</b></th>';
     break;
   }
   $x++;
  }
 }
 $str_header.='</tr>'; //Closes off table row for header
}
//Creates datagrid header for page
$sql_data='SELECT ';
$str_header='<tr>'; //Opens header row
$x=1;
mysql_data_seek($r_variable,0);
while ($rw_variable=mysql_fetch_assoc($r_variable)) {
 if (!empty($col[$x])) {
  $sql_data.=$rw_variable['field'].', '; //Generates sql string for required fields
  switch ($rw_variable['hdr_function']){
   case "N":  //Allows for adding new data to table
    $str_header='<th><a href="display_page.php?n=1"><img src="images/bluecross.gif" alt="New..."></a></th>';
    break;
   case NULL: //Place holder for no header
    $str_header.='<th></th>';
    break;
   case 1:    //Sortable column
    $str_header.='<th><a href="display_page.php?o='.$x.'&r='.!$r.'"><b>'.$rw_variable['header'].'</b></a></th>';
    break;
   default:   //Static column
    $str_header.='<th><b>'.$rw_variable['header'].'</b></th>';
    break;
  }
  $x++;
 }
}
$str_header.='</tr>'; //Closes off table row for header
$sql_data=substr($sql_data,0,-2);
$sql_data.=' '.$rw_page['sql']; //completes sql statement for data query
//echo $sql_data.$sql_edit.'<br />';
//Determines if user wants to enter a new record
if(isset($_GET['n'])){
 $tabindex=1;
 mysql_data_seek($r_variable,0);
 while ($rw_variable=mysql_fetch_assoc($r_variable)) {
  switch ($rw_variable['e_format']){
   case "U":    //Insert update button
    $str_new='<form action="display_page.php?pg='.$_SESSION['pg'].'" method="post"><tr>'.
             '<td><input type="submit" value="Update" /></td>';
    break;
   case "ddds": //Display dropdown list for all available document statuses
    $str_new.=dropdown_field(remove_table($rw_variable['field']),0,"ds");
    break;
   case "ddfp": //Display dropdown list for available options (Form, Procedure, Work Instruction)
    $str_new.=dropdown_field(remove_table($rw_variable['field']),0,"fp");
    break;
   case "ddrs": //Display dropdown list of available final completion document statuses
    $str_new.=dropdown_field(remove_table($rw_variable['field']),0,"rs");
    break;
   case "ddyn": //Display dropdown list for yes/no options
    $str_new.=dropdown_field(remove_table($rw_variable['field']),0,"yn");
    break;
   case 1:      //Display textbox to allow editing
    $str_new.='<td><input type="text" maxlength="'.$rw_variable['e_maxlength'].'" size="'.$rw_variable['e_size'].'" name="'.remove_table($rw_variable['field']).'" tabindex="'.$tabindex++.'"></td>';
    break;
   case 3:      //Display checkbox
    $str_new.='<td><input type="checkbox" name="'.remove_table($rw_variable['field']).'" value="1" checked tabindex="'.$tabindex++.'"></td>';
    break;
   case 4:      //Display calendar
    $str_new.='<td>calendar</td>';
/*   ?>
    <script>
     DateInput('ship_date')
    </script>
    <?php
    break;
   default: //Null:  Displays text only
    $str_new.='<td></td>';*/
    break;
  }
 }
 $str_new.='</tr>'; //Closes new row
}
//Determines if user wants to edit recordset
if(isset($_GET['e'])){
 $tabindex=1;
 mysql_data_seek($r_variable,0);
 $rw_variable=mysql_fetch_assoc($r_variable);
 $sql_edit=' WHERE '.$rw_variable['field'].'="'.$_GET['e'].'"';
 $rw_edit=mysql_fetch_assoc(query($sql_data.$sql_edit));
 mysql_data_seek($r_variable,0);
 while ($rw_variable=mysql_fetch_assoc($r_variable)) {
  switch ($rw_variable['e_format']){
   case "U":    //Inserts update button
    $str_edit='<form action="display_page.php?pg='.$_SESSION['pg'].'" method="post"><tr>'.
              '<td><input type="submit" value="Update" />'.
              '<input type="hidden" name="'.$rw_variable['field'].'" value="'.$rw_edit[remove_table($rw_variable['field'])].'"></td>';
    echo $rw_variable['field'].'<br />';
    break;
   case 1:      //Display textbox to allow editing
    $str_edit.='<td><input type="text" maxlength="'.$rw_variable['e_maxlength'].'" size="'.$rw_variable['e_size'].'" name="'.remove_table($rw_variable['field']).'" value="'.$rw_edit[remove_table($rw_variable['field'])].'" tabindex="'.$tabindex++.'"></td>';
    break;
   case "ddds": //Display dropdown list for all available document statuses
    $str_edit.=dropdown_field(remove_table($rw_variable['field']),$rw_edit[remove_table($rw_variable['field'])],"ds");
    break;
   case "ddfp": //Display dropdown list for available options (Form, Procedure, Work Instruction)
    $str_edit.=dropdown_field(remove_table($rw_variable['field']),$rw_edit[remove_table($rw_variable['field'])],"fp");
    break;
   case "ddrs": //Display dropdown list of available final completion document statuses
    $str_edit.=dropdown_field(remove_table($rw_variable['field']),$rw_edit[remove_table($rw_variable['field'])],"rs");
    break;
   case "ddyn": //Display dropdown list for yes/no options
    $str_edit.=dropdown_field(remove_table($rw_variable['field']),$rw_edit[remove_table($rw_variable['field'])],"yn");
    break;
   case 3:      //Display checkbox
    if(empty($rw_edit[remove_table($rw_variable['field'])])) $str_edit.='<td><input type="checkbox" name="'.remove_table($rw_variable['field']).'" tabindex="'.$tabindex++.'"></td>';
    else                                                     $str_edit.='<td><input type="checkbox" name="'.remove_table($rw_variable['field']).'" value="1" checked tabindex="'.$tabindex++.'"></td>';
    break;
   case 4:      //Display calendar
    $str_edit.='<td>calendar</td>';
    break;
   default:     //Null:  Displays text only
    $str_edit.='<td>'.$rw_edit[remove_table($rw_variable['field'])].'</td>';
    break;
  }
 }
 $str_edit.='</tr>'; //Closes edit row
}
if(isset($_GET['pg'])){
 unset($_SESSION['where']);
 switch ($rw_page['where']){ //Determines {Where} requirements
  case 1: //Project specific details
   $_SESSION['where']=' '.'WHERE project_id='.$_SESSION["project_id"];
   break;
 }
}
//Concatenates additional WHERE conditions
mysql_data_seek($r_variable,0);
while ($rw_variable=mysql_fetch_assoc($r_variable)) {
 if(isset($_GET[remove_table($rw_variable['field'])])){
  if($rw_page['where']) $_SESSION['where'].=' AND ';
  else                  $_SESSION['where'].=' WHERE ';
  $_SESSION['where'].=$rw_variable['field'].'="'.$_GET[remove_table($rw_variable['field'])].'"';
 }
}
if(!empty($_SESSION['where'])) $sql_data.=$_SESSION['where'];
//Concatenates ORDER BY condition
if(isset($_GET['o'])){
 $x=1;
 mysql_data_seek($r_variable,0);
 while ($rw_variable=mysql_fetch_assoc($r_variable)) {
  if (!empty($col[$x])) {
   if($_GET['o']==$x++) $sql_data.=' ORDER BY '.$rw_variable['field'];
  }
 }
 if ($r==1) $sql_data.=' DESC ';
 else       $sql_data.=' ASC ';
}
//Create datagrid
$x=1;
$i=0;
$r_data=query($sql_data);
echo '<body><table class="datagrid">';
if(isset($_GET['n'])) echo $str_new;    //Displays blank row
if(isset($_GET['e'])) echo $str_edit;   //Displays selected row for editing
while ($rw_data=mysql_fetch_assoc($r_data)) {
 //Repeats header based on user setting
 if($_SESSION['header_repeat']==0) echo $str_header;
 if(!empty($_SESSION['header_repeat'])){
  $remainder=$i % $_SESSION['header_repeat'];
  if(empty($remainder)) echo $str_header;
 }
 $str_row='<tr class=d'.($i++ & 1).'>';
 mysql_data_seek($r_variable,0);
 while ($rw_variable=mysql_fetch_assoc($r_variable)) {
  switch ($rw_variable['dg_function']){
   case "E":  //Inserts column to allow editing of data row
    $str_row.='<td><a href="display_page.php?e='.$rw_data[remove_table($rw_variable['field'])].'"><img src="images/pencil.gif" alt="Edit"></a></td>';
    break;
   case "/":  //Blank cell
    $str_row.='<td></td>';
    break;
   case 1:    //displays text with where function to allow filtering of item
    $str_row.='<td><a href="display_page.php?'.remove_table($rw_variable['field']).'='.$rw_data[remove_table($rw_variable['field'])].'">'.$rw_data[remove_table($rw_variable['field'])].'</a></td>';
    break;
   case 'ps': //displays staff name with where function to allow filtering of item
    if(isset($rw_data[remove_table($rw_variable['field'])])){
     $sql='SELECT tbl_staff.staff_id, IF( alias IS NULL , CONCAT(first_name,\' \',surname) , CONCAT(alias,\' \',surname)) AS name '.
          'FROM tbl_staff '.
          'WHERE staff_id='.$rw_data[remove_table($rw_variable['field'])];
     $row=mysql_fetch_assoc(query($sql));
    }
    $str_row.='<td><a href="display_page.php?'.remove_table($rw_variable['field']).'='.$rw_data[remove_table($rw_variable['field'])].'">'.$row['name'].'</a></td>';
    break;
   case 2:    //Tick/cross image for a boolean column
    if     ($rw_data[remove_table($rw_variable['field'])]==1)      $str_row.='<td><img src="images/ok.gif"></td>';
    elseif (isset($rw_data[remove_table($rw_variable['field'])])) $str_row.='<td><img src="images/nok.gif"></td>';
    else                                                          $str_row.='<td>?</td>';
    break;
   case 3:    //F/P flag for a boolean column
    if     ($rw_data[remove_table($rw_variable['field'])]==1) $str_row.='<td>F</td>';
    elseif ($rw_data[remove_table($rw_variable['field'])]==0) $str_row.='<td>P</td>';
    else                                                      $str_row.='<td>?</td>';
    break;
   case 4:    //Removes trailing zeros from numbers
    $str_row.='<td>'.trim_zero($rw_data[remove_table($rw_variable['field'])]).'</td>';
    break;
   case 5:    //Creates hyperlink text to URL address
    $str_row.='<td><a href="'.$rw_data['url'].'" target="_blank">'.$rw_data[remove_table($rw_variable['field'])].'</a></td>';
    break;
   case 6:    //Determines if material is late compared to required/current date
    if($rw_data['status']!="Plant" && !empty($rw_data['edate'])){
     echo $rw_data['status'].'<br />'.$rw_data['edate'];
     $delta=strtotime($rw_data['edate'])-strtotime($rw_data['rdate']);
     if     (strtotime($rw_data['edate'])<time())        $alert="d4"; //Material is overdue
     elseif ($delta>$one_week)                           $alert="d3"; //Later than one week
     elseif ($delta<$one_week AND $delta>$one_day)       $alert="d2"; //Late within one week
     elseif ($delta>-$one_month AND $delta<-2*$one_week) $alert="d1"; //Early within one month
     elseif ($delta<-$one_month)                         $alert="d0"; //Earlier than one month
     else                                                $alert="";
     echo $alert;
    }
    $str_row.='<td class='.$alert.'>'.$rw_data['edate'].'</td>';
    break;
   default:   //Null:  display text only
    $str_row.='<td>'.$rw_data[remove_table($rw_variable['field'])].'</td>';
    break;
  }
 }
 $str_row.='</tr>';
 $x=1;
 echo $str_row;
}
echo '</table></body></html>';
//Isolates field name from table reference
function remove_table($string) {
 if(strpos($string,".")) $field=substr($string,strpos($string,".")+1);
 else                    $field=$string;
 return $field;
}
//Removes trailing zeroes from a number if not required
function trim_zero($value){
 if($value-floor($value)) $qty=$value;
 else                     $qty=number_format($value,0,'.',',');
 return $qty;
}
//Builds a <select> cell; $preference picks the option set, $value marks the selected option
function dropdown_field($field,$value,$preference){
 switch ($preference){
  case "yn":
   $option=array("Yes","No","?");
   $index=array(1,0,NULL);
   break;
  case "fp":
   $option=array("Work Instruction","Form","Procedure","?");
   $index=array(2,1,0,NULL);
   break;
  case "rs": //Required document status
   $option=array("?");
   $index=array(NULL);
   $sql='SELECT status_id, `status` FROM `tbl_list_status` WHERE `final` IS NOT NULL';
   $result=query($sql);
   while ($row=mysql_fetch_assoc($result)) {
    array_push($option,$row['status']);
    array_push($index,$row['status_id']);
   }
   break;
  case "ds": //Document status
   $option=array("?");
   $index=array(NULL);
   $sql='SELECT status_id, status FROM tbl_list_status';
   $result=query($sql);
   while ($row=mysql_fetch_assoc($result)) {
    array_push($option,$row['status']);
    array_push($index,$row['status_id']);
   }
   break;
  case "ps": //Project specific staff
   $option=array("?");
   $index=array(NULL);
   $sql='SELECT tbl_staff.staff_id, IF( alias IS NULL , CONCAT(first_name,\' \',surname) , CONCAT(alias,\' \',surname)) AS name '.
        'FROM (tbl_staff INNER JOIN (tbl_project INNER JOIN tbl_team ON tbl_project.project_id =tbl_team.project_id) ON tbl_staff.staff_id = tbl_team.staff_id) '.
        'INNER JOIN tbl_company ON tbl_staff.company_id = tbl_company.company_id '.
        'WHERE tbl_team.project_id='.$_SESSION['project_id'].' '.
        'ORDER BY name ASC';
   $result=query($sql);
   while ($row=mysql_fetch_assoc($result)) {
    array_push($option,$row['name']);   //the query aliases the display column as `name`
    array_push($index,$row['staff_id']);
   }
   break;
 }
 $x=0;
 $string='<td><select  class="text" name="'.$field.'">';
 foreach($index as &$i){
  if ($i==$value) $string.='<option value="'.$i.'" selected>'.$option[$x++].'</option>';
  else            $string.='<option value="'.$i.'">'.$option[$x++].'</option>';
 }
 $string.='</select></td>';
 return $string;
}
?>
dgkindy is offline
Old 02-09-2011, 03:33 PM Re: $_POST modifying variables
The $_POST variable is being sanitized. Per the PHP: Variables From External Sources - Manual:

Quote:
Dots and spaces in variable names are converted to underscores. For example <input name="a.b" /> becomes $_REQUEST["a_b"].
And additionally:

Quote:
Dots in incoming variable names

Typically, PHP does not alter the names of variables when they are passed into a script. However, it should be noted that the dot (period, full stop) is not a valid character in a PHP variable name. For the reason, look at it:
PHP Code:
<?php
$varname.ext; /* invalid variable name */
?>
Now, what the parser sees is a variable named $varname, followed by the string concatenation operator, followed by the barestring (i.e. unquoted string which doesn't match any known key or reserved words) 'ext'. Obviously, this doesn't have the intended result.

For this reason, it is important to note that PHP will automatically replace any dots in incoming variable names with underscores.
__________________
Ronnie T. Dodger


Last edited by RonnieTheDodger; 02-09-2011 at 03:35 PM..
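A defender-side rework of the update step from the first post, added here as an example and not code from the thread: it derives the posted key the way PHP does (dots and spaces become underscores) so `tbl_sod.sod_id` is found under `tbl_sod_sod_id`, takes the table and column names from a server-side whitelist instead of from `key($_POST)`, and passes values as bound parameters rather than concatenating them into the SQL. The `EDITABLE` map, `build_update()`, `posted_name()` and the sample `$samplePost` array are constructed for illustration; it assumes PHP 7.1+ and a PDO connection for the commented-out execute.

```php
<?php
// Added example, not from the thread. Names, map and sample data are constructed.

/** Reproduce PHP's rewriting of incoming variable names: dots and spaces become underscores. */
function posted_name(string $formName): string {
    return str_replace(['.', ' '], '_', $formName);
}

/** Server-side whitelist: which <input> names map to which table/column. Constructed for illustration. */
const EDITABLE = [
    'tbl_sod.sod_id' => ['table' => 'tbl_sod', 'column' => 'sod_id', 'key' => true],
    'doc'            => ['table' => 'tbl_sod', 'column' => 'doc'],
    'rev'            => ['table' => 'tbl_sod', 'column' => 'rev'],
    'comment'        => ['table' => 'tbl_sod', 'column' => 'comment'],
];

/**
 * Build a parameterised UPDATE for one table from the whitelist.
 * Identifiers come only from the map; every value becomes a named placeholder.
 * Empty strings become NULL, matching the NULL-for-empty rule in the original script.
 * Returns [sql, params] or throws when the key column or any SET column is absent.
 */
function build_update(array $post, array $editable, string $table): array {
    $set = []; $params = []; $where = null;
    foreach ($editable as $formName => $meta) {
        if ($meta['table'] !== $table) continue;
        $key = posted_name($formName);               // 'tbl_sod.sod_id' -> 'tbl_sod_sod_id'
        if (!array_key_exists($key, $post)) continue; // field not submitted: leave column alone
        $placeholder = ':' . $key;
        $params[$placeholder] = ($post[$key] === '') ? null : $post[$key];
        if (!empty($meta['key'])) {
            $where = "`{$meta['column']}` = $placeholder";
        } else {
            $set[] = "`{$meta['column']}` = $placeholder";
        }
    }
    if ($where === null || $set === []) {
        throw new RuntimeException('key column missing or nothing to update');
    }
    return ["UPDATE `$table` SET " . implode(', ', $set) . " WHERE $where", $params];
}

// Constructed sample of what the browser posts for the inputs above; note the mangled key name.
$samplePost = [
    'tbl_sod_sod_id' => '1871',
    'doc'            => '3418499-015',
    'rev'            => '',
    'comment'        => 'HELLO',
    'not_a_column'   => "x'; DROP TABLE tbl_sod; --",   // ignored: not in the whitelist
];
[$sql, $params] = build_update($samplePost, EDITABLE, 'tbl_sod');
echo $sql, "\n";
print_r($params);
// $pdo->prepare($sql)->execute($params);   // values never become part of the SQL text
```

Unknown keys such as `not_a_column` are dropped rather than appended to the statement, and a missing key column aborts the update instead of producing a `WHERE` clause with no value.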