  1. #1
    SitePoint Guru DeNasio's Avatar
    Join Date
    May 2001
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)

    Multiple checkboxes

    Hello,

    If you have several checkboxes with the same name, and someone checks more than one box, will the results variable be an array?

    Example:

    Code:
    <INPUT TYPE="checkbox" NAME="transport" VALUE="car">Car
    <INPUT TYPE="checkbox" NAME="transport" VALUE="train">Train
    <INPUT TYPE="checkbox" NAME="transport" VALUE="bike">Bike
    If someone checks two of the checkboxes, will the variable $transport be an array that contains the two values?

  2. #2
    Dumb PHP codin' cat
    Join Date
    Aug 2000
    Location
    San Diego, CA
    Posts
    5,460
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You'll have to name them transport[] then each one checked will become an element of the array $transport
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  3. #3
    SitePoint Guru DeNasio's Avatar
    Join Date
    May 2001
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You mean like this?

    Code:
    <INPUT TYPE="checkbox" NAME="transport[]" VALUE="car">Car
    <INPUT TYPE="checkbox" NAME="transport[]" VALUE="train">Train
    <INPUT TYPE="checkbox" NAME="transport[]" VALUE="bike">Bike
    Are you sure about this? Doesn't feel right.

  4. #4
    Dumb PHP codin' cat
    Join Date
    Aug 2000
    Location
    San Diego, CA
    Posts
    5,460
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Well if you aren't sure about it, why don't you test it. But if you want to skip the test, you can trust me it works. If you really want to test it try it like this:

    PHP Code:
    <?
    if($submit) {
        foreach($transport as $val) {
            print "$val<br>";
        }
    }
    ?>
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="checkbox" name="transport[]" value="boat">boat<br>
    <input type="checkbox" name="transport[]" value="plane">plane<br>
    <input type="checkbox" name="transport[]" value="car">car<br>
    <input type="submit" name="submit" value="Submit">
    </form>
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  5. #5
    SitePoint Guru DeNasio's Avatar
    Join Date
    May 2001
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Ok Freddy,

    I believe you. You seem to be an expert in php ;-)
    (or is it your cat?)

    Thanks

  6. #6
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    i think freddy has been passing on a few tips to his owner

  7. #7
    SitePoint Guru DeNasio's Avatar
    Join Date
    May 2001
    Posts
    830
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Take a look at this code:

    Code:
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="checkbox" name="transport[]" value="">boat<br>
    <input type="checkbox" name="transport[]" value="">plane<br>
    <input type="checkbox" name="transport[]" value="">car<br>
    <input type="submit" name="submit" value="Submit">
    </form>
    I thought that this code will always return an empty array (take a good look at the values)! But when you check a box, the variable $transport will not be empty! How can this be? And how do I make the "" NOT appear in the results of an array?

  8. #8
    Dumb PHP codin' cat
    Join Date
    Aug 2000
    Location
    San Diego, CA
    Posts
    5,460
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Uh... Why would you want to not have values in your checkboxes? I suppose you could iterate through the array looking for blank elements and if you find one remove it.

    PHP Code:
    <?
    if($submit) {
        if($transport) {
            foreach($transport as $key => $val) {
                if($val == '') {
                    // Remove the blank element itself; array_pop() would drop
                    // the last element whatever its value
                    unset($transport[$key]);
                }
                else {
                    continue;
                }
            }
            print count($transport)."<br>";
            foreach($transport as $val) {
                print "$val<br>";
            }
        }
    }
    ?>
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="checkbox" name="transport[]" value="boat">boat<br>
    <input type="checkbox" name="transport[]" value="plane">plane<br>
    <input type="checkbox" name="transport[]" value="">car<br>
    <input type="submit" name="submit" value="Submit">
    </form>
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  9. #9
    Talk to the /dev/null Theiggsta's Avatar
    Join Date
    Mar 2001
    Location
    Tampa, FL
    Posts
    376
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am doing something like that, but with input boxes...do I use that same code?

    I have a number in an input box and it needs to be able to separate item[$num] and the value of it as $val, so do I simply modify the code above or do I have to change it?
    Aaron "Theiggsta" Kalin
    Pixel Martini
    Ruby and Rails Developer

  10. #10
    Talk to the /dev/null Theiggsta's Avatar
    Join Date
    Mar 2001
    Location
    Tampa, FL
    Posts
    376
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I got it to work with that above code...took some modifying... (and a quick refresher of the foreach command @ php.net) so it works now with input boxes...
    Aaron "Theiggsta" Kalin
    Pixel Martini
    Ruby and Rails Developer

  11. #11
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Freddy,

    I was just experimenting with this array thing. Take the code below, where you are using the checkbox name (array): transport[] in the HTML code.

    <input type="checkbox" name="transport[]" value="boat">

    Suppose some (stupid) user decides to modify the HTML to:

    <input type="checkbox" name="transport" value="boat">

    thus leaving out the []. On submission, it gives a script error because the script is expecting an array. Similarly, when the script is expecting a scalar value, if some user modifies the HTML to send an array value, it messes up again.

    Any workarounds?

    Arpith

    Originally posted by freddydoesphp

    PHP Code:
    <?
    if($submit) {
        foreach($transport as $val) {
            print "$val<br>";
        }
    }
    ?>
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="checkbox" name="transport[]" value="boat">boat<br>
    <input type="checkbox" name="transport[]" value="plane">plane<br>
    <input type="checkbox" name="transport[]" value="car">car<br>
    <input type="submit" name="submit" value="Submit">
    </form>

  12. #12
    Node mutilating coot timnz's Avatar
    Join Date
    Feb 2001
    Location
    New Zealand
    Posts
    516
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    How many people are going to be wanting to do that?

    hehe, also, if they are stupid they are hardly going to be fiddling with your html code are they now?

    I think there is the same problem with every script anybody makes, no real way around it, apart from comparing the code from the previous page somehow to the code it should be. But that would just be very very inefficient.

    And another note,
    If they change the page, they have to refresh the page so that they are using the one they modified, which means they have to save it on their computer first, and change the path in the action attribute of <form>. If they do all of that, then you can safely use $HTTP_REFERER and check they have come from the previous page. (note that it is actually spelt referer, rather than referrer).

  13. #13
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Any wannabe hacker who wanted to have a little fun?? The error printed by PHP reveals the PATH to the script remember (unless error reporting is disabled)!

    I reckon the best method would be to check if the variable is an array or not.

    arpith

  14. #14
    Node mutilating coot timnz's Avatar
    Join Date
    Feb 2001
    Location
    New Zealand
    Posts
    516
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    And they will choose this site out of how many?

    Still, there is always the chance of it happening.

    Also note that, if you are checking to see whether it is an array or not, why can't they enter different values into it, but still make it an array?

  15. #15
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Originally posted by arpith
    Any wannabe hacker who wanted to have a little fun?? The error printed by PHP reveals the PATH to the script remember (unless error reporting is disabled)!

    I reckon the best method would be to check if the variable is an array or not.

    arpith
    It is essential to prevent hacking of your scripts but if someone wants to send fake data to my script i have no problem with them getting a php script error, making friendly error messages for people who want to try and fake your script data appears to be a bit of a waste of time to me but that is just IMHO.

  16. #16
    SitePoint Evangelist
    Join Date
    Feb 2000
    Location
    England
    Posts
    568
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    why does having the path to the script pose any security risk at all? If someone is hosting on a virtual site i can always work out the path to their script just by finding out what the default set up is on that server (ie the FAQ!). can't see how that helps any hacker?

  17. #17
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    If you have this in your HTML (car[]) and are expecting an array of values, you could check for an array with:

    if (is_array($car)) { .... }

    If you are expecting a scalar value, I guess you could do:

    if (!is_array($car)) { .... }



    It's not just the path of the script... it could be the path of php include files (holding db usernames/passwords..). Generally, it's not a good idea to display your directory structure :-)

    OTH: you could stop php from displaying std errors with an error handler:

    set_error_handler('error_handler_function');

    Arpith
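
The is_array() check discussed in posts 11 to 17, extended to also check each submitted value against the values the form actually offers. This is an added example, not code from any poster in the thread; `ALLOWED_TRANSPORT` and `clean_transport()` are hypothetical names, and the function takes the POST array as a parameter (pass `$_POST` in a real script).

```php
<?php
// Added example: ALLOWED_TRANSPORT and clean_transport() are hypothetical names.
const ALLOWED_TRANSPORT = ['boat', 'plane', 'car'];

// Returns the selected transports, or null when the request does not have
// the shape the form produces.
function clean_transport(array $post): ?array
{
    // No box checked: the browser omits the field, which is a valid empty choice.
    if (!array_key_exists('transport', $post)) {
        return [];
    }
    $raw = $post['transport'];
    // name="transport" (without []) arrives as a string, not an array.
    if (!is_array($raw)) {
        return null;
    }
    $clean = [];
    foreach ($raw as $val) {
        // Reject nested arrays, blank values and anything the form never offered.
        if (!is_string($val) || !in_array($val, ALLOWED_TRANSPORT, true)) {
            return null;
        }
        $clean[$val] = true; // array keys de-duplicate repeated values
    }
    return array_keys($clean);
}

// Constructed sample requests, not captured traffic.
$samples = [
    'two checked'   => ['transport' => ['boat', 'car'], 'submit' => 'Submit'],
    'none checked'  => ['submit' => 'Submit'],
    'scalar'        => ['transport' => 'boat'],
    'unknown value' => ['transport' => ['boat', 'rocket']],
    'nested array'  => ['transport' => [['x' => '1']]],
    'blank value'   => ['transport' => ['']],
];
foreach ($samples as $label => $post) {
    $result = clean_transport($post);
    echo $label, ': ', $result === null ? 'rejected' : json_encode($result), "\n";
}
```

Because malformed input is rejected before any foreach runs over it, the script never reaches the PHP error that would print its path.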

  18. #18
    SitePoint Enthusiast
    Join Date
    Jul 2000
    Posts
    32
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    PHP Code:
    <form action="<?=$PHP_SELF?>" method="post">
    <input type="checkbox" name="transport[]" value="boat">boat<br>
    <input type="checkbox" name="transport[]" value="plane">plane<br>
    <input type="checkbox" name="transport[]" value="">car<br>
    <input type="submit" name="submit" value="Submit">
    </form>
    Does the array always contain the values in the same order as in the form? If I check all the checkboxes in the example above, will $transport always be ("boat","plane","car")?

  19. #19
    ********* Callithumpian silver trophy freakysid's Avatar
    Join Date
    Jun 2000
    Location
    Sydney, Australia
    Posts
    3,798
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    I am writing some scripts at the moment that go through a sign-up process involving a couple of forms, a confirmation email and a couple of more forms before the transaction is complete. Basically, I am testing that $HTTP_REFERER is from my domain for all the forms and testing that *every* value I expect should be in the $HTTP_POST_VARS array is there. If either of these are false I send a header and redirect the user to the index page. I don't want anyone trying to pass dubious data in the url or trying to open a socket to my script remotely, etc.

  20. #20
    SitePoint Zealot
    Join Date
    May 2000
    Posts
    150
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    nasio,

    I think they will be in order.

    Arpith

  21. #21
    SitePoint Member
    Join Date
    May 2001
    Location
    Hamburg, Germany
    Posts
    18
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Freakysid,

    I know $HTTP_REFERER but I am not sure what $HTTP_POST_VARS does.
    As I wanted to make sure that a certain page of my site is only displayed when it is called by another of my pages I started testing $HTTP_REFERER. I created the following two test files: test1.html and test2.php.

    test1.html:
    <html>
    <head>
    <title>Untitled</title>
    </head>
    <body>
    <a href="test2.php?HTTP_REFERER=something">Click here</a>
    </body>
    </html>

    test2.php:
    PHP Code:
    <html>
    <head>
        <title>Untitled</title>
    </head>
    <body>
    <?php
        $domain = substr($HTTP_REFERER, 0, 9);
        echo($domain);
    ?>
    </body>
    </html>
    When following the link in test1.html the second page came up with "something"...

    This would mean that any user can circumvent any protections based on $HTTP_REFERER alone. Can the other variable HTTP_POST_VARS help me, how do I use it?

    Frank :-)
    That's it.

  22. #22
    You talkin to me? Anarchos's Avatar
    Join Date
    Oct 2000
    Location
    Austin, TX
    Posts
    1,438
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    You can use $HTTP_SERVER_VARS['HTTP_REFERER'] for security.
    ck :: bringing chris to the masses.

  23. #23
    Node mutilating coot timnz's Avatar
    Join Date
    Feb 2001
    Location
    New Zealand
    Posts
    516
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    Out of curiosity, where do the HTTP_SERVER_VARS fit into the variables_order directive in the php.ini file?
    Default is this:
    variables_order = "EGPCS";
    Oh no! the coots are eating my nodes!

  24. #24
    Dumb PHP codin' cat
    Join Date
    Aug 2000
    Location
    San Diego, CA
    Posts
    5,460
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    E - Environmental
    G - GET
    P - POST
    C - Cookie
    S - Server
    Please don't PM me with questions.
    Use the forums, that is what they are here for.

  25. #25
    Node mutilating coot timnz's Avatar
    Join Date
    Feb 2001
    Location
    New Zealand
    Posts
    516
    Mentioned
    0 Post(s)
    Tagged
    0 Thread(s)
    So therefore, since the server variables will overwrite all the other ones (unless of course you redefine them inside the script), what is the added security of using:
    $HTTP_SERVER_VARS['HTTP_REFERER']
    Except to make sure you don't like change $HTTP_REFERER anywhere in your script.
    Oh no! the coots are eating my nodes!
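
The Referer check from posts 19 to 25, written so that a request parameter named HTTP_REFERER (as in test1.html) cannot influence it, and going beyond the thread by comparing the parsed host rather than a string prefix. This is an added example, not code from any poster; `referer_has_prefix()`, `referer_host_is()` and the example.* host names are hypothetical, and the header itself is still sent by the client, so this is a consistency check rather than proof of origin.

```php
<?php
// Added example. referer_has_prefix(), referer_host_is() and the example.*
// host names are hypothetical and do not come from the thread.

// Weak form: compare the start of the header with the site URL.
function referer_has_prefix(array $server, string $prefix): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    return is_string($referer) && strncmp($referer, $prefix, strlen($prefix)) === 0;
}

// Stricter form: parse the URL and compare the host component exactly.
function referer_host_is(array $server, string $expectedHost): bool
{
    $referer = $server['HTTP_REFERER'] ?? '';
    if (!is_string($referer) || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Constructed requests: [server array, request parameters].
$requests = [
    'own form'        => [['HTTP_REFERER' => 'http://www.example.com/test1.html'], []],
    'parameter only'  => [[], ['HTTP_REFERER' => 'http://www.example.com/']],
    'look-alike host' => [['HTTP_REFERER' => 'http://www.example.com.example.net/x'], []],
    'no header'       => [[], []],
];
foreach ($requests as $label => [$server, $params]) {
    // $params is deliberately ignored: only the server array is consulted.
    printf("%-16s prefix=%s host=%s\n", $label,
        var_export(referer_has_prefix($server, 'http://www.example.com'), true),
        var_export(referer_host_is($server, 'www.example.com'), true));
}
```

In a real script, pass `$_SERVER` as the first argument; the look-alike host row is the case where the prefix comparison and the host comparison disagree.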

