PHP form field oddness!

Got a weird problem and wondered if the people here had ever seen

I have an internal website that is PHP based.  One of the form submits
has tons of fields, so to simplify the updating/inserting of records
(and long term management of the page) I go through the request (HTTP
POST/GET) variables and create an SQL statement based on the data.
This means if I add a new database field I can just add the form field
on the page and I do not have to alter the database code.

However, now and again a random form field will turn up that is not on
the original page.  The latest is "sageamp".  I have had "s_vnum" and
"SITESERVER".  They look to be related to cookies - e.g. sageamp seems
to be related to web analysis.  These form fields are unrelated to the
actual PHP code that generates the HTML form - the form fields just
appear on the page.

If the problem occurs I clear the cache (including cookies) and the
problem goes away for a while.  This only occurs in Firefox; however,
if I replicated the browsing that Firefox has been up to in IE it may
also happen.

The code for doing the DB update,  if you are interested (nothing to
do with the problem I am sure) is:

(note - you can see where I have put exceptions in for the phantom
form fields to allow the code to work - I have since found out that
clearing the cache stops the fields from appearing).

        // Build the SET list from every request variable, skipping known non-column keys
        while (list($key, $val) = each($_REQUEST)) {
            if ($key <> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <> "PHPSESSID"
                && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum") {
                $sql .= " `$key` = '".addslashes($val)."', ";
            }
        }


Any help appreciated!

Re: PHP form field oddness!


Don't use $_REQUEST, use $_POST (or $_GET).
An even more secure approach is to use array notation in this form:
<input type="text" name="form[name]" />
Then you will get an easy-to-read $_POST array with:
and your iteration will be much easier:
while(list($key,$val) = each ($_POST['form'])) ...
without any exceptions

Code like
$key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>

always indicates a wrong approach!


Re: PHP form field oddness!


You could do an array_merge on $_POST and $_GET or an array_diff with
$_REQUEST and $_COOKIE, and $_ENV.

Or you could do a DESC $tablename and just add the $_REQUEST keys
which match.
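
As an added example (not code from any poster in this thread), here is one way to combine the two replies above: read only `$_POST['form']` and keep only the keys that match the table's columns, binding the values as placeholders rather than escaping them with `addslashes`. The table `customers`, its column list, the `id` key and the function name `build_update` are assumptions made for the illustration.

```php
<?php
// Added example. By default $_REQUEST merges $_GET, $_POST and $_COOKIE, which
// is how cookie names such as "s_vnum" end up looking like form fields.
// Reading $_POST['form'] and filtering by column name removes the need for
// a growing list of excluded keys.

/**
 * @param string $table   table name chosen by the code, never by the client
 * @param array  $form    submitted fields, e.g. $_POST['form']
 * @param array  $columns column names the table really has (hard-coded here;
 *                        could be read once with DESC on the table)
 * @param int    $id      primary key of the row to update (hypothetical `id`)
 * @return array [SQL with placeholders, values to bind, keys that were ignored]
 */
function build_update(string $table, array $form, array $columns, int $id): array
{
    $set = [];
    $params = [];
    $ignored = [];
    foreach ($form as $key => $val) {
        // Only keys that are known column names ever reach the SQL text.
        if (!in_array($key, $columns, true) || !is_scalar($val)) {
            $ignored[] = $key;
            continue;
        }
        $set[] = "`$key` = ?";
        $params[] = (string) $val;
    }
    if ($set === []) {
        throw new InvalidArgumentException('no updatable fields submitted');
    }
    $params[] = $id;
    $sql = "UPDATE `$table` SET " . implode(', ', $set) . ' WHERE `id` = ?';
    return [$sql, $params, $ignored];
}

// Constructed sample input standing in for $_POST after a submit of
// <input name="form[name]">, <input name="form[phone]">, <input name="form[edit]">.
$post = ['form' => ['name' => "O'Brien", 'phone' => '555-0100', 'edit' => '1'],
         'Submit' => 'Save'];
$columns = ['name', 'phone', 'notes'];   // hypothetical columns of `customers`

[$sql, $params, $ignored] = build_update('customers', $post['form'], $columns, 42);
echo $sql, "\n", json_encode($params), "\n", json_encode($ignored), "\n";
// With PDO the result is used as: $pdo->prepare($sql)->execute($params);
```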

