Help with PHP $_POST

try this instead of using <select>:

Thanks! It worked perfectly once I got rid of the typo "imput" to "input".

Here is the finished code for anyone else who stumbles on this

And while that solution is all well and good, it is not secure. I recommend just using the $id variable in the PHP code if you already have it set, instead of putting it into a hidden input field, because you still have access to the variable and you wouldn't be leaving it open to script manipulation.

and if you put this variable in your db, you should use the function stripinput()

more about stripinput here:
http://code.starefossen.com/infusions.../index.php

... but if that $id is numeric (always), we must use isnum() ...

You should use both then :)

Use stripinput() on variables which are not numeric, explained here.

Use isnum() on variables which should be numeric, explained here.

sorry but I don't get you. when you said "using the $id variable in the PHP code", how should that be implemented? can you give an example?

Thanks in advance.

I'll try to explain how script manipulation works.

Imagine you have this form:

$id = (isnum($_GET['id']) ? $_GET['id'] : "1");
echo "<form action='".FUSION_SELF."?id=".$id."' method='post'>\n";
echo "<input type='hidden' name='id' value='".$id."' />\n";
echo "<input type='text' class='textbox' name='text' value='Type some text here' />\n";
echo "<input type='submit' class='button' name='submit' value='Send' />\n";
echo "</form>\n";

You submit the form and this is the code making the input to the database:

if (isset($_POST['submit']) && isnum($_POST['id'])) {
$text = stripinput($_POST['text']);
$result = dbquery("UPDATE ".DB_TABLE." SET text='".$text."' WHERE id='".$_POST['id']."'");
redirect(FUSION_SELF."?id=".$_POST['id']);
}

As the $_POST['id'] is a hidden input field in the form it can be altered the same way the $_POST['text'] field can, simply edit the source code and you can alter the value of the hidden field to any value:

<input type='hidden' name='id' value='2' />\n

As you can see, the form will submit $_POST['id'] == 2; which is not what we want, as id for this item is 1, the item with id == 2 might have restricted access for the user or might not even exist. If it has restricted access this will allow the hacker to insert data to an item he should not be able to insert data to.

There are several ways to prevent such thing from happening, the easiest way is not relying on hidden fields but using the $_GET['id'] in stead like this:

// We check if the ID is numeric, if not we send them back
if (!isset($_GET['id']) || !isnum($_GET['id'])) { redirect("../index.php"); }

// Check if item exists and that the user have access to it
$result = dbquery("SELECT id, text FROM ".DB_TABLE." WHERE id='".$_GET['id']."' AND ".groupaccess('access')." LIMIT 1");

if (dbrows($result) {
// We can now safely use the $_GET['id'] as we know it exists in the DB and the user have access to the item

if (isset($_POST['submit'])) {
$text = stripinput($_POST['text']);
$result = dbquery("UPDATE ".DB_TABLE." SET text='".$text."' WHERE id='".$_GET['id']."'");
redirect(FUSION_SELF."?id=".$_GET['id']);
}

$data = dbarray($result);

echo "<form action='".FUSION_SELF."?id=".$_GET['id']."' method='post'>\n";
echo "<input type='text' class='textbox' name='text' value='".$data['text']."' />\n";
echo "<input type='submit' class='button' name='submit' value='Send' />\n";
echo "</form>\n";
} else {
echo "Item does not exists or you do not have access to it.";
}

You can read more about the groupaccess() function here.

Great answer Starefossen. ;)