
Re: [forms-dev] Linked Select Value Not Passing Problem

  • Manuel Lemos
    Message 1 of 11 , Aug 25, 2005
      Hello,

      on 08/25/2005 01:23 PM operationsengineer1@... said the following:
      > the problem i'm having now is that the linked select
      > box isn't passing a value. in my case, my parent link
      > is assembly number and child link is serial number.
      > the serial number value isn't passing via
      > POST['serial_number'].
      >
      > the serial number values display just fine.
      >
      > i did a print_r() on assembly_number:
      >
      > Array ( [] => Enter Assembly Number [5] => 02 )
      >
      > and on serial number:
      >
      > Array ( [] => Array ( [] => Enter Serial Number ) [5]
      > => Array ( [] => Choose Serial Number [1] => 1 [2] =>
      > 2 [3] => 3 [4] => 4 [5] => 5 ) )
      >
      > does this look correct? i have one assembly number
      > (02) with associated serial numbers (1,2,3,4,5).
      >
      > i definitely select the serial number with my mouse
      > when filling out the form, but the id will not display
      > when i echo it after checking that the "doit" submit
      > button was checked.

      There was a bug in the linked select plug-in class that affected it when
      the options used were numeric. The bug was fixed in the latest release
      some time ago. Just download it and you should have no more problems.

      --

      Regards,
      Manuel Lemos

      PHP Classes - Free ready to use OOP components written in PHP
      http://www.phpclasses.org/

      PHP Reviews - Reviews of PHP books and other products
      http://www.phpclasses.org/reviews/

      Metastorage - Data object relational mapping layer generator
      http://www.meta-language.net/metastorage.html
    • operationsengineer1@yahoo.com
      Message 2 of 11 , Aug 25, 2005
        hi Manuel,

        i downloaded the latest and greatest a few minutes
        ago. the value of the linked select still does not
        pass through.

        $form->AddInput(array(
        'TYPE'=>'custom',
        'NAME'=>'serial_number',
        'ID'=>'serial_number',
        'CustomClass'=>'form_linked_select_class',
        'VALUE'=>$first_serial_number_id,
        'Groups'=>$groups_serial_number,
        'SIZE'=>4,
        'STYLE'=>'width:14.5em;',
        'LinkedInput'=>'product',
        'LABEL'=>'Serial Number',
        'TABINDEX'=>4,
        'ValidateAsNotEmpty'=>1,
        'ValidationErrorMessage'=>'you must enter the serial number'
        ));

        once i check for "doit" submission, this code yields
        emptiness...

        echo '<br/>'.$serial_number_id = $_POST['serial_number'];

        (i test all values - all other form elements yield
        their correct values).

        i think my code is right (no typos, etc.).

        everything in the form displays very nicely, though,
        so that leads me to believe the arrays are structured
        correctly and the id is available to pass.

        is there extra code required to pass the linked select
        value due to its being linked or should it pass like
        any other form elements once it has been selected?

        tia...


      • Manuel Lemos
        Message 3 of 11 , Aug 25, 2005
          Hello,

          on 08/25/2005 02:24 PM operationsengineer1@... said the following:
          > $form->AddInput(array(
          > 'TYPE'=>'custom',
          > 'NAME'=>'serial_number',
          > 'ID'=>'serial_number',
          > 'CustomClass'=>'form_linked_select_class',
          > 'VALUE'=>$first_serial_number_id,
          > 'Groups'=>$groups_serial_number,
          > 'SIZE'=>4,
          > 'STYLE'=>'width:14.5em;',
          > 'LinkedInput'=>'product',
          > 'LABEL'=>'Serial Number',
          > 'TABINDEX'=>4,
          > 'ValidateAsNotEmpty'=>1,
          > 'ValidationErrorMessage'=>'you must enter the
          > serial number'
          > ));
          >
          > once i check for "doit" submission, this code yields
          > emptiness...
          >
          > echo '<br/>'.$serial_number_id =
          > $_POST['serial_number'];

          Of course. That is not the way to get the input value. What you should
          use is to call the form function GetInputValue('serial_number') after
          calling LoadInputValues and Validate.


          --

          Regards,
          Manuel Lemos

          PHP Classes - Free ready to use OOP components written in PHP
          http://www.phpclasses.org/

          PHP Reviews - Reviews of PHP books and other products
          http://www.phpclasses.org/reviews/

          Metastorage - Data object relational mapping layer generator
          http://www.meta-language.net/metastorage.html
        • operationsengineer1@yahoo.com
          Message 4 of 11 , Aug 25, 2005
            $serial_number=$form->GetInputValue('serial_number');

            worked like a charm! thanks.

            i've been using the $_POST method to get my values on
            form submission. it has always worked up until now.

            is there a compelling reason to use GetInputValue()
            over $_POST when both methods work or should i just
            use GetInputValue() in a case like this where $_POST
            won't work?

            thanks again...

          • Manuel Lemos
            Message 5 of 11 , Aug 25, 2005
              Hello,

              on 08/25/2005 03:57 PM operationsengineer1@... said the following:
              > $serial_number=$form->GetInputValue('serial_number');
              >
              > worked like a charm! thanks.
              >
              > i've been using the $_POST method to get my values on
              > form submission. it has always worked up until now.
              >
              > is there a compelling reason to use GetInputValue()
              > over $_POST when both methods work or should i just
              > use GetInputValue() in a case like this where $_POST
              > won't work?

              Using the function is the recommended way. What you did is not supported
              as you have seen it may not work using $_POST. Depending on your php.ini
              settings the class may perform adjustments to the loaded values like
              removing escape characters, discarding invalid values, applying the
              requested server side transformations, etc.

              --

              Regards,
              Manuel Lemos

              PHP Classes - Free ready to use OOP components written in PHP
              http://www.phpclasses.org/

              PHP Reviews - Reviews of PHP books and other products
              http://www.phpclasses.org/reviews/

              Metastorage - Data object relational mapping layer generator
              http://www.meta-language.net/metastorage.html
            • operationsengineer1@yahoo.com
              Message 6 of 11 , Aug 25, 2005
                hi Manuel,

                how good a job does GetInputValue() do in preventing
                SQL injection attacks?

                is there anything else i should do to protect myself
                beyond using GetInputValue() instead of $_POST?

                as always... tia...



              • Manuel Lemos
                Message 7 of 11 , Aug 25, 2005
                  Hello,

                  on 08/25/2005 06:54 PM operationsengineer1@... said the following:
                  > how good a job does GetInputValue() do in preventing
                  > SQL injection attacks?

                  > is there anything else i should do to protect myself
                  > beyond using GetInputValue() instead of $_POST?

                  The forms class has nothing to do with SQL queries. However, you should
                  not use any values from forms before they are validated.

                  If you expect that certain values from form inputs be of a certain type,
                  you should use the necessary validation rules to prevent that invalid
                  values be accepted and used to exploit your applications.

                  For instance, if you expect that a field contains an integer, just use
                  ValidateAsInteger parameter, call Validate and then GetInputValue to use
                  it in any queries.

                  Also if you are passing contextual values in hidden fields, it does not
                  make much sense to tell the user that the values are invalid because he
                  will not be able to fix values in hidden fields.


                  In that case you can simply tell the forms class to silently discard any
                  invalid values using the DiscardInvalidValues parameter in conjunction
                  with other Validation parameters.

                  This may save you from exploits caused by forged values passed as hidden
                  fields. The main example script test_form.php shows an example of usage.

                  Anyway, most SQL injection exploits are caused by the use of values in
                  SQL queries that are not properly escaped. Escaping values is not the
                  purpose of the form class because it depends on your purpose.

                  For SQL queries there is not a single solution as each database performs
                  escaping in their own way. AddSlashes only works for text values with
                  some databases.

                  For a database independent solution, you may want to look at Metabase
                  with a database abstraction package focused on total database
                  application portability. It works with many databases and among many
                  other portability features, it provides data type value mapping. This
                  means that for text values it can escape such values correctly according
                  to each database, but it also provides proper mapping of values of other
                  database data types.


                  --

                  Regards,
                  Manuel Lemos

                  PHP Classes - Free ready to use OOP components written in PHP
                  http://www.phpclasses.org/

                  PHP Reviews - Reviews of PHP books and other products
                  http://www.phpclasses.org/reviews/

                  Metastorage - Data object relational mapping layer generator
                  http://www.meta-language.net/metastorage.html
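
The two-step advice in the message above (validate the type first, then let a database layer apply that database's own escaping), as an added example that is not part of the original thread and is not code from the forms class or Metabase. Plain PHP with PDO and an in-memory SQLite database stands in for both; the table, column and function names and the sample rows are constructed for illustration.

```php
<?php
// Added example: hypothetical schema and helper names, constructed sample rows.
// filter_var() stands in for ValidateAsInteger, PDO binding for a portable DB layer.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE serial_numbers (id INTEGER PRIMARY KEY, assembly_id INTEGER, label TEXT)');
$db->exec("INSERT INTO serial_numbers VALUES (1, 5, 'SN-1'), (2, 5, 'SN-2''B')");

// Step 1: type check. Returns the integer, or null when the submitted
// string is not a positive integer.
function validated_int($raw)
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return $value === false ? null : $value;
}

// Step 2: pass the validated value as a bound parameter, so the driver
// applies the quoting rules of the database actually in use.
function find_serial(PDO $db, $raw_id)
{
    $id = validated_int($raw_id);
    if ($id === null) {
        return null; // invalid input is discarded and never reaches the query
    }
    $stmt = $db->prepare('SELECT label FROM serial_numbers WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $label = $stmt->fetchColumn();
    return $label === false ? null : $label;
}

// Text values: addslashes() produces backslash escapes. SQLite escapes a quote
// by doubling it, so a legitimate label containing a quote breaks the statement.
function find_by_label_addslashes(PDO $db, $label)
{
    $sql = "SELECT id FROM serial_numbers WHERE label = '" . addslashes($label) . "'";
    try {
        return $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return 'query failed: ' . $e->getMessage();
    }
}

// Same lookup with a bound parameter: no manual escaping, works on any driver.
function find_by_label_bound(PDO $db, $label)
{
    $stmt = $db->prepare('SELECT id FROM serial_numbers WHERE label = ?');
    $stmt->execute(array($label));
    return $stmt->fetchColumn();
}

var_dump(find_serial($db, '2'));                     // valid integer id
var_dump(find_serial($db, '2abc'));                  // non-integer value is rejected
var_dump(find_by_label_addslashes($db, "SN-2'B"));   // backslash escaping fails on SQLite
var_dump(find_by_label_bound($db, "SN-2'B"));        // bound parameter finds the row
```
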
                • operationsengineer1@yahoo.com
                  Message 8 of 11 , Aug 25, 2005
                    thanks a lot for the great information.
