PHP form field oddness!

on 01.02.2008 08:42:37 by ST

Got a weird problem and wondered if the people here had ever seen
similar.

I have an internal website that is PHP based. One of the form submits
has tons of fields, so to simplify the updating/inserting of records
(and long term management of the page) I go through the request (HTTP
POST/GET) variables and create an sql statement based on the data.
This means if I add a new database field I can just add the form field
on the page and I do not have to alter the database code.

However now and again a random form field will turn up that is not on
the original page. The latest is "sageamp". I have had "s_vnum" and
"SITESERVER". They look to be related to cookies - e.g. sageamp seems
to be related to web analysis. These form fields are unrelated to the
actual PHP code that generates the HTML form - the form fields just
appear on the page.

If the problem occurs I clear the cache (including cookies) and the
problem goes away for a while. This only occurs in Firefox, however
if I replicated the browsing that Firefox has been up to in IE it may
also happen.

The code for doing the DB update, if you are interested (nothing to
do with the problem I am sure) is:

(note - you can see where I have put exceptions in for the phantom
form fields to allow the code to work - I have since found out that
clearing the cache stops the fields from appearing).




while(list($key,$val) = each ($_REQUEST))
{
    if ($key <> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <> "PHPSESSID"
        && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
    {
        $sql .= " `$key` = '".addslashes($val)."', ";
    }
}


Any help appreciated!

Re: PHP form field oddness!

on 01.02.2008 10:25:40 by a_f_kono

On Feb 1, 8:42 am, ST wrote:
> Got a weird problem and wondered if the people here had ever seen
> similar.
>
> I have an internal website that is PHP based. One of the form submit
> has tons of fields, so to simplify the updating/inserting of records
> (and long term management of the page) I go through the request (HTTP
> POST/GET) variables and create an sql statement based on the data.
> This means if I add a new database field I can just add the form field
> on the page and I do not have to alter the database code.
>
> However now and again a random form field will turn up that is not on
> the original page. The latest is "sageamp". I have had "s_vnum" and
> "SITESERVER". They look to be related to cookies - eg sageamp seems
> to be related to web analysis. These form fields are unrelated to the
> actual PHP code that generates the HTML form - the form fields just
> appear on the page.
>
> If the problem occurs I clear the cache (including cookies) and the
> problem goes away for a while. This only occurs in Firefox, however
> if I replicated the browsing that firefox has been up to in IE it may
> also happen.
>
> The code for doing the DB update, if you are interested (nothing to
> do with the problem I am sure) is:
>
> (note - you can see where I have put exceptions in for the phantom
> form fields to allow the code to work - I have since found out that
> clearing the cache stops the fields from appearing).
>
> while(list($key,$val) = each ($_REQUEST))
> {
>
> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> {
> $sql .= " `$key` = '".addslashes($val)."', ";
> }
>
> }
>
> Any help appreciated!

Don't use $_REQUEST, use $_POST (or $_GET).
An even more secure approach is to use array notation in this form:

Then you will get an easy-to-read $_POST array with:
$_POST['form']
and your iteration will be much easier:
while(list($key,$val) = each ($_POST['form'])) ...
without any exceptions

Code like
$key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
"PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"

always indicates a wrong approach!

Greetings
Andy
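
Added example, not part of the post above: one way to apply the array-notation idea, assuming form fields named form[title] and form[notes], a table `records` with an `id` key column, and a PDO connection (all hypothetical names). Column names cannot be bound as parameters, so they are accepted only from an allowlist, and the values are bound instead of being escaped with addslashes().

```php
<?php
// Added example. Table, column names and the `id` key column are assumptions.
// Form markup using array notation, so only these fields land in $_POST['form']:
//   <input type="text" name="form[title]">
//   <input type="text" name="form[notes]">

/**
 * Build a parameterized UPDATE from the submitted form array.
 * Column names come only from $allowed; values are bound, never interpolated.
 * $table must be a constant from the code, not request data.
 * Returns [sql, params] ready for PDO::prepare() / execute().
 */
function build_update(string $table, array $allowed, array $form, int $id): array
{
    $sets = [];
    $params = [];
    foreach ($form as $key => $val) {
        // Skip unknown field names and non-scalar values (e.g. form[title][]).
        if (!in_array($key, $allowed, true) || !is_scalar($val)) {
            continue;
        }
        $sets[] = "`$key` = ?";
        $params[] = (string) $val;
    }
    if ($sets === []) {
        throw new InvalidArgumentException('no updatable fields submitted');
    }
    $params[] = $id;
    $sql = "UPDATE `$table` SET " . implode(', ', $sets) . ' WHERE `id` = ?';
    return [$sql, $params];
}

// Constructed input standing in for $_POST['form']; "sageamp" is not a column.
$form = ['title' => "O'Brien", 'notes' => 'checked', 'sageamp' => '1'];
[$sql, $params] = build_update('records', ['title', 'notes'], $form, 7);

echo $sql, "\n";
echo json_encode($params), "\n";

// With a real connection (assumed PDO instance $pdo):
// $pdo->prepare($sql)->execute($params);
```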

Re: PHP form field oddness!

on 01.02.2008 13:41:03 by colin.mckinnon

On 1 Feb, 09:25, a_f_kono wrote:
> On Feb 1, 8:42 am, ST wrote:
>
>
>
> > Got a weird problem and wondered if the people here had ever seen
> > similar.
>
> > I have an internal website that is PHP based. One of the form submit
> > has tons of fields, so to simplify the updating/inserting of records
> > (and long term management of the page) I go through the request (HTTP
> > POST/GET) variables and create an sql statement based on the data.
> > This means if I add a new database field I can just add the form field
> > on the page and I do not have to alter the database code.
>
> > However now and again a random form field will turn up that is not on
> > the original page. The latest is "sageamp". I have had "s_vnum" and
> > "SITESERVER". They look to be related to cookies - eg sageamp seems
> > to be related to web analysis. These form fields are unrelated to the
> > actual PHP code that generates the HTML form - the form fields just
> > appear on the page.
>
> > If the problem occurs I clear the cache (including cookies) and the
> > problem goes away for a while. This only occurs in Firefox, however
> > if I replicated the browsing that firefox has been up to in IE it may
> > also happen.
>
> > The code for doing the DB update, if you are interested (nothing to
> > do with the problem I am sure) is:
>
> > (note - you can see where I have put exceptions in for the phantom
> > form fields to allow the code to work - I have since found out that
> > clearing the cache stops the fields from appearing).
>
> > while(list($key,$val) = each ($_REQUEST))
> > {
>
> > if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> > "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> > {
> > $sql .= " `$key` = '".addslashes($val)."', ";
> > }
>
> > }
>
> > Any help appreciated!
>
> Don't use $_REQUEST, use $_POST (or $_GET).
> An even more secure approach is to use array notation in this form:
>
> Then You will get an easy to read $_POST-Array with:
> $_POST['form']
> and Your iteration will be much easier:
> while(list($key,$val) = each ($_POST['form'])) ...
> without any exceptions
>
> Code like
> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>
> > "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
>
> always indicates a wrong approach!
>
> Greetings
> Andy

You could do an array_merge on $_POST and $_GET or an array_diff with
$_REQUEST and $_COOKIE, and $_ENV.

Or you could do a DESC $tablename and just add the $_REQUEST keys
which match.

C.

Re: PHP form field oddness!

on 01.02.2008 13:42:23 by Jerry Stuckle

C. (http://symcbean.blogspot.com/) wrote:
> On 1 Feb, 09:25, a_f_kono wrote:
>> On Feb 1, 8:42 am, ST wrote:
>>
>>
>>
>>> Got a weird problem and wondered if the people here had ever seen
>>> similar.
>>> I have an internal website that is PHP based. One of the form submit
>>> has tons of fields, so to simplify the updating/inserting of records
>>> (and long term management of the page) I go through the request (HTTP
>>> POST/GET) variables and create an sql statement based on the data.
>>> This means if I add a new database field I can just add the form field
>>> on the page and I do not have to alter the database code.
>>> However now and again a random form field will turn up that is not on
>>> the original page. The latest is "sageamp". I have had "s_vnum" and
>>> "SITESERVER". They look to be related to cookies - eg sageamp seems
>>> to be related to web analysis. These form fields are unrelated to the
>>> actual PHP code that generates the HTML form - the form fields just
>>> appear on the page.
>>> If the problem occurs I clear the cache (including cookies) and the
>>> problem goes away for a while. This only occurs in Firefox, however
>>> if I replicated the browsing that firefox has been up to in IE it may
>>> also happen.
>>> The code for doing the DB update, if you are interested (nothing to
>>> do with the problem I am sure) is:
>>> (note - you can see where I have put exceptions in for the phantom
>>> form fields to allow the code to work - I have since found out that
>>> clearing the cache stops the fields from appearing).
>>> while(list($key,$val) = each ($_REQUEST))
>>> {
>>> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
>>> {
>>> $sql .= " `$key` = '".addslashes($val)."', ";
>>> }
>>> }
>>> Any help appreciated!
>> Don't use $_REQUEST, use $_POST (or $_GET).
>> An even more secure approach is to use array notation in this form:
>>
>> Then You will get an easy to read $_POST-Array with:
>> $_POST['form']
>> and Your iteration will be much easier:
>> while(list($key,$val) = each ($_POST['form'])) ...
>> without any exceptions
>>
>> Code like
>> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>
>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
>> always indicates a wrong approach!
>>
>> Greetings
>> Andy
>
> You could do an array_merge on $_POST and $_GET or an array_diff with
> $_REQUEST and $_COOKIE, and $_ENV.
>

Why, for gawd's sake?

> Or you could do a DESC $tablename and just add the $_REQUEST keys
> which match.
>
> C.
>

Even worse!

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================

Re: PHP form field oddness!

on 01.02.2008 16:41:11 by ST

On Feb 1, 12:42 pm, Jerry Stuckle wrote:
> C. (http://symcbean.blogspot.com/) wrote:
> > On 1 Feb, 09:25, a_f_kono wrote:
> >> On Feb 1, 8:42 am, ST wrote:
>
> >>> Got a weird problem and wondered if the people here had ever seen
> >>> similar.
> >>> I have an internal website that is PHP based. One of the form submit
> >>> has tons of fields, so to simplify the updating/inserting of records
> >>> (and long term management of the page) I go through the request (HTTP
> >>> POST/GET) variables and create an sql statement based on the data.
> >>> This means if I add a new database field I can just add the form field
> >>> on the page and I do not have to alter the database code.
> >>> However now and again a random form field will turn up that is not on
> >>> the original page. The latest is "sageamp". I have had "s_vnum" and
> >>> "SITESERVER". They look to be related to cookies - eg sageamp seems
> >>> to be related to web analysis. These form fields are unrelated to the
> >>> actual PHP code that generates the HTML form - the form fields just
> >>> appear on the page.
> >>> If the problem occurs I clear the cache (including cookies) and the
> >>> problem goes away for a while. This only occurs in Firefox, however
> >>> if I replicated the browsing that firefox has been up to in IE it may
> >>> also happen.
> >>> The code for doing the DB update, if you are interested (nothing to
> >>> do with the problem I am sure) is:
> >>> (note - you can see where I have put exceptions in for the phantom
> >>> form fields to allow the code to work - I have since found out that
> >>> clearing the cache stops the fields from appearing).
> >>> while(list($key,$val) = each ($_REQUEST))
> >>> {
> >>> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
> >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
> >>> {
> >>> $sql .= " `$key` = '".addslashes($val)."', ";
> >>> }
> >>> }
> >>> Any help appreciated!
> >> Don't use $_REQUEST, use $_POST (or $_GET).
> >> An even more secure approach is to use array notation in this form:
> >>
> >> Then You will get an easy to read $_POST-Array with:
> >> $_POST['form']
> >> and Your iteration will be much easier:
> >> while(list($key,$val) = each ($_POST['form'])) ...
> >> without any exceptions
>
> >> Code like
> >> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>
> >>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
> >> always indicates a wrong approach!
>
> >> Greetings
> >> Andy
>
> > You could do an array_merge on $_POST and $_GET or an array_diff with
> > $_REQUEST and $_COOKIE, and $_ENV.
>
> Why, for gawd's sake?
>
> > Or you could do a DESC $tablename and just add the $_REQUEST keys
> > which match.
>
> > C.
>
> Even worse!
>

I can live with the problem I think but I'd like to know where the
form fields are coming from! The code is not the best - I accept that
however it is internal use only (only used by max 3 people) and only
falls over once a month or so. The <> && exclusions are my work
however so I'll put my hand up!

Re: PHP form field oddness!

on 01.02.2008 16:55:34 by Jerry Stuckle

ST wrote:
> On Feb 1, 12:42 pm, Jerry Stuckle wrote:
>> C. (http://symcbean.blogspot.com/) wrote:
>>> On 1 Feb, 09:25, a_f_kono wrote:
>>>> On Feb 1, 8:42 am, ST wrote:
>>>>> Got a weird problem and wondered if the people here had ever seen
>>>>> similar.
>>>>> I have an internal website that is PHP based. One of the form submit
>>>>> has tons of fields, so to simplify the updating/inserting of records
>>>>> (and long term management of the page) I go through the request (HTTP
>>>>> POST/GET) variables and create an sql statement based on the data.
>>>>> This means if I add a new database field I can just add the form field
>>>>> on the page and I do not have to alter the database code.
>>>>> However now and again a random form field will turn up that is not on
>>>>> the original page. The latest is "sageamp". I have had "s_vnum" and
>>>>> "SITESERVER". They look to be related to cookies - eg sageamp seems
>>>>> to be related to web analysis. These form fields are unrelated to the
>>>>> actual PHP code that generates the HTML form - the form fields just
>>>>> appear on the page.
>>>>> If the problem occurs I clear the cache (including cookies) and the
>>>>> problem goes away for a while. This only occurs in Firefox, however
>>>>> if I replicated the browsing that firefox has been up to in IE it may
>>>>> also happen.
>>>>> The code for doing the DB update, if you are interested (nothing to
>>>>> do with the problem I am sure) is:
>>>>> (note - you can see where I have put exceptions in for the phantom
>>>>> form fields to allow the code to work - I have since found out that
>>>>> clearing the cache stops the fields from appearing).
>>>>> while(list($key,$val) = each ($_REQUEST))
>>>>> {
>>>>> if ($key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum")
>>>>> {
>>>>> $sql .= " `$key` = '".addslashes($val)."', ";
>>>>> }
>>>>> }
>>>>> Any help appreciated!
>>>> Don't use $_REQUEST, use $_POST (or $_GET).
>>>> An even more secure approach is to use array notation in this form:
>>>>
>>>> Then You will get an easy to read $_POST-Array with:
>>>> $_POST['form']
>>>> and Your iteration will be much easier:
>>>> while(list($key,$val) = each ($_POST['form'])) ...
>>>> without any exceptions
>>>> Code like
>>>> $key<> "B1" && $key <> "SITESERVER" && $key <> "mkt1" && $key <>
>>>>> "PHPSESSID" && $key <> "Submit" && $key <> "edit" && $key <> "s_vnum"
>>>> always indicates a wrong approach!
>>>> Greetings
>>>> Andy
>>> You could do an array_merge on $_POST and $_GET or an array_diff with
>>> $_REQUEST and $_COOKIE, and $_ENV.
>> Why, for gawd's sake?
>>
>>> Or you could do a DESC $tablename and just add the $_REQUEST keys
>>> which match.
>>> C.
>> Even worse!
>>
>
> I can live with the problem I think but I'd like to know where the
> form fields are coming from! The code is not the best - I accept that
> however it is internal use only (only used by max 3 people) and only
> falls over once a month or so. The <> && exclusions are my work
> however so I'll put my hand up!
>

Then use $_POST, not $_REQUEST. $_REQUEST could be coming from $_POST,
$_GET or $_COOKIE. And if it's the last one, it could have been set by
any page on your server.

$_REQUEST is not a good one to use.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
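
Added example, not from the thread: a small diagnostic that reports which input each request key came from, so names such as "sageamp" or "s_vnum" can be traced to cookies rather than to the form. The sample arrays are constructed; whether cookies are merged into $_REQUEST at all depends on the request_order and variables_order settings in php.ini.

```php
<?php
// Added example. The sample arrays are constructed stand-ins for the
// superglobals; cookie values are placeholders.

/** Map each request key to the list of inputs (GET/POST/COOKIE) carrying it. */
function request_key_sources(array $get, array $post, array $cookie): array
{
    $sources = [];
    foreach (['GET' => $get, 'POST' => $post, 'COOKIE' => $cookie] as $name => $input) {
        foreach (array_keys($input) as $key) {
            $sources[$key][] = $name;
        }
    }
    return $sources;
}

/** Keys that no form or query string sent: they exist only as cookies. */
function cookie_only_keys(array $sources): array
{
    $only = array_filter($sources, function (array $from): bool {
        return $from === ['COOKIE'];
    });
    return array_keys($only);
}

$post   = ['title' => 'Report', 'Submit' => 'Save'];
$cookie = ['PHPSESSID' => 'placeholder', 'sageamp' => 'placeholder',
           's_vnum' => 'placeholder', 'SITESERVER' => 'placeholder'];

$sources = request_key_sources([], $post, $cookie);
foreach (cookie_only_keys($sources) as $key) {
    echo "cookie-only key: $key\n";
}

// Which inputs PHP merges into $_REQUEST is set in php.ini.
echo 'request_order=', ini_get('request_order'),
     ' variables_order=', ini_get('variables_order'), "\n";

// On the live page: request_key_sources($_GET, $_POST, $_COOKIE)
```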