function not returning query

am 24.11.2009 01:22:18 von Allen McCabe


Hi, thanks for reading, I hope you can help:

In my main file for an orders page I have the following code:


    if (isset($_GET['filterby']))
    {
        // custom function, expected to return a MySQL result resource
        $resultOrders = adminFilterQuery();
        $numberOfOrders = mysql_num_rows($resultOrders);
    }
    else
    {
        // mysql_error() takes the link resource, not a message, so the
        // message is concatenated in front of its return value
        $resultOrders = mysql_query("SELECT * FROM afy_order;")
            or die("Could not query the database! " . mysql_error());
        $numberOfOrders = mysql_num_rows($resultOrders);
    }


adminFilterQuery() is a custom function that is supposed to return a
mysql_query result; here are the last few lines of this function:


    // $school and $order_by_param are interpolated straight into the SQL;
    // values that come from the form need validating before they get here
    $query = "SELECT * FROM afy_order WHERE school_id = '{$school}' ORDER BY {$order_by_param};";
    $result = mysql_query($query);  // returns false on error, not a result resource
    return $result;

I am getting this error when I try to filter my query using a form in tandem
with the query-building function:

*Warning*: mysql_num_rows(): supplied argument is not a valid MySQL result
resource

where the line is the one where I use the mysql_num_rows function.

What am I missing here?

Thanks!


Re: function not returning query

am 24.11.2009 02:08:37 von Phpster

Likely your query failed due to an error.

Try adding an or die(mysql_error()) to the end of your mysql_query
statement to see what that error may be.

Bastien

Sent from my iPod

On Nov 23, 2009, at 7:22 PM, Allen McCabe wrote:

> [...]

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: function not returning query

am 24.11.2009 05:03:26 von Philip Thompson

On Nov 23, 2009, at 6:22 PM, Allen McCabe wrote:

> Hi, thanks for reading, I hope you can help:
>
> In my main file for an orders page I have the following code:
>
>
> if (isset($_GET['filterby']))
> {
>     $resultOrders = adminFilterQuery();
>     $numberOfOrders = mysql_num_rows($resultOrders);
> }
> else
> {
>     $resultOrders = mysql_query("SELECT * FROM afy_order;")
>         or die("Could not query the database! " . mysql_error());
>     $numberOfOrders = mysql_num_rows($resultOrders);
> }

You can reduce this part by one line by putting the following after the else
statement and removing the other 2:

    $numberOfOrders = mysql_num_rows($resultOrders);

Also, these queries don't need a semi-colon (;) to end the query. PHP
handles this part. Remove them.


> adminFilterQuery() is a custom function that is supposed to return a
> mysql_query result; here are the last few lines of this function:
>
>
> $query = "SELECT * FROM afy_order WHERE school_id = '{$school}' ORDER BY {$order_by_param};";
> $result = mysql_query($query);
> return $result;
>
> I am getting this error when I try to filter my query using a form in tandem
> with the query-building function:
>
> *Warning*: mysql_num_rows(): supplied argument is not a valid MySQL result
> resource
>
> where the line is the one where I use the mysql_num_rows function.
>
> What am I missing here?
>
> Thanks!

Do you get this warning with both queries? Make sure that your queries
are using a valid mysql connection. You may also consider using a
database class to perform the repetitive tasks so that you really only
have to be concerned with the queries you're writing...?

    <?php
    class database {
        public function query($sql) {
            $result = mysql_query($sql);
            // mysql_query() returns false on failure; stop here so the
            // false value never reaches mysql_num_rows()
            if ($result === false) {
                die('Uh oh!');
            }
            return $result;
        }

        public function numRows($result) {
            return mysql_num_rows($result);
        }
    }
    $db = new database();
    $result = $db->query('SELECT * FROM afy_order');
    $numRows = $db->numRows($result);
    ?>

Of course this is just a simple example, but you get the idea. Hope that
stirs your brain!

~Philip


Re: function not returning query

am 24.11.2009 06:53:40 von Allen McCabe


Okay, suddenly I got it to filter the results, but I still can't figure out
where this part of the query is coming from, at the end of the query string
in the URL, I have this "filter.x=0&filter.y=0".

Nowhere in my form do I have a field named filter.x or filter.y. I DO,
however, have 3 forms (I don't want to mess with AJAX); my set up looks like
this:

Filter by:
User - [username dropdown v] Order by [database fields v] Asc/Desc
[Ascend v] - Go
School - [school dropdown v] Order by [database fields v] Asc/Desc
[Ascend v] - Go
Show - [show dropdown v] Order by [database fields v] Asc/Desc [Ascend v]
- Go

There are actually two order by fields, but this gives you the idea. Each of
the three lines is a separate form, each with a unique name all with a "get"
method, but all three Go buttons are named "filter", I didn't think to try
changing it until now, but is this perhaps where the filter.x and filter.y
are coming from? I have never seen this before in a query.

Oh, now the filter that was working spontaneously gives me the error I have
been getting all along, this is so frustrating.

To those who asked, yes I am connected to the database; I forgot to mention
that the else part of my if statement works, as long as I don't try to
filter my results it works.

Here is an example of the URL that my filter function (via one of the 3
forms) outputs:
http://lpacmarketing.hostzi.com/afy/orders/default.php?filterby=school&schoolid=36&orderby1=order_id&asc_desc_order1=Descend&orderby2=pmt_recd_date&asc_desc_order2=Descend&filter.x=13&filter.y=8&filter=Go

On Mon, Nov 23, 2009 at 8:03 PM, Philip Thompson wrote:

> [...]


Re: function not returning query

am 24.11.2009 10:10:12 von Ashley Sheridan


On Mon, 2009-11-23 at 21:53 -0800, Allen McCabe wrote:

> [...]


My guess would be that you're submitting the form using an image button,
which would send the x and y coordinates of the click within the button.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: function not returning query

am 24.11.2009 11:34:41 von Ashley Sheridan


On Tue, 2009-11-24 at 02:11 -0800, Allen McCabe wrote:

> I am! Will these extra query variables cause any problems or should I
> use standard submit inputs?
>
> Thanks Ashley!
>
> [...]


The only time they'll cause a problem is if you use some sort of loop to
translate all the form inputs into something that is used in your code.
For example, if you looped through all the form inputs to create your
filter, regardless of what the inputs were called, then you would be
running into all sorts of problems.

This is not something you should try and 'fix' on the client-side but
the server side, as everything that comes from the client is not to be
trusted, ever!

Saying that though, I have seen some systems (HSBC payment system)
reject inputs containing x and y coordinates from image buttons and
cause the whole form to fail. In your case that won't happen, but it's
something to keep in mind in the future maybe?

If you want to change the button, you could use a regular submit button
and style it up with css:

    #submit_button_id
    {
        border: 0px none;
        background-image: url('button.png');
        background-repeat: no-repeat;
        width: 100px;
        height: 25px;
    }

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: function not returning query

am 25.11.2009 11:32:17 von Ashley Sheridan


On Tue, 2009-11-24 at 23:27 -0800, Allen McCabe wrote:

> If I were to loop through my inputs, I could just exclude any
> problematic names, eg.:
>
> foreach ($_POST as $var => $val)
> {
>     // keep every field except the two image-button coordinates
>     if ($var != 'filter.x' && $var != 'filter.y')
>     {
>         $$var = $val;  // variable variable: creates e.g. $schoolid
>     }
> }
>
> Like that?
>
> [...]


Not really, what if someone else decided they wanted to throw in their
own form field values in the hope of breaking your system? It's much
better to be specifically looking for certain form fields and certain
field values/ranges. For example, if you had some fields that would
filter something by cost, you might have two form fields named 'max' and
'min' which would be ranges for the cost. You should check that these
fields only contain numbers for example before processing them. Any data
coming from the client-side is untrustworthy and should be regarded as
tainted until you can prove otherwise.

Thanks,
Ash
http://www.ashleysheridan.co.uk




Re: function not returning query

am 25.11.2009 23:39:11 von Philip Thompson

On Nov 25, 2009, at 4:32 AM, Ashley Sheridan wrote:

> On Tue, 2009-11-24 at 23:27 -0800, Allen McCabe wrote:
>
>> If I were to loop through my inputs, I could just exclude any
>> problematic names, eg.:
>>
>> foreach ($_POST as $var => $val)
>> {
>>     // keep every field except the two image-button coordinates
>>     if ($var != 'filter.x' && $var != 'filter.y')
>>     {
>>         $$var = $val;  // variable variable: creates e.g. $schoolid
>>     }
>> }
>>
>> Like that?

> Not really, what if someone else decided they wanted to throw in their
> own form field values in the hope of breaking your system? It's much
> better to be specifically looking for certain form fields and certain
> field values/ranges. For example, if you had some fields that would
> filter something by cost, you might have two form fields named 'max' and
> 'min' which would be ranges for the cost. You should check that these
> fields only contain numbers for example before processing them. Any data
> coming from the client-side is untrustworthy and should be regarded as
> tainted until you can prove otherwise.
>
> Thanks,
> Ash

The system Ash is referring to is a whitebox approach. You know what you
should get in, so only accept those values. A simple thing to accomplish
what you're trying to do, Allen, would be to create an array of
required/accepted fields...

    <?php
    $acceptable = array('green', 'blue', 'red');
    foreach ($_POST as $var => $val) {
        // only field names on the list are processed; anything else
        // (including filter.x / filter.y) falls through to the else branch
        if (in_array($var, $acceptable)) {
            // Do whatever here
        } else {
            // Not acceptable - throw error message or do nothing
        }
    }
    ?>

Hope that helps.
~Philip
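The two replies above (Ash: look only for specific fields and check their values and ranges; Philip: keep an array of accepted field names and test with in_array()) can be combined into one handling routine for the orders filter Allen described. The following is an added example, not code posted by anyone in this thread: the field names and column names are taken from the URL Allen posted, the default ordering and the mysqli connection details are placeholders, and it relies on the documented PHP behaviour that a dot in an incoming field name (filter.x) is turned into an underscore (filter_x) in $_GET. ORDER BY column names cannot be bound as query parameters, so they are checked against a fixed list; the school id is checked to be digits only and is bound as an integer rather than interpolated into the SQL string.

```php
<?php
// Added example (not from the thread). Whitelists the fields the three filter
// forms may send, validates each value, and builds a parameterised query.

// Field names the forms are allowed to send (taken from Allen's URL).
// Anything else in $_GET, such as the image-button coordinates, is ignored.
$acceptableFields = array('filterby', 'schoolid', 'orderby1', 'asc_desc_order1',
                          'orderby2', 'asc_desc_order2');

// Columns that may appear in ORDER BY. Identifiers cannot be bound as
// parameters, so they must match a fixed list (column names assumed).
$orderableColumns = array('order_id', 'pmt_recd_date', 'school_id');

// Form direction values mapped to SQL keywords; any other value is rejected.
$directions = array('Ascend' => 'ASC', 'Descend' => 'DESC');

// Returns only the whitelisted keys of $input (Philip's in_array() pattern).
function filterAcceptedFields(array $input, array $acceptable)
{
    $clean = array();
    foreach ($input as $var => $val) {
        if (in_array($var, $acceptable, true)) {
            $clean[$var] = $val;
        }
        // unknown fields such as filter_x / filter_y are simply dropped
    }
    return $clean;
}

// Builds the SQL and the value to bind from already-filtered input.
// Returns array($sql, $schoolId), or null when any value fails validation.
function buildSchoolFilterQuery(array $fields, array $orderable, array $directions)
{
    if (!isset($fields['filterby']) || $fields['filterby'] !== 'school') {
        return null;
    }
    // school_id must be digits only; ctype_digit() rejects anything else
    if (!isset($fields['schoolid']) || !ctype_digit((string) $fields['schoolid'])) {
        return null;
    }
    $schoolId = (int) $fields['schoolid'];

    $orderParts = array();
    foreach (array(1, 2) as $n) {
        if (!isset($fields["orderby$n"])) {
            continue;  // the second ORDER BY field is optional
        }
        $col = $fields["orderby$n"];
        $dir = isset($fields["asc_desc_order$n"]) ? $fields["asc_desc_order$n"] : 'Ascend';
        if (!in_array($col, $orderable, true) || !isset($directions[$dir])) {
            return null;  // unknown column or direction: refuse, never interpolate
        }
        $orderParts[] = "`$col` " . $directions[$dir];
    }
    if (count($orderParts) === 0) {
        $orderParts[] = '`order_id` ASC';  // assumed default ordering
    }

    $sql = 'SELECT * FROM afy_order WHERE school_id = ? ORDER BY '
         . implode(', ', $orderParts);
    return array($sql, $schoolId);
}

// Constructed sample input mirroring Allen's URL as PHP presents it in $_GET
// (filter.x and filter.y arrive as filter_x and filter_y).
$sampleGet = array(
    'filterby' => 'school', 'schoolid' => '36',
    'orderby1' => 'order_id', 'asc_desc_order1' => 'Descend',
    'orderby2' => 'pmt_recd_date', 'asc_desc_order2' => 'Descend',
    'filter_x' => '13', 'filter_y' => '8', 'filter' => 'Go',
);

$fields = filterAcceptedFields($sampleGet, $acceptableFields);
$built  = buildSchoolFilterQuery($fields, $orderableColumns, $directions);
if ($built === null) {
    die('Rejected filter request');
}
list($sql, $schoolId) = $built;

// Placeholder connection. The value is bound, not interpolated, and every
// return value is checked so a false never reaches the row count.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$stmt = $db->prepare($sql);
if ($stmt === false) {
    die('Could not prepare query: ' . $db->error);
}
$stmt->bind_param('i', $schoolId);
if ($stmt->execute() === false) {
    die('Query failed: ' . $stmt->error);
}
$stmt->store_result();
$numberOfOrders = $stmt->num_rows;
```

With the sample input, filterAcceptedFields() drops filter_x, filter_y and filter, and buildSchoolFilterQuery() produces a query ordered by order_id and pmt_recd_date descending with 36 bound to the placeholder; a request carrying an unknown column name or a non-numeric school id is refused before any SQL is built, which is the "tainted until proven otherwise" handling Ash describes.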
