views:

88

answers:

2

Hello, I am currently writing a script whereby an array of checkboxes are displayed using:

<?
  while($i = mysqli_fetch_array($get_perms)){

  $pname = $i[pname];
  $id = $i[id];
?>
  <div>
    <input type="checkbox" tabindex="1" name="<? echo("$id");?>" value="1" <? if($permissionid[$id] == '1') {echo ' checked="checked" ';}?> /><?echo(" $pname");?>
  </div>
<? } ?>

However, I also have another part doing a similar thing, but for Sget_perms is a different sql to gain different data.

Now, obviously, when it comes to posting back the data to the form/script, there's going to be a problem between distinguishing the two databits in the form.

This is the SQL to update the data given from form:

$insert = mysql_query("UPDATE `perms` SET
    `title`='$_POST[title]',
    `1` ='$_POST[1]',
    `2` ='$_POST[2]',
    `3` ='$_POST[3]',
    `4` ='$_POST[4]',
    `5` ='$_POST[5]',
    `user` ='$_POST[username]'
     WHERE `userid` = '$valued_user_show[id]'
")

So how on earth do I correctly distinguish between the two, and there be able to correctly enter the SQL?

The schema of the table is basically:

7 columns, userid, user, 1, 2, 3, 4 ,6 userid is the userid of the user who has been posted to script before form. user is the name. The numbers are the permission numbers.

$get_perm is the sql to load the current information about the user from the table in an array.

+1  A: 

First: never include user-submitted data in a SQL statement without escaping it! A malicious user could exploit that to clobber your data, retrieve data without authorization, and cause all manner of harm. Always use mysql_real_escape_string() to escape submitted values going into a query.

On to your actual question: to distinguish your two similar sets of fields, just give them different names. Perhaps the first would be called permsA and the second permsB. You'd then get HTML like this:

<input type="checkbox" tabindex="1" name="permsA_<? echo $id;?>" value="1" <? if($permissionid[$id] == '1') {echo ' checked="checked" ';}?> /><?echo htmlspecialchars($pname);?>

Note that I also included a call to htmlspecialchars() to properly escape the $pname value for use in HTML, and I omitted the unnecessary quotes around "$id" (putting a variable in quotes like that just makes PHP do additional processing to parse the string; you can just echo the variable itself without quotes).

Then in your SQl statement:

$insert = mysql_query("UPDATE `perms` SET
    `title`='" . mysql_real_escape_string($_POST[title]) . "',
    `1` ='" . mysql_real_escape_string($_POST['permsA_1'] . "',
    `2` ='" . mysql_real_escape_string($_POST['permsA_2'] . "',
    `3` ='" . mysql_real_escape_string($_POST['permsA_3'] . "',
    `4` ='" . mysql_real_escape_string($_POST['permsA_4'] . "',
    `5` ='" . mysql_real_escape_string($_POST['permsA_5'] . "',
    `user` ='" . mysql_real_escape_string($_POST['username']) . "'
     WHERE `userid` = '$valued_user_show[id]'
")

Here the only change is to add the permsA_ prefix, and to properly escape all user-submitted values.

VoteyDisciple
woops sorry, all of the other live scripts have the escape strings prior to data, I usualy don't include escaping until primary script development has finished :)
Shamil
also, we're using mysqli :)
Shamil
Interestingly... the form's submitting to Array/useredit.php (the script is called useredit.php... and it's not in an "Array" folder.
Shamil
+1  A: 

Create an array with your checkboxes:

<input type="checkbox" name="mycheckbox[]"/>

And "mycheckbox" will be available as an array in your _POST data.

Typeoneerror
how would I then forumulate the $_POST?
Shamil