In my webapp I have a page called display.php. The script in this page behaves in different ways depending on the POST and GET array content/existence. Let's say: if I call this page and the GET array is set, the script will load a record using $_GET['id']; in another case, if no GET is set but a certain POST key is set, the script will load a random record from the DB... and so on.

At the top of my page I've added this simple(trivial) code:

<?php
session_start(); // $_SESSION is only usable after the session has been started

//random loading: neither a record id nor a form submission was sent
if(!isset($_GET['id']) && !isset($_POST["MM_update"])){

 ##
 $fresh_call=true;
 $saving_call=false;
 $pick_a_call=false;
 ##

 // 'operatore' may be missing from the query string; guard it to avoid an undefined-index notice
 $operatore = isset($_GET['operatore']) ? $_GET['operatore'] : '';
 $_SESSION['call_id']=time().$operatore;

 $call_id=$_SESSION['call_id'];

//I need to load a specified record

}else if (isset($_GET['id']) && !isset($_POST["MM_update"])) {

 ##
 $pick_a_call=true;
 $saving_call=false;
 $fresh_call=false;
 ##

 $_SESSION['call_id']=$_GET['id'];

 $call_id=$_SESSION['call_id'];

//update the record: the form posts the id of the record being edited back to this script

}else if (!isset($_GET['id']) && isset($_POST["MM_update"])){

 ##
 $saving_call=true;
 $pick_a_call=false;
 $fresh_call=false;
 ##

 $call_id = isset($_POST['call_id']) ? $_POST['call_id'] : null;
}

In display.php there's also a form that self-posts data to display.php for the record update (the last condition in the code).

In the rest of the script I'm checking the $fresh_call, $saving_call, $pick_a_call values to query the DB with the right UPDATE/INSERT/SELECT SQL.

I'm not sure about my solution; I would like to design a class that can help me make my script more "clear" and lighter. I also think that this situation is probably a typical problem to solve in PHP coding.

A: 

It's not part of the script you have posted, but I think the most important thing you need to do is make sure you are first escaping your GET/POST vars before using them to query the database.

For example, if you are using MySQL, you could use mysql_real_escape_string().

meanstreakuk
or better yet start looking into pdo www.php.net/pdo if they're starting with php/mysql
dassouki
... or prepared statements with mysqli.
Lucas Oman
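To show what the PDO suggestion above looks like on this page's three branches, here is an added example (not code from the question or the answers) in which every $_GET / $_POST value is bound as a parameter instead of being concatenated into the SQL. The table and column names (calls, id, note), the DSN and credentials, and PHP 7+ for the `??` operator are assumptions.

```php
<?php
// Added example: display.php dispatch over PDO prepared statements.
// Table/column names, DSN and credentials are assumed for illustration.
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values never enter the SQL text
]);

if (isset($_POST['MM_update'])) {
    // Saving: update the record chosen on the earlier request. Taking the id from
    // the session rather than from a hidden form field means the client cannot
    // point the UPDATE at a record it never loaded.
    if (!isset($_SESSION['call_id'])) {
        http_response_code(400);
        exit('no active call');
    }
    $stmt = $pdo->prepare('UPDATE calls SET note = :note WHERE id = :id');
    $stmt->execute([
        ':note' => (string) ($_POST['note'] ?? ''),
        ':id'   => $_SESSION['call_id'],
    ]);
    $row = null;
} elseif (isset($_GET['id'])) {
    // Pick a call: accept only a positive integer id, then bind it as a parameter.
    $id = filter_var($_GET['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('bad id');
    }
    $stmt = $pdo->prepare('SELECT * FROM calls WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $_SESSION['call_id'] = $id;
} else {
    // Fresh call: load a random record; no user input is involved in this query.
    $row = $pdo->query('SELECT * FROM calls ORDER BY RAND() LIMIT 1')
               ->fetch(PDO::FETCH_ASSOC);
    $_SESSION['call_id'] = $row ? (int) $row['id'] : null;
}

// $row (or null after an update) is what the rest of display.php renders.
```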
+1  A: 

Here's a functional alternative which should work the same as the code you posted, but may be a little easier to understand:

session_start(); // required before $_SESSION can be written

function set_call_id( $val )
{
    $_SESSION['call_id'] = $val;
}

// pick_a_call(), saving_call() and fresh_call() are the handlers you write for
// each case, replacing the three boolean flags in your version.

if( isset($_GET['id']) )
{
    set_call_id( $_GET['id'] );
    pick_a_call();
}
else if( isset($_POST["MM_update"]) )
{
    // the id of the record being edited comes back from the form
    set_call_id( isset($_POST['call_id']) ? $_POST['call_id'] : null );
    saving_call();
}
else
{
    // 'operatore' may be absent; guard it to avoid an undefined-index notice
    $operatore = isset($_GET['operatore']) ? $_GET['operatore'] : '';
    set_call_id( time() . $operatore );
    fresh_call();
}
Kevin