Hi guys,

What I would like to achieve here is a user selects an operator, e.g. +, >, <, >= etc. and uses this in a Select statement in PHP.

MY HTML code:

<label for="operator">Grade: </label>
<select name="operator" id="operator">
    <option value="">Select one</option>
    <option value="<">Less than</option>
    <option value=">">More than</option>
    <option value="=">Equals to</option>
</select>
<!-- input is a void element and takes no closing tag -->
<input type="text" name="grade" id="grade" size="2" maxlength="2">

My PHP code:

$operator = mysqli_real_escape_string($link, $_GET['operator']);
$grade = mysqli_real_escape_string($link, $_GET['grade']);
if ($grade != '') {
    // as posted: the concatenation dots and quotes end up inside the SQL string
    $where .= " AND grade . '$operator' . '$grade'";
}

What I would like to achieve is 'AND grade > 3'. '3' could be another number.

How could I change my code to make PHP accept it as a proper statement? Pardon my bad explanation here.

A: 

I think you should escape < > to HTML char codes.

You can set values to 1,2,3 and do:

// keys match the option values 1, 2, 3 sent by the form
$myarray = array( 1 => '<' , 2 => '>' , 3 => '=' );

then use

$myarray[$operator]
killer_PL
Thanks killer. I will go with another solution.
dave
+2  A: 

You shouldn't quote the operator:

$where .= " AND grade $operator  '$grade'";

While you have escaped the grade, I would go further and check the operator is one of your expected operators, e.g.

if (($grade!='') && in_array($operator, array('>', '<', '=')))
{
    ....
}
Paul Dixon
Thanks Paul for a simple and succinct answer.
dave
ah yes, I left that as, erm, an exercise for the reader ;)
Paul Dixon
+1  A: 

Wrong usage of escaping functions! You know that operator could only be <, >, or = and grade a number (without commas or something).

This is a better validation:

$operator = isset($_GET['operator'])
    && is_string($_GET['operator'])
    && in_array($_GET['operator'], array('<', '>', '='))
    ? $_GET['operator'] : '';
$grade = isset($_GET['grade'])
    && is_string($_GET['grade'])
    && ctype_digit($_GET['grade'])
    ? $_GET['grade'] : '';
if ($operator && $grade) {
    $where .= " AND grade $operator $grade";
}

It first checks if operator and grade exist in the $_GET array, then if it is a string (?operator[]= makes an array of it). Then it checks if operator is a valid operator (<, > or =) and grade is really a number.

Lekensteyn
Thanks Lek. I will go with another solution.
dave
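Putting Paul's operator whitelist and Lekensteyn's validation together with a prepared statement, as an added example that is not code from any of the answers above; it assumes $link is a mysqli connection, a hypothetical students table with an integer grade column, and the mysqlnd driver for get_result().

```php
<?php
// Added example (not from any answer on this page). Assumes $link is a
// mysqli connection and a hypothetical `students` table with an integer
// `grade` column.

function build_grade_filter(array $get): ?array
{
    // An SQL operator cannot be bound as a parameter, so the only safe way
    // to accept one from the client is an explicit whitelist. The strict
    // flag avoids loose comparisons such as "0" == "<" on older PHP.
    $allowed  = ['<', '>', '=', '<=', '>='];
    $operator = $get['operator'] ?? '';
    $grade    = $get['grade'] ?? '';

    // ?operator[]=x arrives as an array, so check the type before the value.
    if (!is_string($operator) || !in_array($operator, $allowed, true)) {
        return null;
    }
    // Digits only, and at most two of them, matching the form's maxlength="2".
    if (!is_string($grade) || !ctype_digit($grade) || strlen($grade) > 2) {
        return null;
    }
    // The operator is interpolated only after passing the whitelist; the
    // value never touches the SQL text and is bound separately.
    return ["grade $operator ?", (int) $grade];
}

$filter = build_grade_filter($_GET);
$sql    = "SELECT id, name, grade FROM students WHERE 1 = 1";
$params = [];
if ($filter !== null) {
    [$clause, $value] = $filter;
    $sql     .= " AND $clause";
    $params[] = $value;
}

$stmt = $link->prepare($sql);
if ($params) {
    $stmt->bind_param('i', ...$params);
}
$stmt->execute();
$rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
```

An invalid or missing operator simply drops the filter instead of producing a broken query, so the rest of the page still renders.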
+1  A: 

I think the line for grade should be:

" AND grade $operator $grade "

spbfox
Thanks spbfox. I would go with Paul's solution here.
dave
Understandable. I would do the same.
spbfox