Help with checkbox and database

Question

hi, please i want help im a begginer

I have a form with checkboxes. Each have a value when the checkboxes are checked it's value is added to the sum... I want to save the checkboxes that are checked into a database.

<script type="text/javascript">
    function checkTotal() {
     document.listForm.total.value = '';
     var sum = 0;
     for (i=0;i<document.listForm.choice.length;i++) {
       if (document.listForm.choice[i].checked) {
        sum = sum + parseFloat(document.listForm.choice[i].value);
       }
     }
     document.listForm.total.value = sum;
    }
</script>

<form name="listForm" method="post" action="insert_options.php" >
<TABLE cellPadding=3 width=600 border=0>
        <TBODY>

        <TR>
          <TH align=left width="87%" bgColor=#b0b3b4><SPAN 
            class=whiteText>Item</SPAN></TH>
          <TH align=right width="13%" bgColor=#b0b3b4><SPAN 
            class=whiteText>Select</SPAN></TH></TR>
        <TR>
          <TD  bgcolor="#9da8af"colSpan=2><SPAN class=normalText><B>General</B></SPAN></TD></TR>
        <TR>
          <TD  bgcolor="#c4c8ca"><SPAN class=normalText >TEAK SIDE DECKS (2889)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="2889" type="checkbox" onchange="checkTotal()" /></TD></TR>
        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>LEAD DEEP KEEL (1825)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="1825" type="checkbox" onchange="checkTotal()"></TD></TR>

        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>FULLY BATTENED MAINSAIL (558)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="558"  type="checkbox"  onchange="checkTotal()"></TD></TR>

        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>HIGH TECH SAILS FOR CONVENTIONAL RIG (1979)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="1979" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>IN MAST REEFING WITH HIGH TECH SAILS (2539)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="2539" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>SPlNNAKER GEAR (POLE LINES DECK FITTINGS) (820)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="820" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>SPINNAKER POLE VERTICAL STOWAGE SYSTEM (214)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="214" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>GAS ROD KICKER (208)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="208" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>SIDE RAIL OPENINGS (BOTH SIDES) (392)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="392" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>SPRING CLEATS MIDSHIPS -ALUMIMIUM (148)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="148" type="checkbox" onchange="checkTotal()"></TD></TR>


          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>ELECTRIC ANCHOR WINDLASS (1189)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="1189" type="checkbox" onchange="checkTotal()"> </TD></TR>



          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>ANCHOR CHAIN GALVANISED (50m) (202)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="202" type="checkbox" onchange="checkTotal()"> </TD></TR>



          <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>ANCHOR CHAIN GALVANISED (50m) (1141)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="1141" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD  bgcolor="#9da8af"colSpan=2><SPAN class=normalText><B>NAVIGATION & ELECTRONICS</B></SPAN></TD></TR>
        <TR>
          <TD  bgcolor="#c4c8ca"><SPAN class=normalText >WIND VANE (STAINLESS STEEL)(41)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="41" type="checkbox" onchange="checkTotal()" /></TD></TR>
        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>RAYMARINE ST6O LOG & DEPTH (SEPARATE UNITS)(226)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="226" type="checkbox" onchange="checkTotal()"></TD></TR>

      <TR>
          <TD  bgcolor="#9da8af"colSpan=2><SPAN class=normalText><B>ENGINES & ELECTRICS</B></SPAN></TD></TR>
        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>SHORE SUPPLY (220V) WITH 3 OUTLETS (EXCLUDJNG SHORE CABLE) (327)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="327"  type="checkbox"  onchange="checkTotal()"></TD></TR>

        <TR>
          <TD bgColor=#c4c8ca><SPAN class=normalText>3rd BATTERY(14OA/H)(196)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="196" type="checkbox" onchange="checkTotal()"></TD></TR>

         <TD bgColor=#c4c8ca><SPAN class=normalText>24 AMP BATTERY CHARGER (475)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="475" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>2 BLADED FOLDING PROPELLER (UPGRADE)(299)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="299" type="checkbox" onchange="checkTotal()"></TD></TR>


         <TR>
          <TD  bgcolor="#9da8af"colSpan=2><SPAN class=normalText><B>BELOW DECKS/DOMESTIC</B></SPAN></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>WARM WATER (FROM ENGINE & 220V)(749)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="749" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>SHOWER IN AFT HEADS WITH PUMPOUT(446)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="446" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>DECK SUCTION DISPOSAL FOR HOLDINGTANK(166)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="166" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>REFRIGERATED COOLBOX (12V)(666)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="666" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>LFS SAFETY PACKAGE (COCKPIT HARNESS POINTS STAINLESS STEEL JACKSTAYS)(208)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="208" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>UPHOLSTERY UPGRADE IN SALOON (SUEDETYPE)(701)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="701" type="checkbox" onchange="checkTotal()"></TD></TR>

          <TR>
          <TD  bgcolor="#9da8af"colSpan=2><SPAN class=normalText><B>NAVIGATION ELECTRONICS & ELECTRICS</B></SPAN></TD></TR>

          <TD bgColor=#c4c8ca><SPAN class=normalText>VHF RADIO AERIAL CABLED TO NAVIGATION AREA(178)</SPAN></TD>
          <TD align=right bgColor=#c4c8ca><input  name="choice" value="178" type="checkbox" onchange="checkTotal()"></TD></TR>
</table>

and the php code is

<?php

$opt=serialize($_POST['choice']); //takes the data from a post operation...
$query="INSERT INTO options VALUES('$opt')"; 

?>

Answer 1

Firstly, all of your <input type="checkbox"> fields have the same name attribute. This results in several values with the same name being sent over (if several checkboxes are checked), of which PHP only uses the last one for its $_POST collection.

To solve this, give them the name "choice[]", instead of "choice". This signals PHP that there are several values possible, and they will be all available as an array. In other words, you will be able to do the following:

$choices = $_POST['choice'];
foreach ( $choices as $key => $value )
    echo "$key  => $value";

And this will output something like

0 => 32
1 => 12
2 => 48

In other words - you get an array with the values of the checked checkboxes. After that you can do what you like with them. For example, implode() them to get a comma-separated list.

One thing that you should be warned about though. It's called "SQL Injection" and is a common mistake of inexperienced programmers. The idea is that a malicious user can easily send other values there too, not only the ones you have specified in your HTML. It does not take much skill to forge a HTTP request. There can be ANYTHING coming from the user, so you should ALWAYS check ALL INPUT that you get from the user. Don't trust any JavaScript validations you make. As long as it's from the user side - it cannot be trusted. Ever.

And if you are wondering how that can be a bad thing - consider, what would happen if suddenly one of the values in your array wouldn't be 43 anymore, but instead would be "'); DROP DATABASE; --".

Since you are blindly executing a query like

INSERT INTO options VALUES('$opt');

This would then turn into

INSERT INTO options VALUES(''); DROP DATABASE; --);

And bye-bye goes your database. Thus, ALWAYS make sure that the user input is what you expect it to be and that there is no possiblity for something like this. Oh, and yes - addslashes() is not a good method because there is still a way around that. Parametrized queries are the best way to go, but if you can't use that then at least use mysql_real_escape_string() for MySQL, or whatever else your DBMS offers.

Answer 2

See my answer here