开发者

pass each 'name' value form inputs into dynamically created variables

开发者 https://www.devze.com 2023-01-16 07:32 出处:网络
I was making a form that is um... quite large and all inputs consist of the form looking like <input type=\"text\" id=\"first_name\" name=\"first_name\" />

I was making a form that is um... quite large and all inputs consist of the form looking like

<input type="text" id="first_name" name="first_name" />

so instead of having to do

$first_name = $_POST['first_name'];

and so on for every input, is there a way to grab every 'name' or 'id' from each input within the <form></form> and apply to a variable of the same value of the 'name' or 'id'.

I was thinking of something like a foreach statement?开发者_开发知识库?

Any ideas?

EDIT:

Given this little snippet of code here, how can it be use to now use the example given below?

function filter($data) {
    $data = trim(htmlentities(strip_tags($data)));

    if (get_magic_quotes_gpc())
        $data = stripslashes($data);

    $data = mysql_real_escape_string($data);

    return $data;
}

foreach($_POST as $key => $value) {
    $data[$key] = filter($value);
    echo $value . '<br />';
}


This is a bad idea using extract or a foreach, it would allow someone to hijack a variable in your code.

Imagine the following

$my_user_id = 10;
extract($_POST);
// Load the user for $my_user_id using MYSQL
// Change some value of the user for $my_user_id
// Update the database for user $my_user_id

What happens when a user hacks your form and changes the value of my_user_id?

They will be able to change the values for a user other than the one you intended them to change.

You should only get the values fro $_POST that you KNOW are OK and should be there. Do not grab everything and assume it is meant to be there.


Such a variable assignment is very bad idea. A malicious user can rewrite any variable in your program this way.
Never do such things.
You are right about foreach statement. But do not use it for setting variables - just use it to accomplish your script goal. Iterate $_POST and put it's values into query or mail body or whatever. No need for global scope variables

As I have said above, use foreach for the real automation.
You can use this function to produce a SET SQL statement out of array of field names and $_POST array:

function dbSet($fields) {
  $set='';
  foreach ($fields as $field) {
    if (isset($_POST[$field])) {
      $set.="`$field`='".mysql_real_escape_string($_POST[$field])."', ";
    }
  }
  return substr($set, 0, -2); 
}

$fields = explode(" ","name surname lastname address zip fax phone");
$query  = "INSERT INTO $table SET ".dbSet($fields);
0

精彩评论

暂无评论...
验证码 换一张
取 消