Re: Problem involving checkbox and Postgresql

From: Chadwick Rolfs <cmr(at)shell(dot)gis(dot)net>
To: pgsql-php(at)postgresql(dot)org
Subject: Re: Problem involving checkbox and Postgresql
Date: 2002-06-21 13:44:24
Message-ID: Pine.SOL.3.96.1020621093804.25405B-100000@shell.gis.net
Lists: pgsql-php

On Mon, 17 Jun 2002, Digital Wokan wrote:

> All of which brings up the fact that you should never just trust all the
> values being submitted to a page. That's how SQL insertion attacks succeed.
>
> On Thursday 20 June 2002 13:22, Scott Marlowe wrote:
> > You have to process the values yourself to make sure it's right.
> >
> > Just do something like this:
> >
> > if ($driving_required == "1") $driving_required = 't';
> > else $driving_required = 'f';
> >
> > Then use it in your update / insert statement as usual.
> >
> > On 20 Jun 2002, Jeff Self wrote:
> > > That only works if I leave the checkboxes checked. If I remove the
> > > check, I get the following error:
> > >
> > > Warning: pg_exec() query failed: ERROR: Bad boolean external
> > > representation ''
> > > in /var/www/nngov/admin/jobpostresults.php on line 66
> > >
> > > On Thu, 2002-06-20 at 13:39, Surojit Niyogi wrote:
> > > > Hi Jeff,
> > > >
> > > > Set the value parameter in the input tag
> > > >
> > > > <input type="checkbox"
> > > > name="driving_required" CHECKED value='1'>
> > > >
> > > > That should work I believe.
> > > >
> > > > -Surojit

I just looked it up, and the value attribute is optional EXCEPT when the
type is either radio or checkbox. Therefore you must specify some sort of
value; it could even be 'on' if you want ;)
See here:

http://www.w3.org/TR/html4/interact/forms.html#h-17.4

Either way, as stated above, all values should be checked in a production
state, but to manipulate your $_POST or $_GET arrays and turn them into
SQL query strings, it is sometimes necessary to individually search and
replace values that do not work with SQL. In other words, HTML form
values were not meant to be sent to database back ends in the form of SQL,
hence we have PHP to change them for us :) Hooray for that!

-Chadwick
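An added example (not from anyone in this thread) of the two points above: an unchecked checkbox is simply absent from $_POST, so reading it blindly yields the '' that PostgreSQL rejected, and the submitted string should be normalized to a boolean literal and bound as a parameter rather than spliced into the SQL text. It assumes PHP 7+, pg_query_params() (PHP 5.1+, so not available when this thread was written), a hypothetical table jobposts(id integer, driving_required boolean) and an open connection in $conn.

```php
<?php
// Added example; table name, $conn and field names are assumptions.

/**
 * Map an HTML checkbox submission to a PostgreSQL boolean literal.
 * A missing key means the box was unchecked (browsers do not send
 * unchecked checkboxes at all). With no value attribute browsers send
 * "on"; the thread uses value='1'. Anything else is treated as false,
 * so the raw form string never reaches the SQL.
 */
function checkbox_to_pg_bool(array $form, string $field): string
{
    if (!array_key_exists($field, $form)) {
        return 'f';
    }
    return in_array($form[$field], ['1', 'on', 'true', 't'], true) ? 't' : 'f';
}

/**
 * Update the flag using a bound parameter. The form data is passed as
 * a value, not concatenated into the query, so there is nothing for a
 * crafted submission to inject. Returns false if the query failed.
 */
function update_driving_required($conn, int $id, array $form): bool
{
    $flag = checkbox_to_pg_bool($form, 'driving_required');
    $result = pg_query_params(
        $conn,
        'UPDATE jobposts SET driving_required = $1 WHERE id = $2',
        [$flag, $id]
    );
    return $result !== false;
}

// Mapping alone, runnable without a database (constructed inputs):
// checked with value='1', checked with no value attribute, unchecked,
// and an unexpected string a client could send instead of the value.
foreach ([
    ['driving_required' => '1'],
    ['driving_required' => 'on'],
    [],
    ['driving_required' => 'yes please'],
] as $form) {
    echo checkbox_to_pg_bool($form, 'driving_required'), "\n";
}
```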
