


Help with $_POST and $_SERVER['PHP_SELF'] please.

I am using values stored in an $_POST array to display records from a table before
asking the user if he is sure he wants to delete them. If the user confirms then
the records are deleted. Without boring you with all of the code here is the
rough idea.

<?php
$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
if (!isset($_POST['submit'])) {
// Then display the records that were marked for deletion
?>
<form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">
<p align="center"><font face="Arial" size="2"><b>Are you sure you wish to
continue?</b></font></p>
<p align="center"><input type="submit" name="submit" value="Yes I want to delete
these records"></p>
</form>
<?php
}
else {
$query2="DELETE FROM Catalogue WHERE $delete";
mysql_query($query2) or die("Failed Query of " . $query2);
echo "Your records were successfully deleted";
}

Everything works fine up to the point where the user confirms that he wants to
delete the records. Then I get a failed delete query message as follows:

Warning: implode(): Bad arguments. in
mywebsite\user\htdocs\deleteselectedrecords.php on line 17
Failed Query of DELETE FROM Catalogue WHERE ( id = )

Since there are no values for id I can only assume that the original array held
within $_POST['delete'] is no longer stored when the page is refreshed after the
user has confirmed that he wants to delete the records. That being the case how
can I best code the page so that I can use an array in both instances. I'm
hazarding a guess that I may have to pass the array on by using something like
<input='hidden' etc etc>. That being the case how do I do that or is there a
better way of achieving my objective?

Hope that all makes sense.
Regards
Dynamo

 

0
5/19/2006 5:50:05 PM
comp.lang.php

>I am using values stored in an $_POST array to display records from a table before
>asking the user if he is sure he wants to delete them. If the user confirms then
>the records are deleted. Without boring you with all of the code here is the
>rough idea.

You get a new $_POST on each form submission.  You do not get
stuff left over from the previous form submission in it.

>Since there are no values for id I can only assume that the original array held
>within $_POST['delete'] is no longer stored when the page is refreshed after the
>user has confirmed that he wants to delete the records. That being the case how

This is the way it's supposed to work.  You shouldn't have left-over
crap from previous form submissions.  Considering that some of that
data might be credit card numbers or passwords, that would be a horrible
insecurity.

>can I best code the page so that I can use an array in both instances. I'm
>hazarding a guess that I may have to pass the array on by using something like
><input='hidden' etc etc>. That being the case how do I do that or is there a
>better way of achieving my objective?

Two possibilities are (1) store the ID in the session, or (2) put
the ID in a hidden field in the confirmation page form, so it shows
up in the new $_POST.  Since it goes through the browser, remember
that this value can be hacked.

Always remember that you need to check whether the user has the
authority to delete the record *AT THE TIME THE CONFIRMATION IS
SUBMITTED*.  You checked when generating the confirmation page?
Great, but that alone is not good enough.

						Gordon L. Burditt
0
5/19/2006 6:32:39 PM
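
The points in the post above (keep the selected ids server-side, treat anything that comes back through the browser as untrusted, and check authority when the confirmation is submitted) as an added example; it is not code from any poster in this thread. The function names, the `owner_id` column and the in-memory SQLite demo data are assumptions made for illustration, and it needs PHP 7+ with pdo_sqlite.

```php
<?php
// Added example: confirm-then-delete with server-side state (hypothetical helper names).
// Assumption: Catalogue has an owner_id column used for the authorization check.

function stage_delete(array $post, array &$session): array {
    $raw = isset($post['delete']) && is_array($post['delete']) ? $post['delete'] : [];
    // Keep only values that are positive integers; anything else is dropped.
    $ids = [];
    foreach ($raw as $v) {
        if (is_string($v) && ctype_digit($v) && (int)$v > 0) { $ids[(int)$v] = true; }
    }
    $session['delete_ids'] = array_keys($ids);
    $session['delete_token'] = bin2hex(random_bytes(16)); // goes in the hidden field
    return $session['delete_ids'];
}

function confirm_delete(PDO $db, array $post, array &$session, int $userId): int {
    $ids = $session['delete_ids'] ?? [];
    $token = $session['delete_token'] ?? '';
    unset($session['delete_ids'], $session['delete_token']); // one-shot confirmation
    if (!$ids || !is_string($post['token'] ?? null) || !hash_equals($token, $post['token'])) {
        return 0;
    }
    // Ownership is enforced in the DELETE itself, i.e. at confirmation time.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM Catalogue WHERE owner_id = ? AND id IN ($marks)");
    $stmt->execute(array_merge([$userId], $ids));
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Catalogue (id INTEGER PRIMARY KEY, owner_id INTEGER, title TEXT)');
$db->exec("INSERT INTO Catalogue VALUES (1,7,'a'),(2,7,'b'),(3,9,'c')");

$session = []; // stands in for $_SESSION after session_start()
// Constructed form input: two numeric ids, one non-numeric string, one nested array.
$staged = stage_delete(['delete' => ['1', '3', 'abc', ['x']]], $session);
$deleted = confirm_delete($db, ['token' => $session['delete_token']], $session, 7);
$left = (int)$db->query('SELECT COUNT(*) FROM Catalogue')->fetchColumn();
printf("staged=%s deleted=%d left=%d\n", implode(',', $staged), $deleted, $left);
```

In a real page `$session` would be `$_SESSION` after `session_start()`, and the token would be written into the confirmation form as a hidden `token` field.
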
Dynamo's comments are totally valid, but on the basis that you stripped all
that stuff out, you just need to add a hidden input here to make it work...

(Note: Example typed and not tested)

> <?php
> $delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
> if (!isset($_POST['submit'])) 
> {
> // Then display the records that were marked for deletion ?> 
> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 

** Hidden input here **
<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">

> <p align="center"><font face="Arial" size="2"><b>Are you sure you wish to
> continue?</b></font></p>
> <p align="center"><input type="submit" name="submit" value="Yes I want
> to delete these records"></p>
> </form>

[snip]


Cheers,

Ben
0
usenet147 (43)
5/20/2006 2:37:48 AM
I kinda guessed that if I used a new php page that the original $_POST array
would be lost. However, I mistakenly thought that if I used $_SERVER['PHP_SELF']
as the action for the form that the array would still be stored. It appears that
that is not the case. So the problem remains of how to EASILY pass the array
from the first page to the next. I had already tried using

<input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">

but it didn't work. When I debugged by using

<?php
echo "<pre>\n"; 
print_r($_POST['delete']); 
echo "</pre>\n";
?>

on the second page all I got was the word "Array", hence when that was inserted
into the delete query I got

$query1 = "DELETE FROM Catalogue WHERE id = Array"

So I'm hazarding another guess that my hidden field input should be something
more like this
<?php
for each (value stored in the array){
?>
<input type="hidden" name="delete[]" value="<?php echo (value stored in array);
?>">
<?php
}
?>

Only problem is I'm not sure what goes into the (value stored in array) part of
the code. Any help greatly appreciated. Is there an easier way of passing the
array?

Regards
Dynamo


 


In article <pan.2006.05.20.02.37.48.82620@bens-house.org.uk>, Ben Holness
says...
>
>Dynamo's comments are totally valid, but on the basis that you stripped all
>that stuff out, you just need to add a hidden input here to make it work...
>
>(Note: Example typed and not tested)
>
>> <?php
>> $delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
>> if (!isset($_POST['submit'])) 
>> {
>> // Then display the records that were marked for deletion ?> 
>> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 
>
>** Hidden input here **
><input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
>
>> <p align="center"><font face="Arial" size="2"><b>Are you sure you wish to
>> continue?</b></font></p>
>> <p align="center"><input type="submit" name="submit" value="Yes I want
>> to delete these records"></p>
>> </form>
>
>[snip]
>
>
>Cheers,
>
>Ben

0
5/20/2006 7:47:34 AM
Try this,

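<?php
// Emit one hidden field per selected id; escape each value for the HTML attribute.
foreach ($_REQUEST['delete'] as $val){
?>
<input type="hidden" name="delete[]" value="<?php echo htmlspecialchars($val, ENT_QUOTES); ?>">
<?php
}
?>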

Otherwise you can use sessions as Gordon mentions, which is more secure;

At the top of each page add the line 

session_start();

When you get the delete array, add it to the session

$_SESSION['deleteArray']=$_REQUEST['delete'];

When you actually want to delete the items, use $_SESSION['deleteArray']

More information under sessions at php.net

Ben
0
usenet147 (43)
5/20/2006 12:51:06 PM
Dynamo wrote:
> I kinda guessed that if I used a new php page that the original $_POST array
> would be lost. However, I mistakenly thought that if I used $_SERVER['PHP_SELF']
> as the action for the form that the array would still be stored. It appears that
> that is not the case. So the problem remains of how to EASILY pass the array
> from the first page to the next. I had already tried using
> 
> <input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
> 
> but it didn't work. When I debugged by using
> 
> <?php
> echo "<pre>\n"; 
> print_r($_POST['delete']); 
> echo "</pre>\n";
> ?>
> 
> on the second page all I got was the word "Array", hence when that was inserted
> into the delete query I got
> 
> $query1 = "DELETE FROM Catalogue WHERE id = Array"
> 
> So I'm hazarding another guess that my hidden field input should be something
> more like this
> <?php
> for each (value stored in the array){
> ?>
> <input type="hidden" name="delete[]" value="<?php echo (value stored in array);
> ?>">
> <?php
> }
> ?>
> 
> Only problem is I'm not sure what goes into the (value stored in array) part of
> the code. Any help greatly appreciated. Is there an easier way of passing the
> array?
> 
> Regards
> Dynamo
> 
> 
>  
> 
> 
> In article <pan.2006.05.20.02.37.48.82620@bens-house.org.uk>, Ben Holness
> says...
> 
>>Dynamo's comments are totally valid, but on the basis that you stripped all
>>that stuff out, you just need to add a hidden input here to make it work...
>>
>>(Note: Example typed and not tested)
>>
>>
>>><?php
>>>$delete = '( id = ' . implode(' OR id = ', $_POST['delete'] ) . ' ) ';
>>>if (!isset($_POST['submit'])) 
>>>{
>>>// Then display the records that were marked for deletion ?> 
>>><form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> 
>>
>>** Hidden input here **
>><input type="hidden" name="delete" value="<?php echo $_POST['delete']; ?>">
>>
>>><p align="center"><font face="Arial" size="2"><b>Are you sure you wish to
>>>continue?</b></font></p>
>>><p align="center"><input type="submit" name="submit" value="Yes I want
>>>to delete these records"></p>
>>></form>
>>
>>[snip]
>>
>>
>>Cheers,
>>
>>Ben
> 
> 

Ben,

The problem here is:

   value="<?php echo $_POST['delete'];

If $_POST['delete'] is an array, the result will be

   value="Array"

in your page.  You can see that if you view the source code for your page in 
your browser.

Since $_POST['delete'] is an array, you have a couple of choices.  You can 
serialize the array before storing it, then use htmlentities() in case you have 
other chars in the string (i.e. a " mark).

The way I prefer is to store it in the session.  Just call session_start() at 
the beginning of each page where you need sessions (before ANY output - 
including whitespace - is generated) and store it in the session, i.e.

   <?php
     start_session();
     (perhaps other stuff here, i.e. validation code)
     $_SESSION['delete'] = $_POST['delete'];
   ?>

Then the next time through you can get it from $_SESSION['delete'].

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
0
jstucklex (14659)
5/20/2006 1:30:38 PM
Many thanks. Apart from a couple of false starts everything is now OK. First
time I tried your code I simply copied and pasted it and ended up with an
unknown function error. Although you correctly call it session_start() to begin
with, in the actual sample code you called it start_session(). Second time I
tried it I got a couple of warnings that headers had already been sent and that
the session could not be started. That was because I hadn't called the function
at the ABSOLUTE beginning of the page. I had

<?php
include("connect.php");
session_start();
?>

But when I changed it to

<?php
session_start();
include("connect.php");
?>

Everything was hunky dory. I guess a little bit always needs to be left to the
programmer to sort out eh? :-)

Many thanks to all those that helped with this posting

Dynamo 




In article <F9udnZilfvxmhPLZnZ2dnUVZ_uWdnZ2d@comcast.com>, Jerry Stuckle says...
>

>The way I prefer is to store it in the session.  Just call session_start() at 
>the beginning of each page where you need sessions (before ANY output - 
>including whitespace - is generated) and store it in the session, i.e.
>
>   <?php
>     start_session();
>     (perhaps other stuff here, i.e. validation code)
>     $_SESSION['delete'] = $_POST['delete'];
>   ?>
>
>Then the next time through you can get it from $_SESSION['delete'].
>

0
5/20/2006 4:03:19 PM
Dynamo wrote:
> Many thanks. Apart from a couple of false starts everything is now OK. First
> time I tried your code I simply copied and pasted it and ended up with an
> unknown function error. Although you correctly call it session_start() to begin
> with, in the actual sample code you called it start_session(). Second time I
> tried it I got a couple of warnings that headers had already been sent and that
> the session could not be started. That was because I hadn't called the function
> at the ABSOLUTE beginning of the page. I had
> 
> <?php
> include("connect.php");
> session_start();
> ?>
> 
> But when I changed it to
> 
> <?php
> session_start();
> include("connect.php");
> ?>
> 
> Everything was hunky dory. I guess a little bit always needs to be left to the
> programmer to sort out eh? :-)
> 
> Many thanks to all those that helped with this posting
> 
> Dynamo 
> 
> 
> 
> 
> In article <F9udnZilfvxmhPLZnZ2dnUVZ_uWdnZ2d@comcast.com>, Jerry Stuckle says...
> 
> 
>>The way I prefer is to store it in the session.  Just call session_start() at 
>>the beginning of each page where you need sessions (before ANY output - 
>>including whitespace - is generated) and store it in the session, i.e.
>>
>>  <?php
>>    start_session();
>>    (perhaps other stuff here, i.e. validation code)
>>    $_SESSION['delete'] = $_POST['delete'];
>>  ?>
>>
>>Then the next time through you can get it from $_SESSION['delete'].
>>
> 
> 

Sorry about the function name.  I guess I shouldn't post before my first pot of 
coffee :-).

-- 
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
0
jstucklex (14659)
5/20/2006 6:31:00 PM