Thread: PHP 5 and isset()?

PHP 5 and isset()?
user name
2006-12-14 13:02:20
You have an error... look below.

PS: You are really vulnerable to SQL injection.
You need to scrub your vars before you use them in a query directly.

Joel



Boxxa wrote:
> Here is the page
>
> If I echo $_POST['submit_button'] it shows the assigned value but it
> won't go into the if statement for some reason.
>
>
> <?
> session_start();
> include('functions.php');

The two lines below are not good.

> $button_press = $_POST['del_image'];
> if(isset($button_press)){

When you assign "$button_press = $_POST['del_image'];" even if the post
var is empty it is still an assignment and may throw off the isset()
method... technically $button_press isset to something.

I always init my vars to do something like this if needed.
You know about the Ternary Operator... ( ) ? : ;
If not go here
http://us3.php.net/manual/en/language.operators.comparison.php and
scroll down about half a page... look for "Ternary Operator"

$button_press = (isset($_POST['del_image'])) ? $_POST['del_image'] : false;
if ($button_press !== false) {

or else just directly test against post var...

if (isset($_POST['del_image'])) {

> while (list ($key,$val) = each ($box)) {
> $query = mysql_query("DELETE FROM images WHERE image_path='$val'");
> unlink($val);
> }
> }
> checkLogin();
> drawHeader();
> ?><br>
> <br>
> <br>
> <center>
> <form action="edit_images.php" method="POST">
> <table width="50%" border="1">
> <tr>
> 	<td align="center"><strong>Category</strong></td>
> 	<td align="center"><strong>Filename</strong></td>
> 	<td align="center"><strong>Preview</strong></td>
> 	<td align="center"><strong>Delete</strong></td>
> </tr>
> <?
> include('db_connect.php');
> $query = mysql_query("SELECT * FROM images ORDER BY category ");
>
> while($row = mysql_fetch_array($query)){
>
> 	echo "<tr align=\"center\"><td>" . $row['category'] . "</td>";
> 	echo "<td align=\"center\">" . $row['image_name'] . "</td>";
> 	echo "<td align=\"center\"><img width=\"100px\" src=\"" . $row['image_path'] . "\"></img></td>";
> 	echo "<td align=\"center\"><input type=\"checkbox\" name=\"box[]\" value=\"" . $row['image_path'] . "\"></td></tr>";
> }
> ?>
> </table><br />
>
> <input type="submit" name="del_image" value="Delete Selected">
> </form>
> </center>


--~--~---------~--~----~------------~-------~--~----~
This group is managed and maintained by the development
staff at 360 PSG. An enterprise application development
company utilizing open-source technologies for todays
small-to-medium size businesses.

For information or project assistance please visit :
http://www.360psg.com

You received this message because you are subscribed to the
Google Groups "Professional PHP Developers" group.
To post to this group, send email to Professional-PHPgooglegroups.com
To unsubscribe from this group, send email to
Professional-PHP-unsubscribegooglegroups.com
For more options, visit this group at http:
//groups.google.com/group/Professional-PHP
-~----------~----~----~----~------~----~------~--~---
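An added example, not code from the thread or from 360 PSG, that applies both points in Joel's reply to the posted page: it tests `$_POST['del_image']` directly instead of a copy of it, and it hands the checked-box values to the DELETE as bound parameters of a prepared statement rather than pasting them into the SQL string. It assumes that db_connect.php creates a PDO connection in `$pdo`, that the image files live under an `images/` directory next to the script with `image_path` stored relative to the script, and that `checkLogin()` and `drawHeader()` are the functions from the poster's functions.php; all of those names are assumptions. Because the same submitted value also reaches `unlink()`, a file is only removed after its path resolves inside that directory, and the table loop escapes database values before echoing them into the HTML.

```php
<?php
// Added example, not the thread's own code. Assumptions: db_connect.php defines $pdo
// (a PDO connection to the same MySQL database), images are stored under ./images with
// image_path relative to this script, and checkLogin()/drawHeader() come from functions.php.
session_start();
include 'functions.php';
include 'db_connect.php';

$imageDir = realpath(dirname(__FILE__) . '/images');   // assumed upload directory

checkLogin();   // run the auth check before any state-changing work, not after it

// Test the POST field itself (Joel's second suggestion) rather than a copy of it.
if (isset($_POST['del_image']) && isset($_POST['box']) && is_array($_POST['box'])
    && $imageDir !== false) {
    // A prepared statement binds the value as data; it is never spliced into the SQL text,
    // so a submitted path containing a quote cannot change what the DELETE matches.
    $stmt = $pdo->prepare('DELETE FROM images WHERE image_path = ?');

    foreach ($_POST['box'] as $val) {
        if (!is_string($val)) {
            continue;   // box[] is expected to carry strings only
        }
        // The same value is passed to unlink(): accept it only if it resolves to a file
        // inside $imageDir, so "../" sequences and absolute paths are rejected.
        $real = realpath(dirname(__FILE__) . '/' . $val);
        if ($real === false || strpos($real, $imageDir . DIRECTORY_SEPARATOR) !== 0) {
            continue;
        }
        $stmt->execute(array($val));
        if ($stmt->rowCount() > 0) {   // only remove the file if a row actually matched
            unlink($real);
        }
    }
}

drawHeader();
?>
<center>
<form action="edit_images.php" method="POST">
<table width="50%" border="1">
<tr>
	<td align="center"><strong>Category</strong></td>
	<td align="center"><strong>Filename</strong></td>
	<td align="center"><strong>Preview</strong></td>
	<td align="center"><strong>Delete</strong></td>
</tr>
<?php
// Escape every database value before it is written into HTML text or attributes.
$rows = $pdo->query('SELECT category, image_name, image_path FROM images ORDER BY category');
foreach ($rows as $row) {
    $category = htmlspecialchars($row['category'], ENT_QUOTES, 'UTF-8');
    $name     = htmlspecialchars($row['image_name'], ENT_QUOTES, 'UTF-8');
    $path     = htmlspecialchars($row['image_path'], ENT_QUOTES, 'UTF-8');
    echo "<tr align=\"center\"><td>$category</td>";
    echo "<td align=\"center\">$name</td>";
    echo "<td align=\"center\"><img width=\"100\" src=\"$path\"></td>";
    echo "<td align=\"center\"><input type=\"checkbox\" name=\"box[]\" value=\"$path\"></td></tr>";
}
?>
</table><br />
<input type="submit" name="del_image" value="Delete Selected">
</form>
</center>
```

The `rowCount()` check ties the file deletion to the database: a submitted path that matches no row deletes nothing on disk either, and `checkLogin()` runs before the delete loop so an unauthenticated request can never reach it.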

PHP 5 and isset()?
user name
2006-12-14 20:05:31
This is perfect!

Thanks so much!



