How do I loop inside of variable names?


kobescoresagain
06-19-2006, 03:24 PM
I have some post variables that would be like this:
$_POST[name1]
$_POST[name2]
$_POST[name3]
$_POST[name4]
$_POST[name5]
$_POST[name6]
$_POST[name7]
$_POST[name8]
$_POST[name9]

I want to loop through them. I will always know how many there will be. I was trying to do something like
$_POST[name$i]
then increment through. But that won't work. What do I need to do?

MarkPW
06-19-2006, 03:35 PM
$_POST[name$i] won't work.. try this way: $_POST['name'.$i]

kobescoresagain
06-19-2006, 03:44 PM
$sql = "UPDATE user SET username = \"$_POST['username'.$i]\", access = \"$_POST['access'.$i]\", owner= \"$_POST['owner'.$i]\" WHERE id= \"$_POST['userid'.$i]\"";

I tried that and got this error: Parse error: parse error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING. The error is on that line for sure.

MarkPW
06-19-2006, 04:07 PM
Change to:

$sql = "UPDATE user SET username = \"".$_POST['username'.$i]."\", access = \"".$_POST['access'.$i]."\", owner= \"".$_POST['owner'.$i]."\" WHERE id= \"".$_POST['userid'.$i]."\"";

Paul M
06-19-2006, 04:12 PM
You need to escape the input first to avoid SQL injections.

The Geek
06-19-2006, 04:17 PM
On a side note... at the very LEAST you should be running them through addslashes() if not $db->escape_string() (which is better).

Otherwise you have a gargantuan security hole there.

Your best bet is something like this (assuming it's vb integrated):


// Declare the expected POST fields and their types
$vbulletin->input_clean_array_gpc('p', array(
    'name1' => TYPE_STR,
    'name2' => TYPE_STR,
    'name3' => TYPE_STR,
    'name4' => TYPE_STR,
    'name5' => TYPE_STR,
    'name6' => TYPE_STR,
    'name7' => TYPE_STR,
    'name8' => TYPE_STR,
    'name9' => TYPE_STR,
));

// Escape each cleaned value before it goes into the query string
$name1 = $db->escape_string($vbulletin->GPC['name1']);
// ...etc...

$sql = "UPDATE " . TABLE_PREFIX . "mytable SET name1='$name1' WHERE id=1";


However if I understand what you're trying to do, I would suggest posting the variables like this:


<input type="text" name="name[1]" value="" />


Then do this to catch and cleanse:


// A single array-typed field replaces name1..name9
$vbulletin->input_clean_array_gpc('p', array(
    'name' => TYPE_ARRAY_STR,
));

$prepped_name = array();

if (is_array($vbulletin->GPC['name']))
{
    foreach ($vbulletin->GPC['name'] as $key => $value)
    {
        // Escape every element; $key is the index from name[...]
        $prepped_name[$key] = $db->escape_string($value);
    }
}


That's just off the cuff, so don't quote me on that... just trying to help :D
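
The loop from the original question, written with bound parameters instead of concatenated or escaped strings. This is an added example, not part of any poster's reply or of vBulletin's own code. It assumes PDO with an in-memory SQLite database in place of the real one; the table layout, the $allowedAccess list and the sample input are constructed.

```php
<?php
// Added example, not code from the thread. Table layout, $allowedAccess and the
// sample input are constructed; in-memory SQLite (pdo_sqlite) stands in for the real DB.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT, access TEXT, owner TEXT)');
$pdo->exec("INSERT INTO user VALUES (1, 'a', 'user', 'x'), (2, 'b', 'user', 'y')");

// Constructed stand-in for $_POST; note the quote characters in the names.
$post = array(
    'userid1' => '1',   'username1' => "O'Brien",       'access1' => 'user',  'owner1' => 'x',
    'userid2' => '2',   'username2' => 'Bob "the dev"', 'access2' => 'admin', 'owner2' => 'y',
    'userid3' => 'abc', 'username3' => 'skipped',       'access3' => 'user',  'owner3' => 'z',
);
$allowedAccess = array('user', 'admin'); // assumed set of valid access levels

function updateUsers(PDO $pdo, array $post, int $rowCount, array $allowedAccess): int
{
    // Prepared once: the SQL text is fixed, values travel separately as data.
    $stmt = $pdo->prepare(
        'UPDATE user SET username = :username, access = :access, owner = :owner WHERE id = :id'
    );
    $updated = 0;
    for ($i = 1; $i <= $rowCount; $i++) {
        // Numbered field names are built as strings: 'username' . $i
        $id       = $post['userid' . $i] ?? null;
        $username = $post['username' . $i] ?? null;
        $access   = $post['access' . $i] ?? null;
        $owner    = $post['owner' . $i] ?? null;

        // Binding stops injection; validation still decides what is acceptable.
        if (filter_var($id, FILTER_VALIDATE_INT) === false
            || !is_string($username) || !is_string($owner)
            || !in_array($access, $allowedAccess, true)) {
            continue; // missing, non-string or disallowed field: skip the row
        }
        $stmt->execute(array(
            ':username' => $username, ':access' => $access,
            ':owner' => $owner, ':id' => (int) $id,
        ));
        $updated += $stmt->rowCount();
    }
    return $updated;
}

echo updateUsers($pdo, $post, 3, $allowedAccess), " row(s) updated\n";
foreach ($pdo->query('SELECT id, username, access FROM user ORDER BY id') as $row) {
    echo $row['id'], ': ', $row['username'], ' (', $row['access'], ")\n";
}
```

The names containing single and double quotes are stored verbatim, and the row with a non-numeric id is skipped by validation rather than reaching the database.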

kobescoresagain
06-19-2006, 04:21 PM
Ya, I would have done this differently if I was doing it from the beginning. But I am finishing something someone else started. I figured it out with your guys help. Thanks