Post to PHP_Self & required_code

#110140 (In Topic #21900)
TQ

Honoured member

Let me start by offering my apologies for asking basic programming questions, but I'm a little overwhelmed by the on-line documentation, i.e. there is so much there I can't see the wood for the trees.

I have created a 4 column table in the OCP db to store donation info. I wanted to populate it with historic info from a page within OCP (which is no longer relevant as I have done it by hand). I still however want to understand the method as I wish to expand on the principles in the future.

I have created the form and 'Insert' query within a miniblock and placed it on the page along with another miniblock that lists the content of the table entries. I want the page to refresh to itself so that I can see past entries at a glance.

The two areas I'm having problems understanding are:
  1. What 'require_code' entries do I need to be able to perform $GLOBALS['SITE_DB']->query(...
  2. 'PHP_SELF' only returns the zone/index.php page so I'm not successfully able to post my data from the form to self.
Maybe I've got the whole methodology wrong, feel free to say so, don't be shy.

This is what I'm working with at the moment (I am aware that the data needs validating):

Code

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
 <head>
  <title> Add Donation to db</title>
  <meta name="Author" content="TQ">
  <meta name="Keywords" content="">
  <meta name="Description" content="">
 </head>
 <body>
 <?php
 require_code('permissions');
// define variables and set to empty values
$d_member = $d_date = $d_amount = $d_comment =  "";
// Clean Input data
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $d_member = test_input($_POST["d_member"]);
    $d_date = test_input($_POST["d_date"]);
    $d_amount = test_input($_POST["d_amount"]);
    $d_comment = test_input($_POST["d_comment"]);
}
//
function test_input($data) {
     $data = trim($data);
     $data = stripslashes($data);
     $data = htmlspecialchars($data);
     return $data;
}
// proof that the miniblock isn't seen by php_self
echo $_SERVER['PHP_SELF'];

//Post data if Submit is pressed, else ignore
if (isset($_POST['submit'])) {
$GLOBALS['SITE_DB']->query("INSERT INTO ocp_donation  (d_member, d_date, d_amount, d_comment) VALUES (" . $d_member  . $d_date . $d_amount . $d_comment .")");
}
?>

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
    <table class="dons">
        <tbody>
        <tr><th colspan="4">Enter a new donation into the database</th></tr>
            <tr>
                <td style="text-align: right;">User ID:</td>
                <td><input name="d_member" type="text" /></td>
            </tr>
            <tr>
                <td style="text-align: right;">Date:</td>
                <td><input name="d_date" type="text" /></td>
            </tr>
            <tr>
                <td style="text-align: right;">Amount:</td>
                <td><input name="d_amount" type="text" /></td>
            </tr>
            <tr>
                <td style="text-align: right;">Comment:</td>
                <td><textarea name="d_comment" rows="3" cols="60"></textarea></td>
            </tr>
            <tr>
                <td style="text-align: right;">&nbsp;</td>
                <td><input type="submit" name="submit" value="Submit" /></td>
            </tr>
        </tbody>
    </table>
</form>
 </body>
</html>
Any pointers would be appreciated. Some existing sample/example code would be a great starting point; I'm not asking anyone to do the work for me, but I'll take whatever I can get :)

Thanks

TQ

#110142

1 - none.
2 - you can likely just use "#". But get_self_url_easy() is probably best for you


Become a fan of ocPortal on Facebook or add me as a friend. Add me on on Twitter.
Was I helpful?
  • If not, please let us know how we can do better (please try and propose any bigger ideas in such a way that they are fundable and scalable).
  • If so, please let others know about ocPortal whenever you see the opportunity.
  • If my reply is too Vulcan or expressed too much in business-strategy terms, and not particularly personal, I apologise. As a company & project maintainer, time is very limited to me, so usually when I write a reply I try and make it generic advice to all readers. I'm also naturally a joined-up thinker, so I always express my thoughts in combined business and technical terms. I recognise not everyone likes that, don't let my Vulcan-thinking stop you enjoying ocPortal on fun personal projects.
  • If my response can inspire a community tutorial, that's a great way of giving back to the project as a user.

#110144
TQ

Honoured member

Chris Graham said

1 - none.
2 - you can likely just use "#". But get_self_url_easy() is probably best for you

Hi Chris,

So I didn't ask question 1 correctly, I'll try again.

If I wish to test my miniblocks independently of OCP, i.e. call them up directly in the browser, and I want to use $GLOBALS['SITE_DB']->query(…, what do I need to do?

I've been using my own connection strings but I'm sure you have something neater than that.

I'm working on answer 2 now, thanks.

TQ

#110146

Calling up a block file directly isn't practical for a number of reasons. You'd need to add all the ocPortal bootstrapping code to the block file, but make that code only run if the file was called directly, and disable our security to stop deep PHP files being run directly.



#110148
TQ

Honoured member

Chris Graham said

Calling up a block file directly isn't practical for a number of reasons. You'd need to add all the ocPortal bootstrapping code to the block file, but make that code only run if the file was called directly, and disable our security to stop deep PHP files being run directly.

The strength of OCP's security is what I was after so everything you say makes perfect sense.

I'm struggling at the moment to work out how to update/insert to the db from an OCP page. Entirely my lack (or should I say absence) of programming skills, nothing more. I'm sure I'll crack it (and learn a whole lot more along the way).

Thanks for responding and, as always, thanks for taking the time.

TQ

#110151

Code

$GLOBALS['SITE_DB']->query_insert('someTableNameWithoutTheTablePrefix',array('field'=>'value','otherfield'=>'othervalue'));

Or if you prefer raw SQL (which you can collect from a MySQL frontend, when it builds queries for you)…

Code

$GLOBALS['SITE_DB']->query('INSERT INTO someTableName (field,otherfield) VALUES (\'value\',\'othervalue\')');

The query_insert syntax is preferred as it's impossible to make a security hole using it. Building up SQL by hand (which is what you'd presumably be doing, as it won't be static values) is risky business.



#110157
TQ

Honoured member

Chris Graham said

Code

$GLOBALS['SITE_DB']->query_insert('someTableNameWithoutTheTablePrefix',array('field'=>'value','otherfield'=>'othervalue'));

Or if you prefer raw SQL (which you can collect from a MySQL frontend, when it builds queries for you)…

Code

$GLOBALS['SITE_DB']->query('INSERT INTO someTableName (field,otherfield) VALUES (\'value\',\'othervalue\')');

The query_insert syntax is preferred as it's impossible to make a security hole using it. Building up SQL by hand (which is what you'd presumably be doing, as it won't be static values) is risky business.

Thanks Chris for that gem.

As you will see from the example I posted in the first part of this thread, I am using the queries that I create & test in HeidiSQL in my php queries, so I will migrate to the bullet proof method in example 1 as soon as I've got even the simplest page working, and here's the rub.

I think I've missed the point when it comes to structure (flow).

The goal is to create a page with a form on it that I complete then add (or at a later date amend) that data to/in the db.

I've tried creating the html form within the page and posting it to a separate php page to enter data into the db. That doesn't work (unless I use my own connection) because $GLOBALS is not recognised.

I've tried putting both the form and the query into a single miniblock and then posting to PHP_SELF, get_self_url_easy() and even the full path to the php page but, although OCP doesn't throw an error, nothing is posted to the db.

I am writing this before I have another attempt at this today so no response is required unless someone can point me in the direction of an existing (SIMPLE) code example of how this is done.

EDIT: Disregard that, I've found more errors in my query string than Madonna hits bum notes :@

TQ


Last edit: by TQ

#110159

Hi,

Just ran a quick test with original code except get_self_url_easy. It worked actually, query ran. I didn't have the table so the query failed, but it did run.

Hopefully you didn't add cache="1" on the block Comcode? That'd kill it.



#110161

The query is missing commas between values and escaping btw.

At very least needs to be:

Code

$GLOBALS['SITE_DB']->query("INSERT INTO ocp_donation  (d_member, d_date, d_amount, d_comment) VALUES ('" . db_escape_string($d_member)  . "','" . db_escape_string($d_date) . "','" . db_escape_string($d_amount) . "','" . db_escape_string($d_comment) ."')");

But I strongly advise:

Code

$GLOBALS['SITE_DB']->query_insert('donation',array('d_member'=>$d_member, 'd_date'=>$d_date, 'd_amount'=>$d_amount, 'd_comment'=>$d_comment));

The secure way is actually easier for simple insert/update/delete/select queries.


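Pulling the advice from posts #110151 and #110161 together, here is an added example of a self-posting miniblock (this is not TQ's code and not ocPortal's own code). It validates each form field, records the row with query_insert() as Chris recommends, posts back to get_self_url_easy() rather than PHP_SELF, and lists what is in the table. It assumes a table created as 'donation' (ocPortal adds the prefix, giving ocp_donation) with columns d_member, d_date, d_amount and d_comment; query_insert() and get_self_url_easy() come from the thread, while query_select() and its argument order are assumed from the ocPortal core API rather than taken from this page.

```php
<?php
// Added example, not code from this thread or from ocPortal itself.
// A self-posting miniblock: validate the form, insert with query_insert(),
// then list what is in the table. Assumed: a table created as 'donation'
// (ocPortal adds the prefix, giving ocp_donation) with columns
// d_member (INTEGER), d_date (VARCHAR), d_amount (REAL), d_comment (TEXT).

$errors = array();
$notice = '';

if (isset($_POST['submit'])) {
    // Read the raw values; validate before they go anywhere near SQL.
    $d_member  = isset($_POST['d_member'])  ? trim($_POST['d_member'])  : '';
    $d_date    = isset($_POST['d_date'])    ? trim($_POST['d_date'])    : '';
    $d_amount  = isset($_POST['d_amount'])  ? trim($_POST['d_amount'])  : '';
    $d_comment = isset($_POST['d_comment']) ? trim($_POST['d_comment']) : '';

    if (!ctype_digit($d_member)) {
        $errors[] = 'User ID must be a whole number.';
    }
    // ISO date only, and it must be a real calendar date (no 2014-02-31).
    if (!preg_match('#^(\d{4})-(\d{2})-(\d{2})$#', $d_date, $m)
        || !checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $errors[] = 'Date must be YYYY-MM-DD.';
    }
    if (!preg_match('#^\d+(\.\d{1,2})?$#', $d_amount)) {
        $errors[] = 'Amount must be a number with at most two decimal places.';
    }
    if (strlen($d_comment) > 1000) {
        $errors[] = 'Comment must be 1000 characters or fewer.';
    }

    if (count($errors) == 0) {
        // query_insert() quotes and escapes each value itself, so an
        // apostrophe in a comment (O'Brien) is stored as data rather than
        // becoming part of the SQL. The hand-built equivalent would need
        // quotes plus db_escape_string() around every single value.
        $GLOBALS['SITE_DB']->query_insert('donation', array(
            'd_member'  => intval($d_member),
            'd_date'    => $d_date,
            'd_amount'  => floatval($d_amount),
            'd_comment' => $d_comment,
        ));
        $notice = 'Donation recorded.';
    }
}

// Assumed ocPortal core signature: query_select($table, $fields, $where, $end).
$rows = $GLOBALS['SITE_DB']->query_select('donation', array('*'), NULL, 'ORDER BY d_date DESC');
?>
<?php if ($notice != '') { ?>
<p><?php echo htmlspecialchars($notice); ?></p>
<?php } ?>
<?php foreach ($errors as $error) { ?>
<p class="error"><?php echo htmlspecialchars($error); ?></p>
<?php } ?>
<!-- get_self_url_easy() gives the URL of the page the block sits on, so the
     form returns here; $_SERVER['PHP_SELF'] would give zone/index.php. -->
<form method="post" action="<?php echo htmlspecialchars(get_self_url_easy()); ?>">
    <table class="dons">
        <tbody>
            <tr><th colspan="2">Enter a new donation into the database</th></tr>
            <tr><td>User ID:</td><td><input name="d_member" type="text" /></td></tr>
            <tr><td>Date:</td><td><input name="d_date" type="text" /></td></tr>
            <tr><td>Amount:</td><td><input name="d_amount" type="text" /></td></tr>
            <tr><td>Comment:</td><td><textarea name="d_comment" rows="3" cols="60"></textarea></td></tr>
            <tr><td>&nbsp;</td><td><input type="submit" name="submit" value="Submit" /></td></tr>
        </tbody>
    </table>
</form>
<table class="dons">
    <tbody>
        <tr><th>User ID</th><th>Date</th><th>Amount</th><th>Comment</th></tr>
<?php foreach ($rows as $row) { ?>
        <tr>
            <!-- Everything read back from the database is HTML-escaped on output. -->
            <td><?php echo htmlspecialchars($row['d_member']); ?></td>
            <td><?php echo htmlspecialchars($row['d_date']); ?></td>
            <td><?php echo htmlspecialchars($row['d_amount']); ?></td>
            <td><?php echo htmlspecialchars($row['d_comment']); ?></td>
        </tr>
<?php } ?>
    </tbody>
</table>
```

Place the file as a miniblock and drop it onto the page with the block's Comcode tag without cache="1", as Chris notes earlier in the thread; a cached copy of the block would never reach the POST branch. Validation happens before the insert, so a malformed amount or date is reported back on the same page rather than stored, and the listing below the form shows the new row as soon as the request returns.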
 
#110162
TQ

Honoured member

Chris Graham said

The query is missing commas between values and escaping btw.

At very least needs to be:

Code

$GLOBALS['SITE_DB']->query("INSERT INTO ocp_donation  (d_member, d_date, d_amount, d_comment) VALUES ('" . db_escape_string($d_member)  . "','" . db_escape_string($d_date) . "','" . db_escape_string($d_amount) . "','" . db_escape_string($d_comment) ."')");

But I strongly advise:

Code

$GLOBALS['SITE_DB']->query_insert('donation',array('d_member'=>$d_member, 'd_date'=>$d_date, 'd_amount'=>$d_amount, 'd_comment'=>$d_comment));

The secure way is actually easier for simple insert/update/delete/select queries.

Re: escaping etc. Of course you are right, you'll have noticed that I'd already edited my previous message when I discovered my many errors.

Don't quite know when I messed this up because I copied it from my stand-alone version to start with.

Anyway, I have it working now and have started on the validation side of things.

I will revise the query to query_insert etc. as soon as I've got what I'm working on sorted out but you can rest easy, all of this is being done in a zone that is only available to administrators (me) so I am already afforded some of your very fine protection.

Thanks Chris, I really do appreciate your help & guidance.

TQ

#110164

all of this is being done in a zone that is only available to administrators (me) so I am already afforded some of your very fine protection.

Good thing we don't allow blocks to automatically run standalone then :lol:.

