  1. #1
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,075
    Thanks
    26
    Thanked 0 Times in 0 Posts

    Checking if Check-Box is Checked!!

    What is the best way to check if a Check-Box is checked?!

    Here is my HTML...
    Code:
    	<input name='selectAll' type='checkbox' value=1 />

    In my PHP, I originally had been using this...
    PHP Code:
        if (!empty($_POST['selectAll']) && $_POST['selectAll'] == 1){ 

    However, in retrospect this seems like overkill...

    If the Check-Box was not checked, then it would have a value of "NULL", right?

    And if the Check-Box was checked via the Form, it would have a value of "1", right?

    And if some hacker were screwing with things, it would have some other value, right?

    But in this instance, all I really care about is if selectAll = 1, so couldn't I just write this instead...
    PHP Code:
        if ($_POST['selectAll'] == 1){
            // Do something.
        }else{
            // Do nothing.
        }

    Sincerely,


    Debbie

  • #2
    New Coder
    Join Date
    Aug 2010
    Location
    myeik
    Posts
    81
    Thanks
    6
    Thanked 5 Times in 5 Posts
    That sounds great, I want to see the answer on what is the best.
    !empty is chosen for validating the check box,
    so that is a good way too, I think.

  • #3
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    If a checkbox is not checked then nothing at all is posted-back: the post value will not be set (or even exist).

    POST data are strings (or arrays of strings), unless you do some conversion to a number, etc., so you should compare against '1'.

    PHP Code:
    if (isset($_POST['selectAll']) && !empty($_POST['selectAll']) && $_POST['selectAll'] == '1') { 
    Most people tend to omit the second of these tests. But we can now do:

    PHP Code:
    if ($_POST['selectAll'] && $_POST['selectAll'] == '1') { 
    where the first expression says, effectively, "it exists and has a value"; that is, a value other than a falsy-value.
    "I'm here to save your life. But if I'm going to do that, I'll need total uninanonynymity." Me Myself & Irene.
    Validate your HTML and CSS

  • #4
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,075
    Thanks
    26
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by AndrewGSW
    If a checkbox is not checked then nothing at all is posted-back: the post value will not be set (or even exist).
    You may recall from the other thread you helped me on, that I seem to keep forgetting this?! (Old habits die hard!!)


    POST data are strings (or arrays of strings), unless you do some conversion to a number, etc., so you should compare against '1'.
    Not sure if I am reading too much into what you are saying, but I was told by some recently that it is better to do this...
    Code:
    <input name='selectAll' type='checkbox' value=1 />
    ...than this...
    Code:
    <input name='selectAll' type='checkbox' value='TRUE' />
    ...or this...
    Code:
    <input name='selectAll' type='checkbox' value=TRUE />

    Thoughts??



    PHP Code:
    if (isset($_POST['selectAll']) && !empty($_POST['selectAll']) && $_POST['selectAll'] == '1') { 
    Most people tend to omit the second of these tests.
    I don't follow the logic here.

    If something is "set" then it surely cannot be "empty"?!


    But we can now do:

    PHP Code:
    if ($_POST['selectAll'] && $_POST['selectAll'] == '1') { 
    where the first expression says, effectively, "it exists and has a value"; that is, a value other than a falsy-value.
    Okay, but that is basically the same as my original post...


    If $_POST['selectAll'] == 1, then it surely is not "empty" as in my OP, and it also surely has a value as in your suggestion above, right?

    So what value does having either !empty($_POST['selectAll']) or $_POST['selectAll'] really provide?


    (In cases where you are dealing with Form values, I think all of this applies much better, but for a Check-Box in a Form which is basically binary, I don't think you need as much rigour...)


    Debbie

  • #5
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    I think you should make more use of the docs:

    The following things are considered to be empty:

    "" (an empty string)
    0 (0 as an integer)
    0.0 (0 as a float)
    "0" (0 as a string)
    NULL
    FALSE
    array() (an empty array)
    $var; (a variable declared, but without a value)
    for a Check-Box in a Form which is basically binary, I don't think you need as much rigour...
    PHP doesn't know it is a checkbox - it is just a value to PHP, and can be hijacked to embed a malicious script in its value.

    All $_POST data are initially supposed to be (according to the docs) strings. I understand that comparing to 1 rather than '1' will likely work. Personally, I won't make this assumption and I specifically cast to a number if appropriate.

  • #6
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    Code:
    <input name='selectAll' type='checkbox' value='1'>
    I always quote attributes and the closing back-slash / is not required in HTML5.

  • #7
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,075
    Thanks
    26
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by AndrewGSW
    I think you should make more use of the docs:
    I do, but sometimes I get things mixed up. (I didn't realize that something could be "set" and be "empty"...)


    PHP doesn't know it is a checkbox - it is just a value to PHP, and can be hijacked to embed a malicious script in its value.
    But in this code, I don't see how checking for a value other than '1' or empty really adds any value...
    PHP Code:
        if ($_POST['selectAll'] == 1){
            // All Messages Selected.
            $updateMsgArray = $_POST['msgArray'];

        }elseif ($_POST['selectedMsgArray']){
            // Some Messages Selected.
            $updateMsgArray = $_POST['selectedMsgArray'];

        }else{
            // No Messages Selected.
            $error = 'Please choose a Message(s) to update.';

        }
    I think this particular code is pretty tight and covers all cases where a hacker hacked my Form submission, right?

    But in other situations, I think your extra checks make more sense.


    All $_POST data are initially supposed to be (according to the docs) strings. I understand that comparing to 1 rather than '1' will likely work. Personally, I won't make this assumption and I specifically cast to a number if appropriate.
    Where do you cast?

    Do you have to do that in the PHP that handles the Form *after* it is submitted?


    Debbie

  • #8
    Senior Coder
    Join Date
    Apr 2011
    Location
    London, England
    Posts
    2,120
    Thanks
    15
    Thanked 354 Times in 353 Posts
    PHP Code:
    if ($_POST['selectAll'] == 1) { 
    There is nothing wrong with this I suppose, I just have my own personal preferences. You asked the question..

    I typically might use code like the following to check and perform a cast:

    PHP Code:
    if (isset($_POST['myNumber']) && is_numeric($_POST['myNumber'])) {
        $theNumber = intval($_POST['myNumber'], 10);
    } else {
        echo "Doh!";
    }

    The main thing is to check, and sanitise, post-data (in an appropriate way) and never make assumptions about the type of value you have been sent.

    Once I've checked and sanitised the post data I move them into standard $variables. I know that they are now clean and I will drop any references to $_POST for the rest of the code.

    Of course, the burden is reduced when using prepared statements, but we still want to prevent errors on the page. Errors that might occur if we assume that the value is of a certain type, or, similarly, if we try to INSERT a wrong value-type into our database.

  • #9
    Senior Coder doubledee's Avatar
    Join Date
    Mar 2011
    Location
    Arizona
    Posts
    1,075
    Thanks
    26
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by AndrewGSW
    PHP Code:
    if ($_POST['selectAll'] == 1) { 
    There is nothing wrong with this I suppose, I just have my own personal preferences. You asked the question..

    I typically might use code like the following to check and perform a cast:

    PHP Code:
    if (isset($_POST['myNumber']) && is_numeric($_POST['myNumber'])) {
        $theNumber = intval($_POST['myNumber'], 10);
    } else {
        echo "Doh!";
    }

    The main thing is to check, and sanitise, post-data (in an appropriate way) and never make assumptions about the type of value you have been sent.

    Once I've checked and sanitised the post data I move them into standard $variables. I know that they are now clean and I will drop any references to $_POST for the rest of the code.

    Of course, the burden is reduced when using prepared statements, but we still want to prevent errors on the page. Errors that might occur if we assume that the value is of a certain type, or, similarly, if we try to INSERT a wrong value-type into our database.
    Okay, so then I probably need to add something here...

    In my Form, a User checks the Private Messages that he/she wants to update, and my Form submits an array like this...

    PHP Code:
        <input id='"
                . str2htmlentities($pmID)
                . "' 
    name=selectedMsgArray["
                . str2htmlentities($pmID)
                . "
    type='checkbox' value=/> 

    When my form is submitted, I assign the array to a variable like this...

    PHP Code:
        $updateMsgArray = $_POST['selectedMsgArray'];

    Then I have my update query like this...

    PHP Code:
        foreach($updateMsgArray as $msgID => $msgValue){
            // Build query.
            $q1 = "UPDATE private_msg_recipient
                    SET read_on = NULL,
                        updated_on = NOW()
                    WHERE member_id_to = ?
                    AND message_id = ?";

            // Prepare statement.
            $stmt1 = mysqli_prepare($dbc, $q1);

            // Bind variables to query.
            mysqli_stmt_bind_param($stmt1, 'ii', $sessMemberID, $msgID);

    I suppose a hacker could mess with the keys in my $updateMsgArray and thus cause issues with the query above...

    So how would I check the keys in this array and ensure they are legitimate?!

    Thanks,


    Debbie
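
    Added example, not part of the thread or any poster's code: one way to handle both points discussed above, the strict check of the selectAll checkbox and the validation of the selectedMsgArray keys before they reach the query. The function names checkbox_checked and selected_message_ids and the sample inputs are hypothetical.

```php
<?php
declare(strict_types=1);

// True only when the field is present and is exactly the string '1'.
// A missing field (unchecked box), an array, or '1abc' counts as not checked.
function checkbox_checked(array $post, string $name): bool
{
    return isset($post[$name]) && $post[$name] === '1';
}

// Returns the submitted keys as positive integers, or null when the field
// is missing, is not an array, or any key is not a plain integer ID.
function selected_message_ids(array $post, string $name): ?array
{
    if (!isset($post[$name]) || !is_array($post[$name])) {
        return null;
    }
    $ids = [];
    foreach (array_keys($post[$name]) as $key) {
        $id = filter_var($key, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null; // reject the whole submission, do not skip one key
        }
        $ids[] = $id;
    }
    return $ids;
}

// Constructed sample inputs standing in for $_POST (not from the thread).
$samples = [
    'normal form'    => ['selectedMsgArray' => ['15' => '1', '22' => '1']],
    'select all'     => ['selectAll' => '1'],
    'trailing junk'  => ['selectAll' => '1abc'],
    'array for flag' => ['selectAll' => ['1']],
    'tampered key'   => ['selectedMsgArray' => ['15x' => '1']],
    'scalar field'   => ['selectedMsgArray' => 'x'],
];
foreach ($samples as $label => $post) {
    printf("%-15s selectAll=%s ids=%s\n", $label,
        var_export(checkbox_checked($post, 'selectAll'), true),
        json_encode(selected_message_ids($post, 'selectedMsgArray')));
}
```

    Key validation only guarantees that each ID is a well-formed positive integer. The `member_id_to = ?` condition bound to `$sessMemberID` in the query above is what restricts the update to the logged-in member's own messages.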

