What Values get submitted with this Form?

doubledee · 01-29-2013, 03:41 AM

When the following Form gets submitted...

PHP Code:


			
<fieldset id='requestChoices'>

    <input name='friendRequestDecision[38]' type='hidden' value='0' />



    <input id='Requestor1_1' name='friendRequestDecision[38]' type='radio' value='0' checked='checked' />

    <label for='Requestor1_1'>Decide Later</label>



    <input id='Requestor1_2' name='friendRequestDecision[38]' type='radio' value='1'  />

    <label for='Requestor1_2'>Accept</label>



    <input id='Requestor1_3' name='friendRequestDecision[38]' type='radio' value='2'  />

    <label for='Requestor1_3'>Decline</label>

</fieldset>

1.) What values get returned to my script?

2.) Is the first "hidden" field part of $_POST ?

3.) And is there a conflict between name='friendRequestDecision[38]' in my Hidden Input and in my Regular Inputs?

I put var_dump in my code and got this...

Code:

array
  'friendRequestDecision' => 
    array
      38 => string '1' (length=1)
      1 => string '1' (length=1)
  'submit' => string 'Update Requests' (length=15)

...but it still seems like the Hidden Input might be lingering out there?!

All of these questions are centered around SECURITY and making sure I check for the right values in the right places so that a hacker can't sneak in something bad?!

Sincerely,

Debbie

P.S. When I test the above code, it appears to be working okay as far of what is echoed on the screen and what gets updated in my database, but I figured I better check with the gurus here!!

jalex718 · 01-29-2013, 04:36 AM

When you set your input's name to anything containing [] in it, php picks it up as a mufti dimensional array, causing your output issue, use another delimiter such as varname_23 or you could do this...

PHP Code:


			
<?php
print_r($_POST);
print_r(MultiArrayToSingle($_POST));
function MultiArrayToSingle ($array)
{
    $my_post_vars = array();
    foreach ($array as $key => $value)
    {
        if(is_array($value))
        {
            foreach($value as $k => $v)
            {
                $my_post_vars[$key."_".$k] = $v;    
            }
        }
        else
        {
            $my_post_vars[$key] = $value;    
        }
    }
    return $my_post_vars;
}
?>

here was my result

From the $_POST variable
Array
(
[friendRequestDecision] => Array
(
[38] => 1
)

[button] => Submit
)

After $_POST was ran though my function
Array
(
[friendRequestDecision_38] => 1
[button] => Submit
)

Fou-Lu · 01-29-2013, 02:51 PM

You cannot share the same name with non-toggleable inputs. Radio and checkbox are fine as they require the same name in order to determine successful field groups. The hidden will be overwritten by the radio group following it. See your var dump results, you have selected accept for friendRequestDecision[38] and friendRequestDecision[1].
So to answer your question, yes both get submitted. But only the latter one is successful. I'm not sure why you want that hidden field though; even if no option is selected, it would be presumable that you cannot pass a non-existent id into a query to update. If you cannot do that, than it is implicitly ignored.
So in other words, the hidden input is useless.