pahunrepublic Posted July 22, 2010 Share Posted July 22, 2010 Hi everyone! I have a hard time with this one. If anyone can help with this. I am so close to the solution but I guess I'm missing something here. First of all let me give you the whole code: <?php include_once 'dbinfo.php'; if(isset($_POST['kuldes'])) { $name = trim($_POST['nev']); $username = $_POST['felh_nev']; $password = $_POST['jelszo']; $email = $_POST['email']; $phone = $_POST['telefon']; $gender = $_POST['sex']; $hobby = $_POST['hobby']; for($i = 0; $i < count($hobby); $i++) { $h = $hobby[$i];} //MySQL Injection protection $name = strip_tags($name); $name = stripslashes($name); $username = strip_tags($username); $email = strip_tags($email); $phone = strip_tags($phone); //$memip = $_SERVER['REMOTE_ADDR']; $date = date("d-m-Y"); if($name == NULL || $username == NULL || $password == NULL || $email == NULL || $phone == NULL || $gender == NULL) { echo "Please complete the form below or one of the boxes is empty."; } else { if(strlen($username) <= 3 || strlen($username) >= 30){ $final_report.="Your username must be between 3 and 30 characters.."; } else { $select_dbase="SELECT * FROM users WHERE username='$username'"; $result=mysqli_query($connect, $select_dbase); if(mysqli_num_rows($result) != 0) { $final_report.="The username is already in use!"; } else { if(strlen($password) <= 6 || strlen($password) >= 12){ $final_report.="Your password must be between 6 and 12 digits and characters.."; } else { if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){ $final_report.="Your email address was not valid.."; } else { if(!eregi("^[0-9]{1,3}-[0-9]{1,3}-[0-9]{1,10}$",$phone)){ $final_report.="Phone number is invalid. Only numbers with hyphen. Allowed format: countrycode-areacode-phonenumber"; } else { if(!isset($hobby)){$final_report.="Youd didn't select any hobbies";} else { $insert_dbase = 'INSERT INTO users(name,sex,email,phone_number,username,password,hobby) VALUES("' . $name . '","' . $gender . '","' . $email . '", "' . $phone . '","' . $username . '","' . md5($_POST['jelszo']) . '","'. $h .'")';//PHP MYSQl development p.316 mysqli_query($connect,$insert_dbase); header("Location: login_form.php"); exit; }}}}}}}} ?> <h1>Registration Form</h1> <form action="<?php echo $_SERVER['PHP_SELF']; ?>" name="registration_form" method="POST"> <p>Name: <input type="text" name="nev" value="<?php echo (isset($name) ? $name : ''); //ha $name változó meg lett adva akkor írja ki amit beírt ha nem akkor ''?>" size=25></p> <p>Username: <input type="text" name="felh_nev" value="<?php echo (isset($username) ? $username : ''); ?>" size=10></p> <p>Password: <input type="password" name="jelszo" size=10></p> <!--<p>Password again:<input type="password" name="password_confirmation"></p>--> <p>E-mail: <input type="text" name="email" value="<?php echo (isset($email) ? $email : ''); ?>"/></p> <p>Phone number: <input type="text" name="telefon" value="<?php echo (isset($phone) ? $phone : ''); ?>"/></p> <p>Sex: <label><input type="radio" name="sex" value="no">Female</label> <label><input type="radio" name="sex" value="ferfi">Male</label></p> <p>Favorite hobbies (Using CTRL you can select more than one):</p> <select name="hobby[]" size="4" multiple> <option value="sport">Sport</option> <option value="movies">Movies</option> <option value="hiking">Hiking</option> <option value="reading">Reading</option> </select> <!-- <p>Other message:</p> <textarea name="megjegyzes" cols="40"></textarea> <p><input name="reg_felt" type="checkbox" value="elfogad" checked>I accept the terms!</p>--> <p><input name="kuldes" type="submit" value="Submit form"> <input name="reset" type="reset" value="delete"></p> <table width="501" border="1"> <tr> <td><?php echo $final_report; ?></td> </tr> </table> <p> </p> </form> As you can see. It's a registration form. It works except the multi-select box part: $hobby = $_POST['hobby']; for($i = 0; $i < count($hobby); $i++) { $h = $hobby[$i];} <p>Favorite hobbies (Using CTRL you can select more than one):</p> <select name="hobby[]" size="4" multiple> <option value="sport">Sport</option> <option value="movies">Movies</option> <option value="hiking">Hiking</option> <option value="reading">Reading</option> </select> When user select only one hobby it records it in the database without any problem: BUT when user selects more than one hobbies (with CTRL) than in database it records only the first one selected. My question is the following: How can I make it that various hobbies appear in database? I mean it should record not just only one value. In the database in users table the 'hobby' field type is VARCHAR, no null, no attributes, no AUTO_INCREMENT, Quote Link to comment Share on other sites More sharing options...
DavidAM Posted July 22, 2010 Share Posted July 22, 2010 for($i = 0; $i < count($hobby); $i++) { $h = $hobby[$i];} This is replacing the hobby value in $h each time you go through the loop. So you only get the last value in the array. If you are trying to build a comma-delimited list, the easiest way is to get rid of the loop and use implode() $hobby = $_POST['hobby']; $h = implode(',' $hobby); Notice: You are using the $_POST values without any validation or protection. This can leave you open to sql injection attacks as well as possible xss attacks. For SQL protection, look at mysql_real_escape(). For the xss, you need to validate the contents of the fields. Just because you put a SELECT list on the form with the name 'hobby' does not mean that the user submitted something from that list. It is very easy to send something completely unexpected. This applies to ALL input from the browser. Quote Link to comment Share on other sites More sharing options...
pahunrepublic Posted July 22, 2010 Author Share Posted July 22, 2010 Thank you DavidAM. It works. I haven't heard about this implode() function. I was also trying out different alternatives without using this implode(), but with no luck. I used foreach ($hobby as $h){$h = $hobby[$i];} or simply $ h = $hobby[$i]; It just leaves the 'hobby' field empty or puts 'Array' in the field. Also thanx for the notice About protection: As you can see I used some strip_tags() and stripslashes () but it seems not to be enough. I'll check out what I need to put more protection. Quote Link to comment Share on other sites More sharing options...
DavidAM Posted July 22, 2010 Share Posted July 22, 2010 I didn't notice the strip_tags() you had in there. That will help with the xss. But you really need the mysql_real_escape(). The other way to do the loop would be: // Original code for($i = 0; $i < count($hobby); $i++) { $h = $hobby[$i]; } // As I said this REPLACES the value so you end up with the last one // It would be the same as this one line $h = end($hobby); // Correct way $h = ''; // Start with an empty string for($i = 0; $i < count($hobby); $i++) { $h .= $hobby[$i]; } // Or, if you are not sure the indexes are sequential $hList = ''; foreach($hobby as $h) { $hList = $hList . $h; } // The dot-equal operator is the short form -- these two statements are the same $hList = $hList . $h; $hList .= $h; Overall, I think implode is faster and simpler to code. The separation string can be more than one character (or it can be empty): $hobby = array('coding', 'sleeping', 'drinking'); $h = implode(' and ', $hobby); // gives: coding and sleeping and drinking $h = implode('', $hobby); // gives: codingsleepingdrinking Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.