[thelist] Re: PHP: Adding controls on the fly

shawn allen shawn at alterior.net
Tue Dec 31 15:39:02 CST 2002


quoth Tony Light:
> On  Mon, 30 Dec 2002, Atul wrote:
>
> <><><>><><><><><>><><><>><><><><><><><><><><><>
> I am trying to add controls (input tag) to an HTML form on the fly in PHP.
> During all this control addition, I also have to keep the existing
> information in the form flowing through it. There are several mundane
> approaches to do that. I was wondering if someone else has encountered this
> problem. I know this can be achieved easily using Java Servlets. What is the
> most effective way to accomplish this in PHP?
> <><><>><><><><><>><><><>><><><><><><><><><><><>
>
*snip*
>
> <?php
>  extract($_POST); // (or $HTTP_POST_VARS in older versions) in case register_globals is off
> ?>
> <form name="form1" method="post" action="">
>  <input type="text" name="textfield" value="<?php echo $textfield ?>">
*snip*
> </form>
>
>
> This code works - but it is probably what you had in mind when you
> talked about there being 'several mundane approaches' to solving this
> problem.

Yeah, that's a bit of a headache to maintain. You'd be much better off
building a set of functions (or a class with methods; whichever you're
more comfortable with) that returns HTML inputs, and checks for values
in $_REQUEST ($_POST is probably more appropriate) matching the inputs'
name and/or id attribute. An oversimplified example:

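function input_text($name, $value='')
{
    // Prefer the submitted value, falling back to the supplied default.
    $current = isset($_REQUEST[$name]) ? $_REQUEST[$name] : $value;
    // Both name and value land inside HTML attributes, so escape them.
    return '<input type="text" name="' . htmlspecialchars($name, ENT_QUOTES) . '"' .
           ' value="' . htmlspecialchars($current, ENT_QUOTES) .
           '" />';
}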

You'll obviously need to do some more work if $name takes the array form
("foo[bar]"). I've done this in the past using eval():

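function get_variable_value($name, $parent='_REQUEST')
{
    // preg_match() returns a match count; the captures arrive in $m.
    // "foo[bar]" splits into the top-level key "foo" and the rest "[bar]".
    if (!preg_match('/^(\w+)(\W.*)?$/', $name, $m))
        return NULL;
    $top = $m[1];
    $path = isset($m[2]) ? $m[2] : '';
    if ($path)
        $path = str_replace(array('[', ']'), array("['", "']"), $path);
    $var_name = sprintf('$%s[\'%s\']%s', $parent, $top, $path);
    // $name reaches eval() unvalidated here; check it before calling this.
    return eval("return isset($var_name) ? $var_name : NULL;");
}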

You'll definitely want to do some checking for valid variable names
before passing stuff through to eval... since we're on the topic of
security:

> Btw - extracting $_POST is not the most security conscious thing to
> do, but whether or not it is a problem for you depends on the
> application and is your call.

Yes, you should *not* do this unless you're able to contain the scope of
the "extracted" symbols (like, in a function).

> When I said 'this code works' - one exception that I know of is:
> <input type="file"> tags in IE and Netscape will not accept a value
> attribute.  Opera will.  I don't know how to get IE or Netscape to
> populate this tag.

You can't: it's another security issue. Imagine a page that sets the
default for a file input to "/etc/passwd" on a UNIX box, along with an
onmousedown handler on the body that submits the hidden form...

One solution to consider is storing the uploaded file in a temporary
directory (such as /tmp), then providing the user with radio buttons to
select either 1) a previously uploaded file (a select element which
defaults to the last uploaded file), or 2) a new file (with a single
file input).

HTH,
--
shawn allen
  mailto://shawn@alterior.net
  phone://415.577.3961
  http://alterior.net
  aim://shawnpallen
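
An eval()-free way to resolve array-style names such as "foo[bar]" and escape the result for output, as an added example that is not part of the original post. The function names lookup_field_value and safe_input_text and the sample data are hypothetical.

```php
<?php
// Added example, not from the original post. Function names are hypothetical.

/**
 * Resolve a form field name such as "foo" or "foo[bar][0]" against an array
 * (for example $_POST) without eval(). Returns null if the name is malformed
 * or the path does not exist.
 */
function lookup_field_value($name, array $source)
{
    // Accept only word-character keys: foo, foo[bar], foo[bar][0].
    // Quotes, semicolons, empty brackets and trailing newlines are rejected.
    if (!preg_match('/^\w+(\[\w+\])*$/D', $name)) {
        return null;
    }
    // "foo[bar][0]" -> array('foo', 'bar', '0')
    $keys = preg_split('/[\[\]]+/', $name, -1, PREG_SPLIT_NO_EMPTY);
    $value = $source;
    foreach ($keys as $key) {
        if (!is_array($value) || !array_key_exists($key, $value)) {
            return null;
        }
        $value = $value[$key];
    }
    return $value;
}

function safe_input_text($name, $default = '', $source = null)
{
    if ($source === null) {
        $source = $_POST;
    }
    $value = lookup_field_value($name, $source);
    if (!is_scalar($value)) {   // missing, malformed name, or a nested array
        $value = $default;
    }
    // Name and value both land inside attributes, so both are escaped.
    return sprintf('<input type="text" name="%s" value="%s" />',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample data standing in for a submitted form.
$post = array('user' => array('name' => 'Ann "A" <b>'), 'q' => 'x');
echo safe_input_text('user[name]', '', $post), "\n";   // nested value, escaped
echo safe_input_text("q']['x", 'fallback', $post), "\n"; // malformed name, default used
```

Because the name is matched against a fixed pattern and then walked key by key, nothing from the request is ever interpreted as PHP source.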



