
I have a webpage in which users select whether they are either available (=1) (beschikbaar) or unavailable (=0) on certain dates, which are provided in a list.

I'm using radio buttons to make sure users can't select available AND unavailable for the same date. As long as users actually enter whether they're available or not, the code works fine. My problem occurs when the users don't enter anything: then, because of the hidden field, all empty dates in the list are sent to the database with value 0.

I need the hidden field to make sure the user entries and dates are actually matched, but it seems to be the cause of the aforementioned issue. Could somebody shed light on what I might do to solve this?

The code:

<?php
if (isset($_POST['beschikbaarheid'])) {
    mysql_connect("localhost", "****", "****") or die("cannot connect to server");
    mysql_select_db("****") or die("cannot select db");

    $UserID = $_POST['UserID'];
    $Datum  = $_POST['Datum'];

    foreach ($Datum as $date) {
        // key of the radio group that belongs to this date, e.g. 020614
        $index = strftime('%d%m%y', strtotime($date));
        // a date for which no radio button was selected also ends up as 0 here
        $beschikbaarheid = (isset($_POST['beschikbaarheid'][$index]) && ($_POST['beschikbaarheid'][$index] == 1)) ? 1 : 0;
        // NB: $UserID, $date and $beschikbaarheid are interpolated straight into the SQL string (see the comments below)
        mysql_query("INSERT INTO `Werkdagen` (`UserID`, `Datum`, `bevestigd`, `invuldatum`, `beschikbaarheid`) VALUES ('$UserID', '$date', FALSE, NOW(), '$beschikbaarheid')");
    }
}

-

<?php
setlocale(LC_TIME, 'dutch');
date_default_timezone_set("Europe/Amsterdam");

$two  = strtotime('+1 weeks');
$date = time();
while ($date <= $two) {
    $key = strftime('%d%m%y', $date);   // links the radio group to the hidden date field
    echo "<li class='" . strftime('%A', $date) . "'>"
       . "<input name='Datum[]' type='hidden' id='" . strftime('%A %e %B %Y', $date) . "' value='" . strftime('%Y-%m-%d', $date) . "'>"
       . "<input name='beschikbaarheid[" . $key . "]' type='radio' value='1'>"
       . "<input name='beschikbaarheid[" . $key . "]' type='radio' value='0'>"
       . strftime('%A %e %B %Y', $date)
       . "</li>";
    $date += 86400;
}

  • Either start with one pre-selected or use some validation to make sure they check at least one of them. – Jim May 30 '14 at 17:58
  • **Building SQL statements with outside variables makes your code vulnerable to SQL injection attacks.** Also, any input data with single quotes in it, like "O'Malley", will blow up your query. Learn about parametrized queries, preferably with the PDO module, to protect your web app. [This question](http://stackoverflow.com/questions/60174) has many detailed examples. See also http://bobby-tables.com/php for alternatives & explanation of the danger. **Running SQL statements built with outside data is like eating soup made from ingredients found on your doorstep.** – Andy Lester May 30 '14 at 17:59
  • As Lester said, generate the SQL statement with inside data through a condition based on outside data; that way you get control over what goes into the query. And sanitize all the inputs prior to MySQL insertion if you have to use outside data. – Tim Zhukov-Khovanskiy May 30 '14 at 18:05

1 Answer

First I would sanitize the input, even though it is a radio button. In Chrome I could enter all sorts of nasty things as radio button values and send them over to the database. And maybe drop it.

I feel your default values are set to 0, meaning unavailable. I would do the following:

Have the form's radio buttons use A or U as the value for available or unavailable. Then, server side, filter for A or U, and if you get a zero you know the field was not entered.

<input type="radio" id="r1a" name="rate" value="A"><label for="r1a">Available</label>
<input type="radio" id="r1u" name="rate" value="U"><label for="r1u">Unavailable</label>

Then server side you will have

if (!isset($_POST['rate'])) { /* untouched entry field, something wrong */ }
elseif ($_POST['rate'] == "A") { /* set available */ }
elseif ($_POST['rate'] == "U") { /* set unavailable */ }
else { /* a value the form never offered: reject it */ }

Is this what you're trying to do? Filter out selected entries vs untouched ones?
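The question's INSERT and the A/U check above both leave two things open: how to store nothing at all for a date the user never touched, and how to keep submitted values out of the SQL text, which the comments on the question point out. The following is an added example that does both; it is not code from the question or the answer. It keeps the form's Datum[] and beschikbaarheid[ddmmyy] field names, but assumes a PDO connection (demonstrated against an in-memory SQLite database rather than the question's MySQL server), a user id taken from the session instead of a hidden field, and a constructed $_POST sample.

```php
<?php
// Added example, not code from the question or the answer above. It keeps the
// Datum[] / beschikbaarheid[<ddmmyy>] layout of the question's form and shows:
//   1. a date whose radio button was never clicked is skipped instead of being
//      stored as beschikbaarheid = 0, and only the values the form offers are accepted;
//   2. the INSERT is a PDO prepared statement, so no submitted value is ever
//      spliced into the SQL text.
// Assumptions: the user id comes from the session (not a hidden field), the demo
// runs against an in-memory SQLite database instead of MySQL, and $samplePost
// below is a constructed sample submission.
declare(strict_types=1);

date_default_timezone_set('Europe/Amsterdam');

/**
 * Validate the submitted form. Returns ['rows' => [date => 0|1],
 * 'unanswered' => [date, ...]]; malformed hidden date fields are dropped.
 */
function parseAvailability(array $post): array
{
    $rows = [];
    $unanswered = [];
    $choices = $post['beschikbaarheid'] ?? [];
    if (!is_array($choices)) {
        $choices = [];
    }

    foreach ($post['Datum'] ?? [] as $date) {
        // The hidden field is user-controlled too: accept only YYYY-MM-DD.
        if (!is_string($date) || !preg_match('/^\d{4}-\d{2}-\d{2}$/', $date)) {
            continue;
        }
        $ts = strtotime($date);
        if ($ts === false) {
            continue;
        }
        $index = date('dmy', $ts);          // key of this date's radio group, e.g. 020614

        // No radio button chosen for this date: store nothing for it.
        if (!isset($choices[$index])) {
            $unanswered[] = $date;
            continue;
        }
        // Only the two values the form offers; anything else was edited in the browser.
        if ($choices[$index] !== '0' && $choices[$index] !== '1') {
            $unanswered[] = $date;
            continue;
        }
        $rows[$date] = (int) $choices[$index];
    }
    return ['rows' => $rows, 'unanswered' => $unanswered];
}

/** Insert the validated rows with bound parameters; returns the number inserted. */
function storeAvailability(PDO $pdo, int $userId, array $rows): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO Werkdagen (UserID, Datum, bevestigd, invuldatum, beschikbaarheid)
         VALUES (:uid, :datum, 0, CURRENT_TIMESTAMP, :beschikbaar)'
    );
    foreach ($rows as $date => $available) {
        $stmt->execute([':uid' => $userId, ':datum' => $date, ':beschikbaar' => $available]);
    }
    return count($rows);
}

// --- demo (assumed in-memory SQLite schema mirroring the question's table) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE Werkdagen (UserID INTEGER, Datum TEXT, bevestigd INTEGER,
            invuldatum TEXT, beschikbaarheid INTEGER)');

// Constructed sample: available on 2 June, unavailable on 3 June, 4 June left
// untouched, 5 June with a value the form never offers, and one tampered date.
$samplePost = [
    'Datum' => ['2014-06-02', '2014-06-03', '2014-06-04', '2014-06-05',
                "2014-06-06'); DROP TABLE Werkdagen; --"],
    'beschikbaarheid' => ['020614' => '1', '030614' => '0', '050614' => 'yes'],
];

$result = parseAvailability($samplePost);
$stored = storeAvailability($pdo, 42, $result['rows']);   // 42: user id from the session (assumed)

printf("stored %d row(s); unanswered: %s\n", $stored, implode(', ', $result['unanswered']));
foreach ($pdo->query('SELECT Datum, beschikbaarheid FROM Werkdagen') as $row) {
    printf("  %s -> %d\n", $row['Datum'], $row['beschikbaarheid']);
}
```

Two design points carry over to the question's MySQL setup unchanged: the hidden date field is validated with the same strictness as the radio value, because both arrive from the client, and the dates in `unanswered` are what the page should send back to the user for completion rather than silently writing 0 for them.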