MySQL & PHP - select/option lists and showing data to users that still allows me to generate queries

StackOverflow https://stackoverflow.com/questions/2541643

  •  23-09-2019
  •  | 
  •  

Question

Sorry for the unclear title, an example will clear things up:

TABLE: Scenario_victories

ID  scenid        timestamp      userid side    playdate
1   RtBr001   2010-03-15 17:13:36   7     1     2010-03-10
2   RtBr001   2010-03-15 17:13:36   7     1     2010-03-10
3   RtBr001   2010-03-15 17:13:51   7     2     2010-03-10

ID and timestamp are auto-insertions by the database when the other 4 fields are added.

The first thing to note is that a user can record multiple playings of the same scenario (scenid) on the same date (playdate) possibly with the same outcome (side = winner). Hence the need for the unique ID and timestamps for good measure.

Now, on their user page, I'm displaying their recorded play history in a <select><option>... list form with 2 buttons at the end - Delete Record and Go to Scenario

My script takes the scenid and after hitting a few other tables returns with something more user-friendly like:

  (playdate)   (from scenid)        (from side)
#########################################################
# 2010-03-10  Road to Berlin #1 -- Germany, Hungary won #
# 2010-03-10  Road to Berlin #1 -- Germany, Hungary won #
# 2010-03-10  Road to Berlin #1 -- Soviet Union won     #
#########################################################
     [Delete Record]              [Go To Scenario]

in HTML:

<select name="history" size=3>
  <option>2010-03-10  Road to Berlin #1 -- Germany, Hungary won</option>
  <option>2010-03-10  Road to Berlin #1 -- Germany, Hungary won</option>
  <option>2010-03-10  Road to Berlin #1 -- Soviet Union won</option>
</select>

Now, if you were to highlight the first record and click Go to Scenario there is enough information there for me to parse it and produce the exact scenario you want to see. However, if you were to select Delete Record there is not - I have the playdate and I can parse the scenid and side from what's listed, but in this example all three records would have the same result.

I appear to have painted myself into a corner. Does anyone have a suggestion as to how I can get some unique identifying data (ID and/or timestamp) to ride along on this form without showing it to the user?

PHP-only please, I must be NoScript compliant!

Was it helpful?

Solution

You can set a value attribute on your options, and make it contain the ID (which is unique) of your data :

<select name="history" size=3>
  <option value="1">2010-03-10  Road to Berlin #1 -- Germany, Hungary won</option>
  <option value="2">2010-03-10  Road to Berlin #1 -- Germany, Hungary won</option>
  <option value="3">2010-03-10  Road to Berlin #1 -- Soviet Union won</option>
</select>

Then, when receiving the data that's been posted, $_POST['history'] will contain the ID that correspond to the entry choosen by the user.

And, as this ID is unique, you can use to identify, without any doubt, your data.


The content of the value attribute, when set, is passed to the server when the form is submitted -- it's not displayed to the user.

When no value is set for an option, the browser will pass the content of that option to the server, when the form is submitted -- which is what you were getting.

As a sidenote : as with everything submitted from a user, you must check that the value received for $_POST['history'] is valid, safe, and all that -- it should be an integer, it should be one one the values the user can access, ...

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top