[RESOLVED] ForEach error

Printable View

Jun 14th, 2007, 11:09 PM
dclamp

[RESOLVED] ForEach error

i am using a foreach to delete messages according to their id, stored in an array. It is from a form checkbox called "delete". Here is my code:

PHP Code:

$delete = array(); $delete = $_POST['delete']; foreach($delete as $messid) { //$delete1 is a $_GET... if ($delete1!="delete") { #MOVE TO TRASH CAN $sql = "UPDATE `messages` SET folder='trash' WHERE mess_id='$messid'"; $query = mysql_query($sql); echo "Messages Was Sent To Trash Can!"; } else { #DELETE MESSAGE $sql = "DELETE FROM `messages` WHERE mess_id='$messid'"; $query = mysql_query($sql); echo "Message Was Deleted!"; } }

i have also tried:

PHP Code:

$delete = array($_POST['delete'];

the error is:

Code:

Warning: Invalid argument supplied for foreach() in /home/jphendr/public_html/includes/delete_message.php on line 26

Line 26 is where foreach() is.
Jun 15th, 2007, 01:31 AM
visualAd

Re: ForEach error

$_POST['delete'] is not an array. This is why you get the warning. Use print_r to check the variable is an array.

You are NOT escaping your variables before insetring them into SQL queries. I am sure I have mentioned the importance of this to you before.
Jun 15th, 2007, 09:59 AM
dclamp

Re: ForEach error

i was using {} then i sent it to my friend to see if he could fix it and he sent it back like that. I forgot to put back the {}.

If i select 2 checkboxes, and I use Print_r is only shows one of the selected checkboxes

EDIT:

can you only have one number in an array?
Jun 15th, 2007, 10:10 AM
dclamp

Re: ForEach error

ah i fixed it!

on the form the checkbox was named "delete[]" and i was doing $_POST['delete[]'] instead of $_POST['delete']

problem solved :)
Jun 15th, 2007, 10:23 AM
penagate

Re: [RESOLVED] ForEach error

Quote:

Originally Posted by dclamp

i was using {} then i sent it to my friend to see if he could fix it and he sent it back like that. I forgot to put back the {}.

You are still not escaping the variable contents in any case. If someone sent a POST request with a value like "' OR true" they could delete all the records in the table. You must at least escape the data and should really use parameterised queries (using a data access library such as mysqli, MDB2 or PDO).

If you are relying on magic quotes to escape the POST data for you then that is another problem which will cause you other issues. Magic quotes should always be off.