Multiple Page Form

**bld44** · 05-03-2007, 04:09 PM

Need to make a multiple page PHP form here to submit everything into a row in my database. Here's what I've got so far:

Quote:

<?php
session_start();

//mysql connection info removed

$id = $_REQUEST['id'];
switch($id) {

case '1':
echo "
Page 1<br>
<form action='db.php?id=2' method='post'>
<input type='text' name='fname'/>
<input type='submit' name='submit' value='Submit'>
</form>
";
break;

case '2':
$_SESSION['fname'] = $_POST['fname'];

echo "
Page 2<br>
<form action='db.php?id=3' method='post'>
<input type='text' name='lname'/>
<input type='submit' name='submit' value='Submit'>
</form>
";
break;

case '3':
$_SESSION['lname'] = $_POST['lname'];

echo "Page 3.. Confirm Results<br>";
echo $_SESSION['fname'];
echo $_SESSION['lname'];
break;

}

// Then use a query to insert all session values into my DB
?>

There's no way this can be even remotely secure. What can I do to beef it up some?

**nmallare** · 05-03-2007, 05:26 PM

It'd insert into the database after the first submit, and then use UPDATE <tablename> via MySQL to change the rest of the row's entry.

Nick

**bld44** · 05-03-2007, 09:27 PM

True, but isn't there a chance of updating the wrong row?

**nmallare** · 05-03-2007, 09:52 PM

Well, you can do one of two things:

[1] Each step, put an <input type="hidden" ... /> field in each <form></form> block containing the file ID.
[2] Put the file ID right into the address bar <form action="filename.php?file=$fileID ... > ... </form>.

Then, use that to manipulate the right entry in the database.

Nick

**bld44** · 05-03-2007, 09:59 PM

Another concern with using insert/update is partial applications.

Quote:

Well, you can do one of two things:

[1] Each step, put an <input type="hidden" ... /> field in each <form></form> block containing the file ID.
[2] Put the file ID right into the address bar <form action="filename.php?file=$fileID ... > ... </form>.

Then, use that to manipulate the right entry in the database.

Nick

1) Its quite a lengthy form, and that would be way too much code to use hidden inputs.
2) By file ID, you mean the session id associated with that entry? The problem with that is that you could potentially manipulate every entry in the database. If that's not what you meant, then I don't have a clue.. please clarify

**nmallare** · 05-03-2007, 10:06 PM

If you want security, use a hidden input tag .. scratch the "get" idea.

If you don't want to use hidden fields, use sessions. You cannot manipulate a variable using sessions, unless you have access to do $_SESSION['variablename'] == whatever. And for added security, name your <input /> tags differently than your session variables.

Nick

**bld44** · 05-03-2007, 11:14 PM

Ok, great. Thanks.