ALLOWING VISITOR TO SET WHERE VALUES FROM MASTER VALUES LIST - Feb 15th, 2013


For this example I wanted my client to be able to filter the Exhibition records displayed by choosing possible
project_title 'where' values from a pre-determined list of Exhibition titles. This would ensure that all the requests
were consistent when filtering the records to be shown, and would keep all the possible values in a CMSB table, instead
of needing to hard code them into the viewer code.

I also wanted to make sure that I was not creating a security risk as described by Dave Edis from Interactive Tools, who
said:

"By passing a letter (or word or code, it doesn't matter) and testing for that instead of just specifying the order by in the option value directly, you won't allow users to pass MySQL directly into your program and create a security risk."

To accomplish this task, I created a multi-record editor called master_exhibition_list which has only one text field
called title. This way each allowed Title was in its own record.

Then in the head of my viewer, (with a lot of help from Jason Sauchuck from Interactive Tools), I inserted the following
code:


<?php
// Load every allowed title from the master list table
list($master_exhibition_listRecords, $master_exhibition_listMetaData) = getRecords(array(
  'tableName' => 'master_exhibition_list',
));

// Map each record number to its title; the number is the only thing the form submits
$numToName = array();
foreach ($master_exhibition_listRecords as $record) {
  $numToName[$record['num']] = $record['title'];
}

// Only a submitted number that matches a master list record yields a title;
// anything else (no selection, unknown number, arbitrary text) leaves $where empty
$where = "";
if (isset($FORM['where']) && isset($numToName[$FORM['where']])) {
  $where = $numToName[$FORM['where']];
}

// Filter client_uploads by the title looked up above, never by the raw form value.
// mysql_escape() is CMS Builder's escaping helper, so a title containing a quote
// (e.g. "Artist's Choice") cannot break the where clause
list($client_uploadsRecords, $client_uploadsMetaData) = getRecords(array(
  'tableName' => 'client_uploads',
  'where'     => "project_title = '" . mysql_escape($where) . "'",
));
?>


Then for the form that selects the values (again with a lot of help from Jason) I used:



<form method="POST" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">

<!-- option values are master list record numbers; the visitor never submits a title or SQL -->
<select name="where">
<option value="">Select</option>
<?php foreach ($numToName as $num => $name): ?>
<option value="<?php echo htmlspecialchars($num); ?>"><?php echo htmlspecialchars($name); ?></option>
<?php endforeach; ?>
</select>

<input type="submit" name="submit" value="Select An Exhibition And Click To View">
</form>
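To show the whole lookup pattern running end to end outside of CMS Builder, here is an added example (my own code, not from the original post and not part of CMS Builder). It stands in plain PHP with an in-memory SQLite database for the two CMSB tables: the master list is a constructed array, the client_uploads table and its columns are assumed, and the query uses a bound parameter in place of getRecords(). It also covers the case the viewer code above has to handle carefully, a title containing a single quote.

```php
<?php
// Added example: the num -> title indirection from the viewer, run against
// plain PHP + SQLite (PDO) so it works without CMS Builder.
// Table/column names below are assumed to mirror the post's tables.

// Constructed sample data standing in for the master_exhibition_list records.
$masterList = array(
    array('num' => 1, 'title' => "Spring Show 2012"),
    array('num' => 2, 'title' => "Artist's Choice"),   // title contains a quote
    array('num' => 3, 'title' => "Winter Salon"),
);

// Build the num => title map exactly as the viewer does.
function buildNumToName(array $records) {
    $map = array();
    foreach ($records as $record) {
        $map[$record['num']] = $record['title'];
    }
    return $map;
}

// Resolve what the visitor submitted to a title from the master list.
// Anything that is not a known record number resolves to null, so the
// submitted text itself never reaches the query.
function resolveTitle(array $numToName, $submitted) {
    if (!is_string($submitted) || !preg_match('/^\d+$/', $submitted)) {
        return null;
    }
    $num = (int)$submitted;
    return isset($numToName[$num]) ? $numToName[$num] : null;
}

// Constructed in-memory table standing in for client_uploads.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE client_uploads (num INTEGER PRIMARY KEY, project_title TEXT, filename TEXT)");
$insert = $db->prepare("INSERT INTO client_uploads (project_title, filename) VALUES (?, ?)");
foreach (array(
    array("Spring Show 2012", "spring1.jpg"),
    array("Artist's Choice",  "choice1.jpg"),
    array("Artist's Choice",  "choice2.jpg"),
) as $row) {
    $insert->execute($row);
}

// Run the filtered query with a bound parameter: the title is data, not SQL,
// so the quote in "Artist's Choice" is handled by the driver.
function fetchUploads(PDO $db, array $numToName, $submitted) {
    $title = resolveTitle($numToName, $submitted);
    if ($title === null) {
        return array();   // nothing selected or unknown number: show nothing
    }
    $stmt = $db->prepare("SELECT filename FROM client_uploads WHERE project_title = ?");
    $stmt->execute(array($title));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$numToName = buildNumToName($masterList);
// '2' matches a record; '999' is unknown; a literal title and an empty
// selection are not record numbers and so are ignored.
foreach (array('2', '999', "Spring Show 2012", '') as $input) {
    $files = fetchUploads($db, $numToName, $input);
    printf("%-20s -> %s\n", var_export($input, true),
           $files ? implode(', ', $files) : '(no records)');
}
```

Run it with `php example.php`; only the submission `'2'` returns rows (choice1.jpg, choice2.jpg). The point of the design is that the where clause is built from a value the application already owns, and that value is still passed as a parameter rather than concatenated, which is what keeps a title like "Artist's Choice" from breaking the query.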



