Hi, apologies if I'm missing something obvious...

I am dynamically generating lists in PHP, each of which needs to be sortable and save the new order back to MySQL via an Ajax call.

All the parts are in place, apart from I cannot work out how to avoid using a hard-coded element id in the PHP code to loop through the array - it needs to be dynamically passed in.

So... the code builds a series of <ul> with unique ids and then:

    <script type="text/javascript">
    var list = frmEditShopList.getElementsByTagName('ul');
    for (var i = 0; i < list.length; i++) {
        Sortable.create(list[i].id, {dropOnEmpty: true, constraint: false, onUpdate: updateOrder});
    }
    </script>

handles the variable number of Sortable.create calls. I then make the Ajax call to a PHP page:

    function updateOrder(list) {
        var url = '/common/script/update-order.php';
        var params = Sortable.serialize(list.id);
        var ajax = new Ajax.Request(url, {method: 'post', parameters: params});
    }

and this is the bit I'm stuck with. I have done this before with a single list:

    $order = 1;
    foreach ($_POST['list'] as $itemid) {
        $sql = "UPDATE shop_items SET item_order = $order WHERE pkShopItemID = $itemid";
        $result = do_query($sql);
        $order++;
    }

but how can I replace the $_POST['list'] with a dynamic element id? Is there a parameter to the Ajax object that can store the id of the submitted element?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group.
To post to this group, send email to rubyonrails-spinoffs-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-spinoffs-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---
rubhadubh wrote:
> I then make the Ajax call to a PHP page:
>
>     function updateOrder(list) {
>         var url = '/common/script/update-order.php';
>         var params = Sortable.serialize(list.id);
>         var ajax = new Ajax.Request(url, {method: 'post', parameters: params});
>     }

Just pass the id of your list as one of the params:

    function updateOrder(list) {
        var url = '/common/script/update-order.php';
        var params = Sortable.serialize(list.id);
        params = params + '&list_id=' + list.id;
        var ajax = new Ajax.Request(url, {method: 'post', parameters: params});
    }

> and this is the bit I'm stuck with. I have done this before with a single list:
>
>     $order = 1;
>     foreach ($_POST['list'] as $itemid) {
>         $sql = "UPDATE shop_items SET item_order = $order WHERE pkShopItemID = $itemid";
>         $result = do_query($sql);
>         $order++;
>     }

And then grab the list like so:

    foreach ($_POST[$_POST['list_id']] as $itemid) {
        ...
    }

Btw, I hope your real PHP code doesn't look like that wrt the SQL generation. That's a classic SQL injection attack waiting to happen.

--
Michael Peters
Developer
Plus Three, LP
Thanks, I just sorted the problem using the 'name' parameter of the serialize object too. So the line becomes:

    Sortable.serialize(list.id, {name: 'list'});

and

    $_POST['list']

Seems to have done the trick.

WRT SQL injection attack, yes, I would normally wrap the inputs in a function that strips out any illegal characters - it would be distracting in my posted example though. Is that the sort of thing you had in mind?

Cheers.

On Apr 16, 5:59 pm, Michael Peters <mpet...-aUYv5hkjw45l57MIdRCFDg@public.gmane.org> wrote:
> Just pass the id of your list as one of the params:
> [...]
> Btw, I hope your real PHP code doesn't look like that wrt the SQL generation. That's a classic SQL injection attack waiting to happen.
>
> --
> Michael Peters
> Developer
> Plus Three, LP
rubhadubh wrote:
> Thanks, I just sorted the problem using the 'name' parameter of the serialize object too. So the line becomes:
>
>     Sortable.serialize(list.id, {name: 'list'});
>
> and
>
>     $_POST['list']

Yeah, that works too and is probably cleaner here with sortables.

> Seems to have done the trick.
>
> WRT SQL injection attack, yes, I would normally wrap the inputs in a function that strips out any illegal characters - it would be distracting in my posted example though. Is that the sort of thing you had in mind?

In this case, since a sortable returns a pretty defined set of things, input manipulation is passable. Although you should never try to strip out offending characters. Instead you should only allow legitimate characters. But that only works in cases where the input is strictly defined. If you switch to using bind params in your SQL then you have a solution that works in all cases. I'm not sure about the specifics of how to do this in PHP (I'm a Perl guy) but the concept should be basically the same.

--
Michael Peters
Developer
Plus Three, LP
A bit off-topic, but...

If you're using PHP 5.1+, I'd suggest the PDO library. It's straightforward, and widely used as a core part of PHP.

http://www.php.net/manual/en/ref.pdo.php
http://www.php.net/manual/en/function.PDO-prepare.php

If you need something a bit more backward compatible, there are several with varying purposes/feature sets. ADODB is pretty straightforward, easy to use, and seems to be well received by developers. It's certainly much easier than the "pre-PDO" way of doing things; it has some good convenience methods too.

http://adodb.sourceforge.net/
http://phplens.com/lens/adodb/docs-adodb.htm

One of my developers used Creole in the past at another company, and had good things to say.

http://creole.phpdb.org/trac/

TAG

On Apr 16, 2007, at 11:17 AM, Michael Peters wrote:
> rubhadubh wrote:
>> WRT SQL injection attack, yes, I would normally wrap the inputs in a function that strips out any illegal characters - it would be distracting in my posted example though. Is that the sort of thing you had in mind?
>
> In this case, since a sortable returns a pretty defined set of things, input manipulation is passable. Although you should never try to strip out offending characters. Instead you should only allow legitimate characters. But that only works in cases where the input is strictly defined. If you switch to using bind params in your SQL then you have a solution that works in all cases. I'm not sure about the specifics of how to do this in PHP (I'm a Perl guy) but the concept should be basically the same.
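As an added example (not code from anyone in this thread), here is what update-order.php could look like with the bind params Michael recommends and the PDO library TAG points to, handling what Sortable.serialize(list.id, {name:'list'}) posts (list[]=12&list[]=7&...). It assumes PHP 7+ and the table and column names from the thread; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the thread's own code: update-order.php using PDO prepared
// statements (bind params) instead of string-built SQL. Handles what
// Sortable.serialize(list.id, {name:'list'}) posts: list[]=12&list[]=7&...
// Assumes PHP 7+; the DSN and credentials below are placeholders.
declare(strict_types=1);
function connect(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER', 'DB_USER', 'DB_PASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}
// Allow-list, do not strip: each item id must be a plain positive decimal integer.
// Anything else rejects the whole request instead of being "cleaned up".
function validateItemIds($raw): array {
    if (!is_array($raw) || $raw === []) {
        throw new InvalidArgumentException('list must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) || !ctype_digit($value) || $value === '0') {
            throw new InvalidArgumentException('item id must be a positive integer');
        }
        $ids[] = (int) $value;
    }
    return $ids;
}
// One prepared statement, run once per item inside a transaction so a
// half-applied reorder is never left behind if an update fails.
function saveOrder(PDO $pdo, array $ids): void {
    $stmt = $pdo->prepare('UPDATE shop_items SET item_order = :ord WHERE pkShopItemID = :id');
    $pdo->beginTransaction();
    try {
        foreach ($ids as $position => $id) {
            $stmt->bindValue(':ord', $position + 1, PDO::PARAM_INT);
            $stmt->bindValue(':id', $id, PDO::PARAM_INT);
            $stmt->execute();
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
}
try {
    saveOrder(connect(), validateItemIds($_POST['list'] ?? null));
    http_response_code(204); // success; Ajax.Request needs no body
} catch (InvalidArgumentException $e) {
    http_response_code(400);
}
```

The same validate-then-bind pattern covers Michael's list_id variant: check $_POST['list_id'] against the set of list ids the page actually rendered before using it as an array key.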