[nycphp-talk] print parsing confusion
Brian Kaney
brian at vermonster.com
Fri Apr 14 12:17:36 EDT 2006
Daniel Convissor wrote:
> Hi, uh, whatever your name is:
>
> On Thu, Apr 13, 2006 at 08:58:36AM -0700, Linux Rocks wrote:
>
>>while( $row = mysql_fetch_array( $category ) )
>>{
>> echo( "<tr><td>" . $row['expenses_cat_desc'] .
>> "</td><td><input type=text name=expense_cat" .
>>$row['expenses_cat_number'] . ("</td></tr>");
>>
>>}
>
>
> Your coding style and security practices are abysmal. You need to
> quote the HTML attribute values and escape the database output:
>
> while($row = mysql_fetch_array($category)) {
>     echo '<tr><td>' . htmlspecialchars($row['expenses_cat_desc'])
>        . '</td><td><input type="text" name="expense_cat'
>        . htmlspecialchars($row['expenses_cat_number'])
>        . '" value="" /></td></tr>' . "\n";
> }
>
>
And the markup is not really semantically sound. I hate mixing markup
with code, but you may want to consider:
while($row = mysql_fetch_array($category)) {
    echo '<tr><td><label for="'
       . htmlspecialchars($row['expenses_cat_number'])
       . '">'
       . htmlspecialchars($row['expenses_cat_desc'])
       . '</label>'
       . '</td><td><input type="text" name="expense_cat'
       . htmlspecialchars($row['expenses_cat_number'])
       . '" id="'
       . htmlspecialchars($row['expenses_cat_number'])
       . '" value="" /></td></tr>' . "\n";
}
Or even using a definition list, if you want to be super accessible:
echo '<dl>';
while($row = mysql_fetch_array($category)) {
    echo '<dt><label for="'
       . htmlspecialchars($row['expenses_cat_number'])
       . '">'
       . htmlspecialchars($row['expenses_cat_desc'])
       . '</label>'
       . '</dt><dd><input type="text" name="expense_cat'
       . htmlspecialchars($row['expenses_cat_number'])
       . '" id="'
       . htmlspecialchars($row['expenses_cat_number'])
       . '" value="" /></dd>' . "\n";
}
echo '</dl>';
--
Brian Kaney [ brian at vermonster.com ]
Vermonster LLC. [ http://www.vermonster.com ]
312 Stuart St. 2nd Fl. Boston, MA 02116 US
Direct: +1 617 960-3554
Mobile: +1 617 312-0826
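Daniel's escaping and Brian's label markup combined into one function that can be checked without a database, as an added example that is not from the thread. It assumes the two column names the posters use, passes ENT_QUOTES explicitly, and prefixes the id with the field name because an HTML 4 id must begin with a letter; the sample rows are constructed.

```php
<?php
// Added example, not code from the original thread. Renders one expense
// category row the way the replies above suggest, with every value from the
// database escaped and every attribute double-quoted.
function render_expense_row(array $row): string
{
    // ENT_QUOTES also escapes single quotes; the PHP 5 default (ENT_COMPAT)
    // leaves them alone, which is only safe while attributes are
    // double-quoted, as in Daniel's version.
    $number = htmlspecialchars((string) $row['expenses_cat_number'], ENT_QUOTES, 'UTF-8');
    $desc   = htmlspecialchars((string) $row['expenses_cat_desc'], ENT_QUOTES, 'UTF-8');

    // HTML 4 ids must start with a letter, so a bare number is not a valid id;
    // reuse the field-name prefix for the id as well as the name.
    $id = 'expense_cat' . $number;

    return '<tr><td><label for="' . $id . '">' . $desc . '</label></td>'
         . '<td><input type="text" name="' . $id . '" id="' . $id
         . '" value="" /></td></tr>' . "\n";
}

// Constructed sample rows; the second carries a quote and markup so the
// effect of the escaping is visible in the output.
$rows = [
    ['expenses_cat_number' => 1, 'expenses_cat_desc' => 'Travel'],
    ['expenses_cat_number' => 2, 'expenses_cat_desc' => 'Hardware "misc" <b>bold</b>'],
];

echo '<table>' . "\n";
foreach ($rows as $row) {
    echo render_expense_row($row);
}
echo '</table>' . "\n";
```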