So I am trying to create a school portal, and right now i am trying to find a way to add students to my existing classes. I can successfully add classes, and view them, but when I try to add students to them, it all goes wrong. This is the page that shows my existing classes in a table, and on the right I have the option to add students to that class. It takes the class ID, and adds it to the url of the next page(addtoclass.php)
<?php
//including the database connection file
include_once("connection.php");
//fetching data in descending order (lastest entry first)
$result = mysqli_query($conn, "SELECT * FROM class INNER JOIN yeargroup ON class.yeargroup_id=yeargroup.id INNER JOIN section ON class.section_id=section.id INNER JOIN subject ON class.subject_id=subject.ID INNER JOIN teacher ON class.teacher_id=teacher.ID ORDER BY yeargroup_id ASC, section_id ASC"); // using mysqli_query instead
?>
<html>
<head>
<title>View class</title>
</head>
<body>
<table width='80%' border=0>
<tr bgcolor='#CCCCCC'>
<td>ID</td>
<td>Class Name</td>
<td>Teacher </td>
<td>Yeargroup</td>
<td>Subject</td>
<td>Section</td>
<td>Manage </td>
</tr>
<?php
//while($res = mysql_fetch_array($result))
while($res = mysqli_fetch_array($result)) {
echo "<tr>";
echo "<td>".$res['class_id']."</td>";
echo "<td>".$res['classname']."</td>";
echo "<td>".$res['surname']."</td>";
echo "<td>".$res['yeargroup_description']."</td>";
echo "<td>".$res['subject_description']."</td>";
echo "<td>".$res['section_description']."</td>";
echo "<td>Add students | View current students</td>";
}
?>
</table>
</body>
So now, in the next page, I use $id=$_GET['id'] to retrieve the ID from the URL, and ideally I would then add the students the admins select from the dropdown menu into the class with the ID from the url.
include "connection.php";
$id= $_GET['id'];
$query = "SELECT * FROM student";
$result= mysqli_query($conn, $query);
// $query1 = "SELECT id FROM class WHERE id='$id'";
// $result1= mysqli_query($conn,$query1);
// echo $result1;
?>
<!DOCTYPE html>
<html>
<head>
<title>SSWL Portal</title>
<link rel="stylesheet" type="text/css" href="style.css">
</head>
<body>
<form action="addtoclass.php" method="POST">
<div>
<label>Student</label>
<select name="student">
<option selected="true" disabled="disabled"> Select one from below...</option>
<?php
while ($rows=mysqli_fetch_assoc($result)) {?>
<option value="<?php echo $rows['ID']?>"><?php echo $rows['name'].$rows['surname']?></option>
<?php
}?>
</select> <br>
<button type="sumbit" name="btnAddstudent" class="float" value ="btnAddstudent">Add New Student</button>
</div>
</form>
Logout
</body>
<?php
if (isset($_POST["btnAddstudent"])) {
$student= $_POST["student"];
$query2= "INSERT INTO student_class (student_ID,class_ID) VALUES '($student','$id')";
if (!mysqli_query($conn,$query2))
{
echo "error";
}
else
{
echo "success";
}
}
?>
When I select the students from the dropdown menu and press the 'Add new student' button, I get the error
"Notice: Undefined index: id in C:\xampp\htdocs\sswl\admin\addtoclass.php on line 4".
Is there a better way to do what I am trying to do, or to keep the $id from the url from before I press the button?
Any help would be appreciated. Thank you.
I will also link a picture of my database below.
You have to add id in to your form action like this:
...
<form action="addtoclass.php?id=<?php echo $id; ?>" method="POST">
...
Your code is vulnerable for SQL injections. I advice you to use
prepared statements in case when you need to perform an SQL queries.
Hope it helps.
It seems query string id was not defined appropriately.
<form action="addtoclass.php?id=$id" method="POST">
Change code in while loop to:
echo "<td>Add students | View current students</td>";
Related
I'm currently building a simple CRUD application and decided it would be a nice feature to directly query the database from the browser (i.e from an HTML table) and display ('Read') the results from that particular query.
However, I've been doing some reading and it seems this would essentially be an SQL injection and is something to be avoided. Apparently, it is NOT normal practice to ask a user to input an SQL statement.
Despite this, I've been trying to add this feature to experiment with my code but the SQL statement provided by the HTML form is not being executed.
To recap:
My form in index.php asks the user for an SQL statement.
This is then processed by read.php, which retrieves the SQL statement with the superglobal $_POST['submitsql'] ('submitsql' is just the name of the form's submit button) and queries the database with the query() method. It also displays a message with _$_SESSION[''] superglobal.
From index.php: (form where the user inputs SQL statement)
<form action ="read.php" method ="post">
SQL statement: <input type="text" name="sql_stat">
<button type= 'submit' name = 'submitsql'>Query</button>
</form><br>
read.php (retrieves SQL statement and queries the database)
<?php
include ('server.php');
if(!isset($_SESSION)){
session_start();
}
if(isset($_POST['submitsql'])){
$sql = $_POST['sql_stat'];
$results = $conn->query($sql);
$conn->close();
$_SESSION['message'] = "Query successfully sent: ".$sql;
header('location: index.php');
}else{
$sql = "SELECT * FROM `Students` ORDER BY `degree`";
$results = $conn->query($sql);
$conn->close();
}
?>
For some reason, the message containing the SQL statement is correctly displayed but the database is not queried and all the records are shown (in a table in index.php).
I hope I'm making sense here. My code was working fine when read.php was querying the database directly as opposed to retrieving the SQL statement from the HTML form in index.php. Apologies if I'm not expressing myself correctly.
If it makes any difference, here is the entire index.php:
<?php
include('server.php');
include('create.php');
include('read.php');
include('delete.php');
?>
<!DOCTYPE html>
<html>
<head>
<title>CRUD PROJECT</title>
<meta charset="utf-8"/>
</head>
<body>
<h1>CRUD project</h1>
<h4>Query the database:</h4>
<form action ="read.php" method ="post">
SQL statement: <input type="text" name="sql_stat">
<button type= 'submit' name = 'submitsql'>Query</button>
</form><br>
<?php
if(isset($_SESSION['message'])){
echo $_SESSION['message'];
session_unset();
session_destroy();
}
?>
<table border = '1' cellpadding = '10' >
<tr>
<th>Student ID</th><th>Degree</th><th>Grade</th><th>Graduation Year</th>
</tr>
<tr>
</tr>
<?php
if($results->num_rows>0){
while($row = $results->fetch_assoc()){
echo "<tr><td>".$row['student_id']."</td>";
echo "<td>".$row['degree']."</td>";
echo "<td>".$row['grade']."</td>";
echo "<td>".$row['graduation_year']."</td>";
echo "<td><a href = 'update.php?student_id=".$row['student_id']."'>Edit</a></td>";
echo "<td><a href = 'delete.php?student_id=".$row['student_id']."'>Delete</a></td>";
}
}else {
echo "NO RESULTS TO DISPLAY";
}
?>
</table>
<br>
<h2> Add new records </h2>
<form action ="create.php" method ="post">
Degree: <input type="text" name="degree"><br>
Grade: <input type="text" name="grade"><br>
Graduation year: <input type="text" name="graduation_year"><br>
<button type= 'submit' name = 'submit'>Submit</button>
</form>
</body>
</html>
And server.php where I connect to the database and initialise my variables:
<?php
//Define connection parameters
$db_server = 'localhost';
$db_user = 'root';
$db_password = 'therasmus1';
$db_name = 'University_records';
$conn = new mysqli($db_server,$db_user,$db_password,$db_name);
// Toggle error display
mysqli_report(MYSQLI_REPORT_ERROR);
// Check connection
if ($conn->connect_error) {
trigger_error('Database connection failed: ' . $conn->connect_error, E_USER_ERROR);
}
// Initialise your variables (optional - good practice)
$Degree = "";
$Grade = "";
$Graduation_year = "";
$sql = "SELECT * FROM `Students`";
$results = $conn->query($sql);
?>
All feedback is welcome. Thanks in advance.
I can see that there is an issue with your logic. You are submitting your form to read.php then preparing the $results in that file and then immediately redirecting to index.php so you never use the $results when you submit the form.
But you are also including the read.php in your index.php file. So what happens is that, you submit your form to read.php, create the $results(but never use it), redirect to index.php, in the index.php you have included read.php so now it checks if(isset($_POST['submitsql'])){ and since the request method now is not post it goes to else block:
$sql = "SELECT * FROM `Students` ORDER BY `degree`";
$results = $conn->query($sql);
$conn->close();
So the $results contains all the records of the Students table.
With this logic, no matter what you type in <input type="text" name="sql_stat">, you will always get the $sql = "SELECT * FROM Students ORDER BY degree";
The easiest way to fix this problem, is:
Submit your form to index.php. In index.php Change <form action="read.php" method="post"> to <form action="index.php" method="post">
Remove the header('location: index.php'); from read.php
This fix will solve your current problem.
I built a search form for an app and it is currently only pulling back on result at a time where there should be multiples. I am sure this is something dumb and was wondering if someone can tell me what I am doing wrong.
Here is the full code:
<?php
// php search data in mysql database using PDO
// set data in input text
$TaskId = "";
$ClientId="";
$TaskName = "";
$TaskDescription = "";
$TaskStartAt = "";
if(isset($_POST['Find']))
{
// connect to mysql
try {
$pdoConnect = new PDO("mysql:host=localhost;dbname=tt","root","root");
} catch (PDOException $exc) {
echo $exc->getMessage();
exit();
}
// id to search
//$TaskId = $_POST['TaskId'];
$ClientId = $_POST['ClientId'];
// date to search
//$DateCreated = $_POST['DateCreated'];
// mysql search query
$pdoQuery = "SELECT *
FROM tasks t
left join users u using (UserId)
left join clients cl using (ClientId)
WHERE t.isdeleted = 0 and ClientId = :ClientId";
$pdoResult = $pdoConnect->prepare($pdoQuery);
//set your id to the query id
$pdoExec = $pdoResult->execute(array(":ClientId"=>$ClientId));
if($pdoExec)
{
// if id exist
// show data in inputs
if($pdoResult->rowCount()>0)
{
echo '<table>';
foreach
($pdoResult as $rows)
{
//$TaskId = $row['TaskId'];
$ClientId = $rows['ClientId'];
// $TaskName = $row['TaskName'];
// $TaskDescription = $row['TaskDescription'];
}
echo '</table>';
}
// if the id not exist
// show a message and clear inputs
}else{
echo 'ERROR Data Not Inserted';
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Task Tracker</title>
<link rel="stylesheet" href="css/table.css" type="text/css" />
<link rel="stylesheet" href="assets/demo.css">
<link rel="stylesheet" href="assets/header-fixed.css">
<link href='http://fonts.googleapis.com/css?family=Cookie' rel='stylesheet' type='text/css'>
<script type="text/javascript">
//Display the Month Date and Time on login.
function display_c(){
var refresh=1000; // Refresh rate in milli seconds
mytime=setTimeout('display_ct()',refresh)
}
function display_ct() {
var strcount
var x = new Date()
document.getElementById('ct').innerHTML = x;
tt=display_c();
}
</script>
</head>
<body>
<header class="header-fixed">
<div class="header-limiter">
<h1>Task Tracker</h1>
<nav>
<a href="dashboard.php" class =>Dashboard</a>
<a href="addtask.php" class=>Task Management</a>
<a href="configuration.php" class =>Configuration</a>
<a href="logout.php" class =>Logout</a>
Reports & Analytics
</nav>
</nav>
</div>
</header>
<title> Query a task</title>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<form action="search.php" method="post">
<!-- Enter a Task Id : <input type="text" name="TaskId" value=""> <br><br> -->
Enter a Client Id : <input type="text" name="ClientId" value="<?php echo $ClientId;?>"><br><br>
<input type="submit" name="Find" value="Find Data">
<br> </br>
<table border="0">
<tr COLSPAN=2 BGCOLOR="lightblue">
<td>Id</td>
<td>Client</td>
<td>Task Name</td>
<td>Task Description</td>
<td>Hours</td>
<td>Date Created</td>
<td>Who Completed Task</td>
</tr>
<?php
{
if($pdoResult->rowCount()>0)
{
echo "<tr>".
"<td>".$rows["TaskId"]."</td>".
"<td>".$rows["ClientName"]."</td>".
"<td>".$rows["TaskName"]."</td>".
"<td>".$rows["TaskDescription"]."</td>".
"<td>".$rows["Hours"]."</td>".
"<td>".$rows["DateCreated"]."</td>".
"<td>".$rows["UserName"]."</td>".
"</tr>";
}
else{
echo 'No data associated with this Id';
}
}
?>
</table>
</form>
</body>
</html>
At a quick glance, it seems to be simply that you’ve split your functionalities up too much.
At the top of the page, you establish your database connection and retrieve the result set. Then you echo a table element, foreach through the PDO Statement object and assign the contents of the current row to the variable $rows. Note: the content of the current row.
Further down on the page, you echo the individual fields, using $rows['field']—but you do this outside your foreach loop. Since $rows gets repopulated everytime the loop loops around, and since you don’t destroy the variable after the loop completes, you end up at the end with a variable that still contains the last row from your result set.
You need to put the place where you actually print the contents of each individual row inside the loop that iterates through your statement object to retrieve the fields. On the other hand, you only want to do this at all if any user input has been entered at all, so the whole thing still needs to be inside the positive branch of the very first condition that checks if $_POST['Find'] is set, like in the version below.
I start out here by assigning a variable $results to be an empty string—that’s the value we’ll output if the user hasn’t sent the form at all. If $_POST['Find'] is not empty, then we search the database, iterate through the result set, create an HTML string in this loop, and store the result in the $results variable. If no rows are returned or the execute() call fails entirely, we throw an exception to be handled by an exception handler (that you will have to define at a central level, for your entire project), passing along a generic error message to be displayed to the user.
Note that I’ve also stripped out a lot of extraneous stuff and comments to make the relevant bits clearer and renamed the $rows variable to $row to make it clear that since it’s populated inside a loop, it contains one row, not all of them.
<?php
// Set the global exception handler—should of course be done
// in a global boilerplate file, rather than for each file
set_exception_handler('your_exception_handler_here');
$results = "";
if(!empty($_POST['Find']))
{
$pdoConnect = new PDO("mysql:host=localhost;dbname=tt","root","root");
$pdoConnect->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$ClientId = $_POST['ClientId'];
$pdoQuery = "SELECT *
FROM tasks t
left join users u using (UserId)
left join clients cl using (ClientId)
WHERE t.isdeleted = 0 and ClientId = :ClientId";
$pdoResult = $pdoConnect->prepare($pdoQuery);
$pdoExec = $pdoResult->execute(array(":ClientId"=>$ClientId));
if($pdoResult->rowCount()>0)
{
$results = '<table border="0">
<tr COLSPAN=2 BGCOLOR="lightblue">
<td>Id</td>
<td>Client</td>
<td>Task Name</td>
<td>Task Description</td>
<td>Hours</td>
<td>Date Created</td>
<td>Who Completed Task</td>
</tr>';
foreach ($pdoResult as $row)
{
$ClientId = $row['ClientId'];
$results .= "<tr>".
"<td>".$row["TaskId"]."</td>".
"<td>".$row["ClientName"]."</td>".
"<td>".$row["TaskName"]."</td>".
"<td>".$row["TaskDescription"]."</td>".
"<td>".$row["Hours"]."</td>".
"<td>".$row["DateCreated"]."</td>".
"<td>".$row["UserName"]."</td>".
"</tr>";
}
$results .= "</table>";
} else {
$return = '<span class="error_message">No data associated with this Id</span>');
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Task Tracker</title>
</head>
<body>
<title>Query a task</title>
<form action="search.php" method="post">
Enter a Client Id : <input type="text" name="ClientId" value="<?php echo $ClientId;?>"><br><br>
<input type="submit" name="Find" value="Find Data">
</form>
<?php
echo $results;
?>
</body>
</html>
I have been trying to get it so that I can assign a variable to the value that the user selects in my drop-down menu of countries. I have done this before with tables, but not drop down lists, so I'm not sure how. Ultimately, I am trying to have a new page return a table for the country selected once the user clicks the submit button, and know I need a varaiable assigned to what the user selects. Here is my code so far:
<html>
<head>
<title>test2</title>
<link href="css/style.css" rel="stylesheet">
</head>
<body>
<?php include("header.php"); ?>
<article>
<!-- This describes the choice of country name selection -->
<h1>Please select your country:</h1>
<form action='processformD.php' method='GET'>
<select name='CountryName'>
<?php
$query = "SELECT * FROM alphabetizedCountryNames;";
$result=mysqli_query($con, $query) or die ("Couldn't execute query.");
// $row = mysqli_fetch_assoc($result);
?>
<?php
while($row = mysqli_fetch_array($result))
{
extract($row);
echo "<option value='$CountryName'>$CountryName\n";
}
?>
</select>
<div class="centerthatshit"><?php echo "<p><input type='submit' value='submit' /></p>\n"; ?></div>
</form>
</article>
<?php include("footer.php"); ?>
</body>
</html>
</body>
</html>
I have an html page that loads list of hotels in a select tag from a MySQL table using PHP. The select tag is inside a form tag. Whenever I load the page, the option tags will load, but when I submit my form, the option tags never load anymore. My form's action attribute is empty, I am checking everything on the same page, but when I put another php page as action, it loads normally. Is there a way to make it load after submit while keeping my form's action empty?
Here is my code
<?php
require_once 'db.php';
$db = DB::get_instance();
if(isset($_POST['search'])) {
$hotel = $_POST['hotel_list'];
$db->query("SELECT * FROM hotels WHERE Name='$hotel'");
$hotel = $db->result()->current();
$hid = $hotel['Hid'];
$db->query("SELECT * FROM rooms WHERE Hid='$hid'");
$rooms = $db->result();
$db->disconnect();
}
?>
<!doctype html>
<html>
<head>
<title>Display a hotel</title>
</head>
<body>
<form action="" method="post" id="dsphtl">
Name: <select name="hotel_list" form="dsphtl">
<?php
$db->query("SELECT Name FROM hotels ORDER BY Name");
foreach($db->result() as $row) {
$t = $row['Name'];
echo "<option value='$t'>$t</option>";
}
?>
</select>
<input type="submit" value="Search" name="search">
</form>
</body>
</html>
If $_POST['search'] is set, you $db->disconnect(); so it can't run the query in your form.
Take the $db->disconnect(); out of your if() statement, and put it at the end of the file.
The issue is with the disconnect, when the page reload after submit your connection to mysql lost due to
$db->disconnect();
<?php
require_once 'db.php';
$db = DB::get_instance();
if(isset($_POST['search'])) {
$hotel = $_POST['hotel_list'];
$db->query("SELECT * FROM hotels WHERE Name='$hotel'");
$hotel = $db->result()->current();
$hid = $hotel['Hid'];
$db->query("SELECT * FROM rooms WHERE Hid='$hid'");
$rooms = $db->result();
}
?>
<!doctype html>
<html>
<head>
<title>Display a hotel</title>
</head>
<body>
<form action="" method="post" id="dsphtl">
Name: <select name="hotel_list" form="dsphtl">
<?php
$db->query("SELECT Name FROM hotels ORDER BY Name");
foreach($db->result() as $row) {
$t = $row['Name'];
echo "<option value='$t'>$t</option>";
}
?>
</select>
<input type="submit" value="Search" name="search">
</form>
</body>
</html>
I'm trying to pass variables from the form to multiple pages in php
The form "rentcheck.php"
<?php require ("Connections/Project.php") ;?>
<?php session_start();?>
<title>Rent Check</title>
</head>
<body>
<form id="form1" name="form1" method="post" action="rent.php">
<table width="385" height="70" border="1">
<tr>
<td><label for="select3">Select Customer</label>
<select name="Customer_ID" id="Customer_ID">
<?php
//Select from SQL Database Table (t_customer)
$sql=mysql_query("SELECT * from t_customer");
while ($Customer = mysql_fetch_array($sql)){
echo "<option value='".$Customer['Customer_ID']."'>".$Customer['Customer_Name']."</option>";
}
?>
</select></td>
</tr>
</table>
<p>
<input type="submit" name="button" id="button" value="Submit" />
</p>
</form>
</body>
</html>
After input and Pass it to page "rent.php"
<?php
require("Connections/Project.php");
//$_SESSION['yourvariable'] = 'foo';
//$newDate = date("d-m-Y", strtotime($row_Recordset1['Customer_CC_Exp_Date']));
session_start();
$datetoday=date("Y-m-d H:i:s");
$endOfCycle=date('Y-m-d', strtotime("+30 days"));
if(isset($_GET['page'])){
$pages=array("products","cart");
if(in_array($_GET['page'], $pages)){
$_page=$_GET['page'];
}else{
$_page="products";
}
}else{
$_page="products";
}
?>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Rent</title>
</head>
<body>
<p> <?php require($_page. ".php");?>
<?php echo $_POST['Customer_ID'];?></p>
</body>
</html>
This page (rent.php) shows the value from the form.
And the third page "products.php"
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Untitled Document</title>
</head>
<?php
if(isset($_GET['action']) && $_GET['action']=="add"){
$custget=$_SESSION['Customer_ID'];
$id=intval($_GET['id']);
if(isset($_SESSION['cart'][$id][$custget])){
$_SESSION['cart'][$id]['quantity']++;
$getcust=$_SESSION['Customer_ID'];
}else{
$sql_s="SELECT * FROM t_dvd_copy
WHERE dvd_copy_id={$id}";
$query_s=mysql_query($sql_s);
if(mysql_num_rows($query_s)!=0){
$row_s=mysql_fetch_array($query_s);
$_SESSION['cart'][$row_s['dvd_copy_id']]=array(
"quantity" =>1,
"price" => $row_s['price']
);
}else{
$message="NO";
}
}
}
?>
<?php if(isset($message)) {
echo"$message"; }
//echo print_r($_SESSION['cart']); ?>
<table width="489" height="52" border="1">
<tr>
<td width="123">DVD Copy ID</td>
<td width="120">Name</td>
<td width="91">Price</td>
<td width="127">Action</td>
</tr>
<?php
$sql="SELECT *, dvd_title FROM t_dvd_copy INNER JOIN t_dvd ORDER BY dvd_title ASC";
$query=mysql_query($sql);
while($row=mysql_fetch_array($query)) {
?>
<tr>
<td><?php echo $row['dvd_copy_id']?></td>
<td><?php echo $row['dvd_title']?></td>
<td><?php echo $row['price']?></td>
<td>Add To Cart</td>
<?php
}
?>
</table>
<body>
</body>
</html>
This page (products.php) shows:
Notice: Undefined index: Customer_ID in C:\xampp\htdocs\project3\rent.php on line 39" whenever I clicked the "Add to Cart" or manually type "rent.php?=cart".
I'm trying to do is to show(Customer_ID)/pass the variables on multiple pages("products.php","cart.php").
Any suggestions or ideas?
I think your problem is that you have not started the session on the other pages.
on every php page that you want to have a session you need to put session_start(); at the top.
if you don't the session will end and empty all the data from it.
if you want to make sure what is in your session you can print it out like so:
echo "<pre>";
echo print_r($_SESSION);
echo "</pre>";
Couple of things:
You mentioned that when you clicked "Add to Cart" it didn't work. I assume you mean the button labelled "Submit" on the rentcheck.php page. Can you confirm this is right please?
You would get an error when manually navigating to rent.php?=cart as you are looking for a Customer_ID key in the $_POST array but at this point you are not posting to the server, you are performing a $_GET request.
You have referenced $_SESSION['Customer_ID'] but I cannot see in your code where you have set this (products.php 7th line of code).
I would suggest thinking through how a user might navigate through your website:
where are they likely to start?
what variables will be available to you at this point?
what will you do if the required variables do not exist (e.g. $_SESSION)?
what is the earliest point you can collect the required information (your form)?
once the form has been completed correctly, how can I make sure that the required information is retained throughout the users session?
have I continued to test on each page that my required variables are available to me?
Start with that and see where it leads you.
Looking at the code I can see that you are including products.php inside rent.php
So a couple of thoughts here:
products.php should not have HTML <head> because it will be rendered
inside the <body>
If you have a variable available in rent.php it will be available
under the same name in products.php.
So if you have in rent.php:
$customer_id = $_POST['Customer_ID'];
require('products.php');
In products.php you can use $customer_id directly.