So these are my codes. The id in my case is a varchar(consists of number, symbol and char). When I entered a numeric ID, I can edit the information. But when the id entered is not fully numeric, the system says " Unknown column '618XRWCG' in 'where clause'"
this is updateforecast.php
<?php
}
// connect to the database
include('connect.php');
// check if the form has been submitted. If it has, process the form and save it to the database
if (isset($_POST['submit']))
{
// confirm that the 'id' value is a valid integer before getting the form data
if (is_numeric($_POST['id']))
{
// get form data, making sure it is valid
$id = $_POST['id'];
$min = mysql_real_escape_string(htmlspecialchars($_POST['min']));
$max = mysql_real_escape_string(htmlspecialchars($_POST['max']));
$sapuk = mysql_real_escape_string(htmlspecialchars($_POST['sapuk']));
$sapus = mysql_real_escape_string(htmlspecialchars($_POST['sapus']));
$sapasia = mysql_real_escape_string(htmlspecialchars($_POST['sapasia']));
$sapmex = mysql_real_escape_string(htmlspecialchars($_POST['sapmex']));
$penuk = mysql_real_escape_string(htmlspecialchars($_POST['penuk']));
$penus = mysql_real_escape_string(htmlspecialchars($_POST['penus']));
$penasia = mysql_real_escape_string(htmlspecialchars($_POST['penasia']));
$penmex = mysql_real_escape_string(htmlspecialchars($_POST['penmex']));
// check that firstname/lastname fields are both filled in
if ($min == '' || $max == '')
{
// generate error message
$error = 'ERROR: Please fill in all required fields!';
//error, display form
renderForm($id, $min, $max, $sapuk, $sapus, $sapasia, $sapmex, $penuk, $penus, $penasia, $penmex, $error);
}
else
{
// save the data to the database
mysql_query("UPDATE forecast SET Min='$min', Max='$max', sapUK='$sapuk', sapUS='$sapus', sapAsia='$sapasia', sapMex='$sapmex', penUK='$penuk', penUS='$penus', penAsia='$penasia', penMex='$penmex' WHERE Partnumber='$id'")
or die(mysql_error());
// once saved, redirect back to the view page
header("Location: viewforecast.php");
}
}
else
{
// if the 'id' isn't valid, display an error
echo 'Error!';
}
}
else
// if the form hasn't been submitted, get the data from the db and display the form
{
// get the 'id' value from the URL (if it exists), making sure that it is valid (checing that it is numeric/larger than 0)
if (isset($_GET['id'])&& $_GET['id'] > 0)
{
// query db
$id = $_GET['id'];
$result = mysql_query("SELECT * FROM forecast WHERE Partnumber=$id")
or die(mysql_error());
$row = mysql_fetch_array($result);
// check that the 'id' matches up with a row in the databse
if($row)
{
// get data from db
$min = $row['Min'];
$max = $row['Max'];
$sapuk = $row['sapUk'];
$sapus = $row['sapUS'];
$sapasia = $row['sapAsia'];
$sapmex = $row['sapMex'];
$penuk = $row['pendingUK'];
$penus = $row['pendingUS'];
$penasia = $row['pendingAsia'];
$penmex = $row['pendingMex'];
// show form
renderForm($id, $min, $max, $sapuk, $sapus, $sapasia, $sapmex, $penuk, $penus, $penasia, $penmex, '');
}
else
// if no match, display result
{
echo "No results!";
}
}
else
// if the 'id' in the URL isn't valid, or if there is no 'id' value, display an error
{
echo 'Error!';
}
}
?>
This is viewforecast.php
<?php
include('connect.php');
$result = mysql_query("SELECT * FROM forecast")
or die(mysql_error());
echo "<table border='1' id = 'frmnew' cellpadding='10'>";
echo "<tr>
<th rowspan='2'><center><b>Part Number</b></center></th>
<th rowspan='2'><center><b>Minimum Quantity</b></center></th>
<th rowspan='2'><center><b>Maximum Quantity</b></center></th>
<th colspan='4' scope='colgroup'><center>SHIP AGAINST PO</center></th>
<th colspan='4' scope='colgroup'><center>FORECAST FROM VARIOUS REGIONS PENDING FOR INTERCO PO</center></th>
</tr>
<tr>
<th scope='col'><center>UK</center></th>
<th scope='col'><center>US</center></th>
<th scope='col'><center>ASIA</center></th>
<th scope='col'><center>MEXICO</center></th>
<th scope='col'><center>UK</center></th>
<th scope='col'><center>US</center></th>
<th scope='col'><center>ASIA</center></th>
<th scope='col'><center>MEXICO</center></th>
</tr>";
// loop through results of database query, displaying them in the table
while($row = mysql_fetch_array( $result )) {
// echo out the contents of each row into a table
echo "<tr>";
echo '<td>' . $row['Partnumber'] . '</td>';
echo '<td>' . $row['Min'] . '</td>';
echo '<td>' . $row['Max'] . '</td>';
echo '<td>' . $row['sapUK'] . '</td>';
echo '<td>' . $row['sapUS'] . '</td>';
echo '<td>' . $row['sapAsia'] . '</td>';
echo '<td>' . $row['sapMex'] . '</td>';
echo '<td>' . $row['pendingUK'] . '</td>';
echo '<td>' . $row['pendingUS'] . '</td>';
echo '<td>' . $row['pendingAsia'] . '</td>';
echo '<td>' . $row['pendingMex'] . '</td>';
echo '<td>Edit</td>';
echo '<td>Delete</td>';
echo "</tr>";
}
// close table>
echo "</table>";
?>
<p>Add a new record</p>
</body>
</html>
The previous error i stated was when i entered an id with no symbol. When i enter an id with symbols, the symbol and the character after it is hidden or something.
Please help
Your code is vulnerable to SQL Injection. You should use PDO like suggested by #IncredibleHat
Edit your updateforecast.php code select query you passed id without string change this .
$result = mysql_query("SELECT * FROM forecast WHERE Partnumber='$id'")
Related
I have this below code but failing at getting it to delete the record, think i may be missing something.
<?php
//Open Database
class MyDB extends SQLite3
{
function __construct() {
$this->open('Name.db');
}
}
$db = new MyDB();
if(!$db){
echo $db->lastErrorMsg();
}
//Select the Name Table
$sql =<<<EOF
SELECT * FROM Name;
EOF;
$ret = $db->query($sql);
// Display The Data In a Table
echo "<table border='1' cellpadding='10'>";
echo "<tr><th>First name</th> <th>Last Name</th> <th>Gender</th> <th></th>
<th></th></tr>";
while($row = $ret->fetchArray(SQLITE3_ASSOC) ){
echo "<tr>";
echo '<td>' . $row['FirstName'] . '</td>';
echo '<td>' . $row['LastName'] . '</td>';
echo '<td>' . $row['Gender'] . '</td>';
echo '<td>Delete
</td>';
echo "</tr>";
}
// check for id to be set and if it is delete the matching row from database
if (isset($_GET['id']))
{
// puts the id value in the variable
$id = $_GET['id'];
// delete the entry
$db->exec("Delete FROM Name WHERE VALUES TeamName=$id;");
header("Location: name.php");
} else {
header("Location: name.php");}
$db->close();
?>
Is there something im missing as it still wont delete the entire row from the db file. It displays the table perfect just fails to delete the matching id Record.
Other delete querie i have tried is
$db->exec("Delete FROM Name (FirstName, LastName, Gender) WHERE VALUES
FirstName=$id;");
You cannot delete some of the values, you can either update them or just delete the entire row.
Try
$db->exec("DELETE FROM Name WHERE TeamName=$id;");
and the other thing you need to do for safety is to escape the $id variable, otherwise it's trouble waiting to happen.
1) check whether the user you are using has the delete permission.
2)$db->exec("DELETE FROM Name WHERE TeamName = '".$id."'");
I have two pages, the first shows all items from a particular field in a MySQL database:
DatabaseEntries.php
<?php
include('connect.php');
$result = mysqli_query($db, "SELECT * FROM names")
or die(mysqli_error($db));
echo "<table border='1' cellpadding='10'>";
echo "<tr> <th>Firstname</th> <th>lastname</th> <th>Email</th><th></th> ";
while($row = mysqli_fetch_array( $result )) {
// echo out the contents of each row into a table
echo "<tr>";
echo '<td>' . $row['firstname'] . '</td>';
echo '<td>' . $row['lastname'] . '</td>';
echo '<td>' . $row['email'] . '</td>';
echo '<td>Delete</td>';
echo "</tr>";
}
?>
the second page contains the delete function:
Delete.php
<?php
include('connect.php');
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['email']) )
{
// get id value
$email = $_GET['email'];
// delete the entry
$result = mysqli_query($db, "DELETE FROM names WHERE email=$email")
or die(mysqli_error($db));
// redirect back to the view page
header("Location: DatabaseEntries.php");
}
else
// if id isn't set, or isn't valid, redirect back to view page
{
header("Location: Error.php");
}
?>
I get the following error when trying to delete an item from the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '#gmail.com' at line 1
Can anyone tell me why? and what to do to fix it?
Thanks
Add quotes around the $email
DELETE FROM names WHERE email='$email'
I'm creating a small private forum to get some more knowledge about PHP/PDO etc. Now I have a weird bug/error/wrong piece of code that is not showing the echo. This is my code.
$sql2 = $db->prepare('SELECT topic_id, topic_subject,topic_date,topic_cat FROM topics WHERE topic_cat = :topid');
$sql2->bindParam(':topid', $_GET['id'], PDO::PARAM_INT);
$sql2->execute();
$result2 = $sql->rowCount();
if($result2 === FALSE){
echo 'The topics could not be displayed, please try again later.';
}
elseif ($result2 === 0){
echo 'There are no topics in this category yet.';
} else {
//prepare the table
echo '<table border="1">
<tr>
<th>Topic</th>
<th>Created at</th>
</tr>';
while($row = $sql2->fetch()) {
echo '<tr>';
echo '<td class="leftpart">';
echo '<h3>' . $row['topic_subject'] . '<br /><h3>';
echo '</td>';
echo '<td class="rightpart">';
echo date('d-m-Y', strtotime($row['topic_date']));
echo '</td>';
echo '</tr>';
}
}
It should show the echo at while($row = $sql2->fetch()), but it is not. Also I know there is not enough { and } but that's because the other part of the code is not relevant.
You appear to count the rows returned by $sql then loop through $sql2. Have you checked to see if there are any results in $sql2?
This is my first post, but I have found this forum to be very useful! I hope you can help me.
My conundrum is this: I have users log on and then rate each other. Once a user logs in, I want them to be able to see the ratings they made (this one I got working - the reviews I can select by a unique id generated by a form) and also see a summary of the ratings that they have received. This is where it seems to get tricky. I tried an inner join but it didn't produce any results.
Right now I have this part up above my html
<?php
include "connect.php";
if(isset($_COOKIE['ID_my_site']))
{
$username = $_COOKIE['ID_my_site'];
$pass = $_COOKIE['Key_my_site'];
while($info = mysql_fetch_array( $check ))
{
//if the cookie has the wrong password, they are taken to the login page
if ($pass != $info['password'])
{
header("");
}
//otherwise they are shown the admin area
else
{
echo "";
echo "";
}
}
}
else
//if the cookie does not exist, they are taken to the login screen
{
header("");
}
include "settings.php";
?>
And this part after my html
<?php
include('connect.php');
$result = mysql_query("SELECT r.user, r.rating1, r.rating2, r.rating3, u.username
FROM reviews r INNER JOIN users u ON r.user=u.username
WHERE r.user='$userid' ORDER BY r.user DESC")
or die(mysql_error());
echo "<table border='1' cellpadding='10'>";
echo "<tr>
<th></th>
<th>View Comments</th>
<th>Rating 1</th>
<th>Rating 2</th>
<th>Rating 3</th>
</tr>";
while($row = mysql_fetch_array( $result )) {
echo "<tr>";
echo '<td>View/Print</td>';
echo '<td>' . $row['rating1'] . '</td>';
echo '<td>' . $row['rating2'] . '</td>';
echo '<td>' . $row['rating3'] . '</td>';
echo "</tr>";
}
echo "</table>";
?>
Unfortunately, I don't get any results at all, though I see about 20 ratings for this person in the sql table.
It's also throwing a "Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in reviews.php on line 19" error.
There's probably a stupid mistake in there, but I'm getting codeblind and frustrated.
Thank you for any help!
if this is line 19:
while($row = mysql_fetch_array( $result )) {
echo "<tr>";
echo '<td>View/Print</td>';
echo '<td>' . $row['rating1'] . '</td>';
echo '<td>' . $row['rating2'] . '</td>';
echo '<td>' . $row['rating3'] . '</td>';
echo "</tr>";
}
you should use the position of the values inside the array like 1,2,3 .. and so on , not ratings1 ,ratings2 .. and so on.
EDIT: This is what I am trying to achieve: http://i.imgur.com/KE9xx.png
I am trying to display the results from my database in two columns. I'm a bit new to PHP so I haven't the slightest clue on how to do this. Can anybody help me with this? Thanks in advance.
Here is my current code:
include('connect.db.php');
// get the records from the database
if ($result = $mysqli->query("SELECT * FROM todo ORDER BY id"))
{
// display records if there are records to display
if ($result->num_rows > 0)
{
// display records in a table
echo "<table width='415' cellpadding='0' cellspacing='0'>";
// set table headers
echo "<tr><td><img src='media/title_projectname.png' alt='Project Name' /></td>
<td><img src='media/title_status.png' alt='Status'/></td>
</tr>";
echo "<tr>
<td><div class='tpush'></div></td>
<td> </td>
</tr>"
while ($row = $result->fetch_object())
{
echo "<tr>";
echo "<td><a href='records.php?id=" . $row->id . "'>" . $row->item . "</a></td>";
echo "<td>" . $row->priority . "</td>";
echo "</tr>";
}
echo "</table>";
}
// if there are no records in the database, display an alert message
else
{
echo "No results to display!";
}
}
// show an error if there is an issue with the database query
else
{
echo "Error: " . $mysqli->error;
}
// close database connection
$mysqli->close();
A good idea would be storing your data into a simple array and then display them in a 2-columned table like this:
$con = mysql_connect('$myhost', '$myusername', '$mypassword') or die('Error: ' . mysql_error());
mysql_select_db("mydatabase", $con);
mysql_query("SET NAMES 'utf8'", $con);
$q = "Your MySQL query goes here...";
$query = mysql_query($q) or die("Error: " . mysql_error());
$rows = array();
$i=0;
// Put results in an array
while($r = mysql_fetch_assoc($query)) {
$rows[] = $r;
$i++;
}
//display results in a table of 2 columns
echo "<table>";
for ($j=0; $j<$i; $j=$j+2)
{
echo "<tr>";
echo "<td>".$row[$j]."</td><td>".$row[$j+1]."</td>";
echo "</tr>";
}
echo "</table>";
mysql_close($con);
<table>
<tr>
<td>ProjectName</td>
<td>Status</td>
<td>ProjectName</td>
<td>Status</td>
</tr>
<?php
while($row = $result->fetch_object()) {
echo "<tr>";
echo "<td>".$row->ProjectName."</td>";
echo "<td>".$row->Status."</td>";
echo "<td>".$row->ProjectName."</td>";
echo "<td>".$row->Status."</td>";
echo "</tr>";
}
?>
</table>
This is the thing on picture. With a bit CSS you can manipulate the tds.
Your function should look similar to this:
$query = "SELECT *
FROM todo
ORDER BY id";
$result = $mysqli->query($query);
while($row = $result -> fetch_array()) {
$feedback .= "<tr>\n<td>" . $row['item'] . "</td><td>" . $row['priority'] . "</td>\n</tr>";
}
return $feedback;
Then, in your HTML have the <table> already setup and where you would normally insert your <td> and <tr> put <?php echo $feedback?> (where $feedback is the assumed variable on the HTML page that retrieves the $feedback from the function). This isn't a complete fix, your code is hard to read, but by starting here, you should be able to continue on the path filling in all the extra information you need for the table, including your CSS.