This is my PHP file. I can't select the deadline from fyp1 where fyp1.code = $tcode (that is the input that we put). Please help.
<?php
include('inc/db.php');
if (isset($_POST['submit'])) {
    $tcode = $_POST['tcode'];
    $idno = $_POST['idno'];
    $sname = $_POST['sname'];
    $datesub = date("Y-m-d");
    $sql = "SELECT * FROM fyp1";
    $select = mysql_query($sql,"SELECT deadline from fyp1 where fyp1.code = '$tcode'");
    $name = $_FILES['file']['name'];
    $tmp_name = $_FILES['file']['tmp_name'];
    if ($name && $tcode) {
        $Location = "S.File/$name";
        move_uploaded_file($tmp_name, $Location);
        $query = mysql_query("INSERT INTO submission (taskcode,idno,name,file,time,dead) VALUES ('$tcode','$idno','$sname','$name','$datesub','$select')");
        header('Location:DisplayNews.php');
    } else
        die("Please select a file");
}
?>
Please take a look at the php devdocs!
mixed mysql_query ( string $query [, resource $link_identifier = NULL ] )
You have to remove the following lines...
$sql = "SELECT * FROM fyp1";
$select = mysql_query($sql,"SELECT deadline from fyp1 where fyp1.code = '$tcode'");
and replace them with a valid call:
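// Build the query text once, escaping the user-supplied value.
$sql = "SELECT deadline ".
       "FROM fyp1 ".
       "WHERE code = '".mysql_real_escape_string($tcode)."' ";
// Pass the query string as the first (and only required) argument.
$select = mysql_query($sql);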
Please never insert $_POST variables directly in SQL statements for security reasons!
Related
I am currently working on this project. Data can be retrieved from database with this code, if certificateNumber is numeric, but it does not search person if certificateNumber field has alphanumeric data.
Where am I wrong with this?
<?php
$flag = 0;
$reg=$_REQUEST["cerf"];
echo ($reg);
$con = mysqli_connect('localhost','neoncom_db','12345','neoncom_std');
$qur = 'select * from student where certificateNumber = '.$reg;
$check = mysqli_query($con,$qur);
while($row=mysqli_fetch_array($check))
{
    if($reg==$row["certificateNumber"])
    {
        $flag++;
        $first = $row["first"];
        $last=$row["last"];
        $num = $row["certificateNumber"];
        $name = $first ." ".$last;
        $course = $row["course"];
        $date = $row["signupDate"];
        echo($row["certificateNumber"]);
        echo($row["first"]);
        echo($row["last"]);
    }
}
// $flag counts the matching rows found above.
if($flag==0)
{
    echo("NOT FOUND");
}
?>
You need to encapsulate $reg in quotes. So your query string $qur should be like this:
$qur = "select * from student where certificateNumber = '" . $reg . "'";
Sidenote: Learn about prepared statements, because right now your query is susceptible to SQL injection attacks. Also see how you can prevent SQL injection in PHP.
I am trying to allow a submission via the form only if a party_id exists in a table, using empty. Here is my code; at the moment it is still allowing everything through even if there is no party_id.
Any help would be great.
if($_SERVER["REQUEST_METHOD"]== "POST") {
    $party_id = (int)$_POST["partyid"];
    $name = $_POST["name"];
    $date = $_POST["date"];
    $length = (int)$_POST["length"];
    $sql = "SELECT * FROM `party` WHERE `party_id`='" . $party_id . "'";
    $res = mysqli_query($link, $sql);
    if(empty($party_id)) { #Were any records found?
        print '<p>No Parties with that ID found! please press the back button to select another party</p>';
    } else {
        $record = mysqli_fetch_assoc($res);
        $party_name = $record["party_name"];
        $price = $record["price"];
        $cost = $price * $length;
        $bookable = true;
        $sql2 = "SELECT * FROM `reservations`" or die("Unable to connect to database");
A simpler way might be to just check if the query returned any results like this.
if($_SERVER["REQUEST_METHOD"]== "POST") {
    $party_id = (int)$_POST["partyid"];
    $name = $_POST["name"];
    $date = $_POST["date"];
    $length = (int)$_POST["length"];
    $sql = "SELECT * FROM `party` WHERE `party_id`='$party_id'";
    $res = mysqli_query($link, $sql);
    if ( mysqli_num_rows($res ) == 0 ) {
        print '<p>No Parties with that ID found! please press the back button to select another party</p>';
    } else {
        $record = mysqli_fetch_assoc($res);
        $party_name = $record["party_name"];
        $price = $record["price"];
        $cost = $price * $length;
        $bookable = true;
        $sql2 = "SELECT * FROM `reservations`" or die("Unable to connect to database");
Kindly pardon me if I look silly, mates.
My issue is that I have a profile page which, on update and submit, changes the data in the db. To refresh the data, I use a select query after that. Then I save it in the current session. Still, the changes happen only in the page where the update and select queries are present. I have some pages which are included, like the top bar and left nav, which change only if I refresh the page. My code is as follows:
<?php
if(isset($_POST['update'])) {
    $name_t = $_POST['name'];
    $email_t = $_POST['email'];
    $pass_t = $_POST['password'];
    $contact_t = $_POST['contact'];
    $address_t = $_POST['address'];
    $dob_t = $_POST['dob'];
    $religion_t = $_POST['religion'];
    $pic_t = ($_FILES['imagefile']['name']);
    $sql = "
        UPDATE teacher
        SET t_name = '$name_t'
        , t_email = '$email_t'
        , t_password = '$pass_t'
        , t_phone = '$contact_t'
        , t_address = '$address_t'
        , t_dob = '$dob_t'
        , t_religion = '$religion_t'
        where teacher_id='$update_id'
    ";
    $retval = mysql_query($sql,$link);
    if(! $retval ) {
        die('Could not update data: ' . mysql_error());
    }
    if (!empty($_FILES['imagefile']['name'])) {
        $sql = "UPDATE teacher SET t_photo = '$pic_t' where teacher_id='$update_id' ";
        $retval = mysql_query($sql,$link);
        $info = pathinfo($_FILES['imagefile']['name']);
        $ext = $info['extension']; // get the extension of the file
        $target = 'img/upload/'.$pic_t;
        move_uploaded_file( $_FILES['imagefile']['tmp_name'], $target);
    }
}
$result = mysql_query("SELECT * FROM teacher where teacher_id='$update_id' ",$link);
while($row = mysql_fetch_array($result)){
    $name = $row['t_name'];
    $email = $row['t_email'];
    $password = $row['t_password'];
    $contact = $row['t_phone'];
    $address = $row['t_address'];
    $dob = $row['t_dob'];
    $religion = $row['t_religion'];
    $img = WEB_URL . 'img/upload/'.$row['t_photo'];
    $_SESSION['objLogin'] = $row;
}
mysql_close($link);
?>
Kindly help me in updating the included pages too without a refresh, because, for instance, the username is displayed in the top bar.
I've got a simple PHP script which queries a mysql database for basic user info based on the data fetched from an HTML form.
<?php
$age = $_POST['age'];
$gender = $_POST['gender'];
$dbc = mysqli_connect('localhost', 'root', 'abc123', 'mydb');
$query = "SELECT * FROM users WHERE AGE='$age' AND GENDER='$gender'";
$result = mysqli_query($dbc, $query) or die('Querying the db failed');
mysqli_close($dbc);
?>
The problem is that the user doesn't always have to pick a gender or age and as a result the query doesn't always succeed. In other words I'm looking for something like this:
//(In pseudocode)
if (only $age exists) then:
$query = "SELECT * FROM users WHERE AGE='$age'
if (only $gender exists) then:
$query = "SELECT * FROM users WHERE GENDER='$gender'
if (both $age and $gender exist) then:
$query = "SELECT * FROM users WHERE AGE='$age' AND GENDER='$gender'";
otherwise:
$query = "SELECT * FROM users"
How should I do this? (in the actual script there are way more variables than just age and gender).
Dynamically build your list of placeholders and values:
$opts = array();
$values = array();
if (isset($_POST['age']) && (strlen($_POST['age']) > 0)) {
    $opts[] = 'AGE = ?';
    $values[] = $_POST['age'];
}
if (isset($_POST .... etc...) {
    $opts[] = 'somefield = ?';
    $values[] = 'value for this field';
}
// etc...
$sql = "SELECT ..."; // basic query, WITHOUT where clause
if (count($opts) > 0) {
    // Conditions in a WHERE clause are joined with AND, not with commas.
    $sql .= ' WHERE ' . implode(' AND ', $opts); // add in dynamic where options
}
$stmt = $mysqli->prepare($sql);
// mysqli accepts the values array in execute() as of PHP 8.1.
$result = $stmt->execute($values); // pass in the values for the ? placeholders
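A complete version of the dynamic WHERE approach above, as an added example that is not part of the original answer. It assumes PDO with the pdo_sqlite driver so it runs offline; the `FILTERS` allow-list, the `buildUserQuery` helper, the `name` column and the sample rows are constructed for illustration.

```php
<?php
// Allow-list: form field name => column name. Only these identifiers can ever
// reach the SQL text; user input is bound as values, never concatenated.
const FILTERS = ['age' => 'AGE', 'gender' => 'GENDER'];

// Hypothetical helper: returns [sql, params] for whichever filters were filled in.
function buildUserQuery(array $input): array
{
    $where = [];
    $params = [];
    foreach (FILTERS as $field => $column) {
        // Treat missing, empty-string or non-string fields as "no filter".
        if (isset($input[$field]) && is_string($input[$field]) && $input[$field] !== '') {
            $where[] = "$column = ?";
            $params[] = $input[$field];
        }
    }
    $sql = 'SELECT name, AGE, GENDER FROM users';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    return [$sql . ' ORDER BY name', $params];
}

// Constructed sample data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (name TEXT, AGE INTEGER, GENDER TEXT)');
$pdo->exec("INSERT INTO users VALUES ('ann', 30, 'f'), ('bob', 30, 'm'), ('cy', 41, 'm')");

// Constructed stand-ins for $_POST covering the four cases from the question.
$cases = [
    ['age' => '30', 'gender' => ''],   // only age
    ['gender' => 'm'],                 // only gender
    ['age' => '30', 'gender' => 'm'],  // both
    [],                                // neither: no WHERE clause at all
];
foreach ($cases as $post) {
    [$sql, $params] = buildUserQuery($post);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    $names = $stmt->fetchAll(PDO::FETCH_COLUMN);
    echo $sql, ' => ', implode(',', $names), PHP_EOL;
}
```

Adding another filter means adding one entry to the allow-list; the query text still never contains request data.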
I keep getting this error...but yet I cannot see any syntax that is inappropriate... any ideas?
Here's my PHP code. I know my other pages are correct as I can run all other parts of the code with no issue.
<?php
// this connects To database
$hostname="";
$username="";
$password="";
$dbname="";
mysql_connect($hostname,$username,$password) OR DIE ("Connection Failed");
mysql_select_db($dbname);
$action = $_REQUEST["action"];
if ($action == 'a') {
    $custFirst = null;
    $custLast = null;
    $custAddress = null;
    $custCity = null;
    $custState = null;
    $custZip = null;
    $custEmail = null;
    $custPhone = null;
} else {
    $id = $_REQUEST["id"];
    $query = "select * from custTab where custNo = $id";
    $result = mysql_query($query)
        or die(mysql_error());
    $row = mysql_fetch_array($result);
    $custFirst = $row['custFirst'];
    $custLast = $row['custLast'];
    $custAddress = $row['custAddress'];
    $custCity = $row['custCity'];
    $custState = $row['custState'];
    $custZip = $row['custZip'];
    $custEmail = $row['custEmail'];
    $custPhone = $row['custPhone'];
} // end if
?>
Try putting quotes around the $id,
$query = "select * from custTab where custNo = '$id'";
This is dangerous and wrong depending on what the custNo field contains:
$id = $_REQUEST["id"];
$query = "select * from custTab where custNo = $id";
If the id is an integer, you should use:
$id = (int) $_REQUEST["id"];
$query = "select * from custTab where custNo = $id";
Otherwise you would have to quote it and escape the variable:
$id = mysql_real_escape_string($_REQUEST["id"]);
$query = "select * from custTab where custNo = '$id'";
But you really should switch to PDO / mysqli and prepared statements to avoid this problem altogether.
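The prepared-statement lookup that the answers above recommend (for `fyp1.code`, `certificateNumber` and `custNo`), as an added example that is not code from any of the posts. It assumes PDO with the pdo_sqlite driver so it runs offline; the `findStudent` helper, the 32-character limit and the sample rows are constructed for illustration.

```php
<?php
// Constructed sample data in an in-memory SQLite database; the student table
// stands in for the one in the certificateNumber question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE student (certificateNumber TEXT PRIMARY KEY, first TEXT, last TEXT)');
$pdo->exec("INSERT INTO student VALUES ('1024', 'Ada', 'Ng'), ('AB-1024', 'Sam', 'Lee')");

// Hypothetical helper: returns the matching row, or null when nothing matches.
function findStudent(PDO $pdo, $certificateNumber): ?array
{
    // Reject arrays, empty strings and oversized values before touching the
    // database (the 32-character limit is an assumption for this example).
    if (!is_string($certificateNumber) || $certificateNumber === '' || strlen($certificateNumber) > 32) {
        return null;
    }
    // The SQL text is fixed; the value travels separately as a bound parameter,
    // so numeric and alphanumeric values need no quoting or escaping.
    $stmt = $pdo->prepare(
        'SELECT certificateNumber, first, last FROM student WHERE certificateNumber = ?'
    );
    $stmt->execute([$certificateNumber]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-ins for $_REQUEST["cerf"]: numeric, alphanumeric, a value
// containing a quote character, and a non-string (cerf[]=x in the request).
foreach (['1024', 'AB-1024', "AB'1024", ['x']] as $input) {
    $row = findStudent($pdo, $input);
    echo json_encode($input), ' => ',
        $row ? $row['first'] . ' ' . $row['last'] : 'NOT FOUND', PHP_EOL;
}
```

The value containing a quote is compared as plain data and simply matches no row, which is the behaviour that string concatenation with or without manual quoting cannot guarantee.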