Cannot call value from mysql - php

I've tried many times to call the values but it's failed. Maybe my code is not perfect enough.
loginprocess.php //this is the process to call the value
<?php
include("connection.php");
$noic = mysql_real_escape_string($_POST['noic']);
$katalaluan = md5(mysql_real_escape_string($_POST['katalaluan']));
$query = mysql_query("SELECT * FROM daftar_pengguna WHERE noic = '".$noic."'
AND katalaluan = '".md5."'");
$count=mysql_num_rows($query);
if($count==0)
{
echo "Tiada rekod di jumpai.<br>";
echo "<a href='index.php'>Kembali</a>";
}
else
{
$row=mysql_fetch_array($query);
echo("<script>location.href = 'carianstatuspemohonresult.php?
id=$row[noic]';</script>");
}
?>
userinfo.php //this is to display the value
<?php
include ("connection.php");
$getId=$_REQUEST["id"];
$query= "SELECT * FROM daftar_pengguna WHERE noic='$getId'";
$result=mysql_query($query);
<table width="50%" border="1" align="center">
<?php
while($row=mysql_fetch_array($result))
{
?>
<tr>
<td align="center"><b>NAMA</b></td>
<td align="center"><?php echo $row["nama"];?></td>
</TR>
<TR>
<td align="center"><b>NO IC</b></td>
<td align="center"><?php echo $row["noic"];?></td>
</TR>
<TR>
<td align="center"><b>KATA LALUAN</b></td>
<td align="center"><?php echo $row["katalaluan"];?></td>
</TR>
<TR>
<td align="center"><b>JAWATAN</b></td>
<td align="center"><?php echo $row["jawatan"];?></td>
</tr>
<tr>
<td align="center"><b>PERINGKAT</b></td>
<td align="center"><?php echo $row["peringkat"];?></td>
</tr>
<tr>
<td align="center"><b>EMAIL</b></td>
<td align="center"><?php echo $row["email"];?></td>
</tr>
<?php } ?>
</td></table>
And sorry. I'm using mysql. Hope you can help me fix them even though I'm using mysql. Also, hope you can understand the code without understanding the Malay language.
Tell me if you need to see other code.
I've changed them. It's the same result. No values called. Hmmm.. :(

You create a md5 value from a posted value, but aren't including it in your WHERE clause... Try ...
$query = mysql_query("SELECT * FROM daftar_pengguna WHERE noic = '".$noic."'
AND katalaluan = '".$katalaluan."'");

You have two while fetching data on userinfo.php file:
while($row=mysql_fetch_array($result)){ // <- Remove this one
?>
<table width="50%" border="1" align="center">
<?php
while($row=mysql_fetch_array($result))
Later in the first file use proper quotes around "noic":
echo("<script>location.href = 'carianstatuspemohonresult.php?
id={$row['noic']}';</script>"); //<-- noic => 'noic'
It seems that you have to remove the first one.
EDIT: Also, you should follow the #DuaneLortie solution and use the variable you've created in your query:
$query = mysql_query("SELECT * FROM
daftar_pengguna
WHERE noic = '".$noic."'
AND katalaluan = '".$katalaluan."'");
Your code has a syntax error. md5 is a function and you are using it as a variable.
You should stop using mysql_* functions since they're deprecated in PHP 5.5 and removed in PHP 7. And finally, md5 hash isn't secure for hashing passwords. Use bcrypt instead.
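The advice in the last answer (drop mysql_*, drop md5, use bcrypt), worked through as an added example that is not code from any of the posts. It assumes PDO with the pdo_sqlite extension so it runs without a MySQL server, uses constructed sample rows, and goes one step beyond the answer by upgrading a stored MD5 hash to bcrypt on the first successful login; the login() function is hypothetical.

```php
<?php
// Added example. sqlite in-memory stands in for the MySQL connection (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE daftar_pengguna (noic TEXT PRIMARY KEY, nama TEXT, katalaluan TEXT)');

// Constructed sample rows: one legacy MD5 hash, one bcrypt hash.
$seed = $pdo->prepare('INSERT INTO daftar_pengguna (noic, nama, katalaluan) VALUES (?, ?, ?)');
$seed->execute(['900101015555', 'Aminah', md5('rahsia123')]);
$seed->execute(['850505056666', 'Badrul', password_hash('kunci456', PASSWORD_BCRYPT)]);

/** Returns the user row without the hash on success, or null on failure. */
function login(PDO $pdo, string $noic, string $katalaluan): ?array
{
    // The value is bound as a parameter, so no escaping function is involved.
    $stmt = $pdo->prepare('SELECT noic, nama, katalaluan FROM daftar_pengguna WHERE noic = ?');
    $stmt->execute([$noic]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $stored = $row['katalaluan'];
    // A bare 32-character hex string is treated as a legacy MD5 hash.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $isLegacyMd5
        ? hash_equals($stored, md5($katalaluan))
        : password_verify($katalaluan, $stored);
    if (!$ok) {
        return null;
    }

    // Replace a legacy or outdated hash now that the plaintext is known to be correct.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_BCRYPT)) {
        $upd = $pdo->prepare('UPDATE daftar_pengguna SET katalaluan = ? WHERE noic = ?');
        $upd->execute([password_hash($katalaluan, PASSWORD_BCRYPT), $noic]);
    }

    unset($row['katalaluan']); // never hand the hash to the page that renders the profile
    return $row;
}

$describe = function (?array $user): string {
    return $user === null ? 'rejected' : 'accepted as ' . $user['nama'];
};
echo 'legacy row, right password: ', $describe(login($pdo, '900101015555', 'rahsia123')), "\n";
echo 'legacy row, wrong password: ', $describe(login($pdo, '900101015555', 'salah')), "\n";
echo 'bcrypt row, right password: ', $describe(login($pdo, '850505056666', 'kunci456')), "\n";
echo 'unknown noic:               ', $describe(login($pdo, '000000000000', 'x')), "\n";

// After the first successful login the legacy row holds a bcrypt hash.
$hash = $pdo->query("SELECT katalaluan FROM daftar_pengguna WHERE noic = '900101015555'")->fetchColumn();
echo 'stored algorithm now:       ', password_get_info($hash)['algoName'], "\n";
```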

Related

HTML for a PHP function

I used prepared statements for my data collection. I am trying to display that data with a fetch_array function in an organized fashion. Is it possible to insert an html table into a php function that relies on a prepared statement?
I've read to use a HEREDOC, but I do not know what to do in place of the variables. I've also tried to create another document for a table, but have the same question.
This is the function I am using.
function showProfile($user) {
global $connection;
$query = "SELECT * FROM profiles WHERE user='$user'";
$result = $connection->query($query);
/* associative array */
$row = $result->fetch_array(MYSQLI_ASSOC);
printf(
"%s <br> %s\n",
$row["forename"],
$row["surname"]
) . "<br style='clear:left;'><br>";
}
This is the table I want to use
<table width="398" border="0" align="center" cellpadding="0">
<tr>
<td height="26" colspan="2">Your Profile Information </td>
</tr>
<tr>
<td width="82" valign="top"><div align="left">FirstName:</div></td>
<td width="165" valign="top"><?php echo $forename ?></td>
</tr>
<tr>
<td valign="top"><div align="left">LastName:</div></td>
<td valign="top"><?php echo $surname ?></td>
</tr>
</table>
I can display my data with the function, however, I want to display it in a more organized way.
instead of printf(), you can just echo
echo "<table width='398'> <-- check here the quote marks so the string doesnt break
<tr>
<td>".$row['forename']."</td> <- then concat all the variables you want like this
</tr>
</table>";
I have not tested this function, but it should work. I have wrapped the table rows in a while loop, although it may not be necessary if you are getting back one row in your query.
function showProfile($user)
{
global $connection;
// $connection is a mysqli object, so use a positional placeholder and bind_param()
$query = $connection->prepare("SELECT * FROM profiles WHERE user = ?");
$query->bind_param('s', $user);
$query->execute();
$result = $query->get_result();
echo "<table width='398' border='0' align='center' cellpadding='0'>
<tr><td height='26' colspan='2'>Your Profile Information </td>
</tr> ";
/* associative array */
while($row = $result->fetch_array(MYSQLI_ASSOC))
{
echo "
<tr>
<td width='82' valign='top'><div align='left'>FirstName:</div></td>
<td width='165' valign='top'>{$row['forename']}</td>
</tr>
<tr>
<td valign='top'><div align='left'>LastName:</div></td>
<td valign='top'>{$row['surname']}</td>
</tr>";
}
echo "</table>";
}
As much as possible, you want to separate logic from presentation. Your table example is definitely on track. However, I would suggest thinking a little differently about the output of the function. Instead of the function returning HTML, have it return data that a view could use.
An object is much better suited for the task than a single function:
<?php
class Profile {
private $conn;
private $result;
public function __construct($conn) {
$this->conn = $conn;
}
public function findProfile($user) {
$query = "SELECT * FROM profiles WHERE user=?";
$stmt = $this->conn->prepare($query);
$stmt->bind_param('s', $user);
$stmt->execute();
$this->result = $stmt->get_result();
}
public function fetch() {
//if($row = $this->result->fetch_array(MYSQLI_ASSOC)) {
if($row = $this->result->fetch_assoc()) {
return $row;
}
return false;
}
}
Then your table can be separated into its own file, to be included whenever you wish (assuming $conn and $user are defined):
<?php
$p = new Profile($conn);
$p->findProfile($user);
?>
<!-- html stuff here -->
<?php if($info = $p->fetch()): ?>
<table width="398" border="0" align="center" cellpadding="0">
<tr>
<td height="26" colspan="2">Your Profile Information </td>
</tr>
<tr>
<td width="82" valign="top"><div align="left">FirstName:</div></td>
<td width="165" valign="top"><?= $info['forename'] ?></td>
</tr>
<tr>
<td valign="top"><div align="left">LastName:</div></td>
<td valign="top"><?= $info['surname'] ?></td>
</tr>
</table>
<?php endif; ?>

MySQL query - IF statement to generate two different rows

I have some issues with below script, essentially what I'm trying to achieve is to grab different product and prices and generate a table which works fine. However, some of the products do have an extra charge, in this case the product will use three rows (price, extra charge and total sum). I'm trying to get the IF statement to work as follows: if the extra charge = 0 then it should only make a single row in the table, if more then 0 it should produce the 3 row version.
Someone have any idea what I'm doing wrong? Thanks in advance!
<?php
$page=basename($_SERVER['PHP_SELF']); /* Returns PHP File Name */
$page_name=str_replace(".php","",$page);
mysql_connect(localhost,$dbuser,$dbpass);
#mysql_select_db($database) or die( "Unable to select database");
$query= ("SELECT * FROM table e
JOIN validdate1 r ON e.datevalid1=r.id
JOIN validdate2 d ON e.datevalid2=d.id
WHERE productpage='$page_name'
ORDER BY productname,price2");
$result=mysql_query($query);
$num=mysql_numrows($result);
mysql_close();?>
<table>
<thead>
<tr>
<th class="headerdesc">Description</th>
<th class="headerprice1 rates1">2015</th>
<th class="headerprice2 rates2">2016</th>
</tr>
</thead>
<?php $i=0;while ($i < $num)
{
$productname = mysql_result($result,$i,"productname");
$price1=mysql_result($result,$i,"price1");
$price2=mysql_result($result,$i,"price2");
$extracharge1=mysql_result($result,$i,"extracharge1");
$extracharge2=mysql_result($result,$i,"extracharge2");
$daterange1=mysql_result($result,$i,"daterange1");
$daterange2=mysql_result($result,$i,"daterange2");
if ($extracharge1 > "0") {
echo " <tr>
<td class="desc"><?php echo $productname; ?></td>
<td class="price1 rates1">$<? echo $price1; ?></td>
<td class="price2 rates2">$<? echo $price2; ?></td>
</tr>
<tr>
<td class="extra">Extra Charge**</td>
<td class="price1 rates1">$<? echo $extracharge1; ?></td>
<td class="price2 rates2">$<? echo $extracharge2; ?></td>
</tr>
<tr class="lastrow">
<td class="totalprice"><strong>Total price</strong></td>
<td class="total rates1"><strong>$<? echo $price1+$extracharge1; ?></strong></td>
<td class="total rates2"><strong>$<? echo $price2+$extracharge2; ?></strong></td>
</tr>";
} else {
echo " <tr class="lastrow">
<td class="extra"><?php echo $productname; ?></td>
<td class="price1 rates1">$<? echo $price1; ?></td>
<td class="price2 rates2">$<? echo $price2; ?></td>
</tr>";
}
?>
<?php $i++;}?>
</table>
You have several errors in the code; change it like this. At the top, below the query,
$num=mysql_numrows($result); will be
$num=mysql_num_rows($result);
don't close the connection since you are still performing queries below
//mysql_close(); comment it out and move it to bottom
and here you need this
if (mysql_num_rows($extracharge1) > 0 )
You are comparing string with a resource in your code
Note: don't use mysql_* functions, they're deprecated; use PDO or mysqli_*.

PHP using mysql_fetch_array to fill a table

OK, before you tell me to use mysqli: I am using the deprecated methods on purpose for a webapp lesson. I am not a student, this is not homework, it is to help me teach an understanding for web application security.
I cannot figure out why this won't work. Basically, all I want to do is create a page that takes the data from the mysql database and places it into a table as shown. At this point I am open to anything.
Thank you in advance.
<html>
<head><title>Untitled</title></head>
<body>
<h1>Weblog Example</h1>
<dl>
<?php
mysql_connect("localhost","root","");
mysql_select_db("blog1");
$query ="SELECT entrytitle, entrytext,";
$query.=" DATE_FORMAT(entrydate, '%M %d, %Y') AS entrydate";
$query.=" FROM weblog ORDER BY entrydate DESC LIMIT 10";
$result=mysql_query($query);
?>
<table width="90%" border="0" align="center" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td width="15%" align="center" bgcolor="#E6E6E6"><strong>Title</strong></td>
<td width="75%" align="center" bgcolor="#E6E6E6"><strong>Entry</strong></td>
<td width="15" align="center" bgcolor="#E6E6E6"><strong>Date/Time</strong></td>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['entrytitle']; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['entrytext']; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows['entrydate']; ?></td>
</tr>
<?php
}
?>
</dl>
</body>
</html>
Ok- made some minor edits- it now gives me 3 rows in the table but doesn't populate the data...
Do a var_dump on $entrytitle and $entrytext and you'll understand your error.
Data is temporarily stored into $rows when you do a mysql_fetch_array.
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center" bgcolor="#FFFFFF"><? echo $rows["entrytitle"]; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows["entrytext"]; ?></td>
<td align="center" bgcolor="#FFFFFF"><? echo $rows["entrytext"]; ?></td>
</tr>
<?php
}
?>
You're using the wrong variable in your while loop, you're also not referencing the correct date column from your query result.
This should give you what you're looking for:
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center" bgcolor="#FFFFFF"><?php echo $rows['entrytitle']; ?></td>
<td align="center" bgcolor="#FFFFFF"><?php echo $rows['entrytext']; ?></td>
<td align="center" bgcolor="#FFFFFF"><?php echo $rows['entrydate']; ?></td>
</tr>
<?php
}
?>
Both your $query.= should read as $query .= that alone will be an issue and will not concatenate properly because of the missing space before the dots.
You're also missing a </table> tag.
Plus, make sure that short tags are set/on, otherwise do <?php echo $rows...
instead of <? echo $rows....
You should also check for possible query errors using:
$result = mysql_query($query) or die(mysql_error());
and using error reporting.
Add error reporting to the top of your file(s) which will help find errors.
<?php
error_reporting(E_ALL);
ini_set('display_errors', 1);
// rest of your code
Sidenote: Error reporting should only be done in staging, and never production.
I also suggest you switch to mysqli with prepared statements, or PDO with prepared statements, they're much safer.

If IDs from two different tables are equal, display name from another table

I'm writing a code for my little admin panel, and since I'm not that advanced of a coder, I'm experiencing some troubles with getting a name using two different tables.
Here's my code so far:
<?php
session_start();
if(!session_is_registered(myusername)){
header("location:main_login.php");
}
include 'db_connect.php';
$sql = "SELECT * FROM $tbl_name WHERE is_dead='0'";
$result=mysql_query($sql);
?>
<title>Title</title>
<center><img src="header.png"></center>
<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr>
<td>
<table width="400" border="1" cellspacing="0" cellpadding="3">
<tr>
<? include 'menu.php';?>
</tr>
<tr>
<td align="center"><strong>ID</strong></td>
<td align="center"><strong>Unique ID</strong></td>
<td align="center"><strong>Model</strong></td>
<td align="center"><strong>Last Online</strong></td>
<td align="center"><strong>Options</strong></td>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td><? echo $rows['id']; ?></td>
<td><? if ($rows['unique_id'] == 7815684) { echo '<font color="blue"><b><u>7815684</u></b></font>'; }
elseif ($rows['unique_id'] == 2312964) { echo '<font color="blue"><b><u>2312964</u></b></font>'; }
else { echo $rows['unique_id']; } ?></td>
<td><? echo $rows['model']; ?></td>
<td align='center'><font color="green"><b><? echo $rows['last_updated']; ?></b></font></td>
<td align="center">update
</tr>
<?php
}
?>
</table>
</td>
</tr>
</table>
So what I'm trying to do is to get the user name, using two tables $tbl_name and $prtable using their unique_id. So, if unique_id from $tbl_name equals unique_id from $prtable, I want to show the user's name from $prtable.
I've been trying another sql query:
$sql = "SELECT * FROM $tbl_name, $prtable WHERE $tbl_name.unique_id = $prtable.unique_id";
$result=mysql_query($sql);
Then doing while loop to get it working
while($rows=mysql_fetch_array($result)){
$rows['name'];
}
and it did work actually, but it didn't want to put it right into my code, since ID from $prtable and $tbl_name are different.
Try this:
$sql = "SELECT $prtable.username FROM $tbl_name INNER JOIN $prtable ON ($tbl_name.unique_id = $prtable.unique_id)";
When you call INNER JOIN you are fetching all rows from each table and combining them given the ON condition. For more information, see this: http://www.w3schools.com/sql/sql_join_inner.asp

For loop fetch array in php

I want to delete mySQL rows with checkboxes. This is a code that should work according to someone on the internet, but some reason it doesn't for me. When I click delete it only refreshes but the row doesn't disappear. Has this something to do with my ID in the table?
<body>
<?php
$host="localhost"; // Host name
$username="root"; // Mysql username
$password="*****"; // Mysql password
$db_name="test"; // Database name
$tbl_name="deviation"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
$sql="SELECT * FROM $tbl_name";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
?>
<table width="400" border="0" cellspacing="1" cellpadding="0">
<tr>
<td><form name="form1" method="post" action="">
<table width="400" border="0" cellpadding="3" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<td bgcolor="#FFFFFF"> </td>
<td colspan="4" bgcolor="#FFFFFF"><strong>Delete multiple rows in mysql</strong> </td>
</tr>
<tr>
<td align="center" bgcolor="#FFFFFF">Åtgärda</td>
<td align="center" bgcolor="#FFFFFF"><strong>Chassinummer</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Problem detail</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Fault code</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Position</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Help object</strong></td>
<td align="center" bgcolor="#FFFFFF"><strong>Operation step</strong></td>
</tr>
<?php
while($rows=mysql_fetch_array($result)){
?>
<tr>
<td align="center" bgcolor="#FFFFFF"><input name="checkbox[]" type="checkbox" id="checkbox[]" value="<?php echo $rows['id']; ?>"></td>
<td bgcolor="#FFFFFF"><?php echo $rows['chassi']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['problem_detail']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['fault_code']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['fault_code']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['position']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['help_object']; ?></td>
<td bgcolor="#FFFFFF"><?php echo $rows['operation_step']; ?></td>
</tr>
<?php
}
?>
<tr>
<td colspan="5" align="center" bgcolor="#FFFFFF"><input name="delete" type="submit" id="delete" value="Delete"></td>
</tr>
<?php
**$checkbox = $_POST['checkbox'];**
**$delete = $_POST['delete'];**
// Check if delete button active, start this
if($delete){
for($i=0;$i<$count;$i++){
$del_id = $checkbox[$i];
**$sql = "DELETE FROM $tbl_name WHERE id='$del_id'";**
$result = mysql_query($sql);
}
// if successful redirect to delete_multiple.php
if($result){
echo "<meta http-equiv=\"refresh\" content=\"0;URL=deletetable.php\">";
}
}
mysql_close();
?>
</table>
</form>
</td>
</tr>
</table>
</body>
There are certain things I want to direct your attention towards:
1) There are a number of lines in PHP enclosed in nonsensical double-asterisks. I'm shocked the PHP actually ran through those.
2) You have a $result defined within the global scope at the top of your script (where it was given a resource pointer from mysql_query()). This means that at the bottom, where you check for if($result), that check will always come to true (unless there were syntactic errors). This also means that the page will always refresh when you click submit regardless of whether the deletion actually happened.
As I've mentioned in the comments, that code is (frankly speaking) a piece of crap. It's vulnerable to SQL injection, the code doesn't actually do what it's supposed to do, it's using deprecated attributes and functions... The failure of the code to do what you want isn't because of the IDs in your table, it's because of the broken, non-functioning code you copied off the Internet.
Don't iterate over whole table
Replace this
for($i=0;$i<$count;$i++){
$del_id = $checkbox[$i];
**$sql = "DELETE FROM $tbl_name WHERE id='$del_id'";**
$result = mysql_query($sql);
}
with
if(isset($_POST['checkbox']) && is_array($_POST['checkbox'])){
foreach($_POST['checkbox'] as $id){
$id = (int)$id;
$sql = "DELETE FROM $tbl_name WHERE id='$id'";
$result = mysql_query($sql);
}
}
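The two points raised in the answers above (the submitted ids must not reach the DELETE as raw text, and the success check must reflect what was actually deleted) combined in one added example that is not code from any of the posts. It assumes PDO with the pdo_sqlite extension in place of MySQL, constructed sample rows, and a hypothetical deleteChecked() function; the table name is a fixed literal here rather than a variable.

```php
<?php
// Added example. sqlite in-memory stands in for MySQL; the rows are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE deviation (id INTEGER PRIMARY KEY, chassi TEXT, fault_code TEXT)');
$pdo->exec("INSERT INTO deviation (id, chassi, fault_code) VALUES
    (1, 'A100', 'F01'), (2, 'A101', 'F02'), (3, 'A102', 'F03'), (4, 'A103', 'F04')");

/**
 * Deletes the ticked rows and returns how many rows were really removed.
 * $posted is what $_POST['checkbox'] would hold: untrusted, possibly not an array.
 */
function deleteChecked(PDO $pdo, $posted): int
{
    if (!is_array($posted)) {
        return 0;
    }
    // Keep only positive integers; anything else is dropped, not coerced.
    $ids = [];
    foreach ($posted as $value) {
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[$id] = $id; // keyed by id to de-duplicate
        }
    }
    if ($ids === []) {
        return 0;
    }
    // One bound placeholder per id, in a single statement instead of a loop.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("DELETE FROM deviation WHERE id IN ($placeholders)");
    $stmt->execute(array_values($ids));

    // rowCount() reports affected rows, unlike a leftover $result from the SELECT.
    return $stmt->rowCount();
}

// Constructed form submissions.
printf("ticked 2, 3, 3, 'abc', -1 -> rows deleted: %d\n",
    deleteChecked($pdo, ['2', '3', '3', 'abc', '-1']));
printf("nothing ticked            -> rows deleted: %d\n", deleteChecked($pdo, null));
printf("rows left in table: %d\n", $pdo->query('SELECT COUNT(*) FROM deviation')->fetchColumn());
```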
