I have a problem. I want a Table on my page, which shows things from a MySQL DB. This works just fine:
<?php
$pdo = new PDO('mysql:host=localhost;dbname=********', '********', '********');
$sql = "SELECT subject, givenOn, toDate, teacher, what FROM homework";
echo "<table>";
foreach ($pdo->query($sql) as $row){
// echo "Fach:" . $row['subject'] . " - Lehrer:" . $row['teacher'] . " - Was: " . $row['what'] . $
echo "<tr>";
echo "<td>", $row['subject'], "</td>";
echo "<td>", $row['teacher'], "</td>";
echo "<td>", $row['what'], "</td>";
echo "</tr>";
}
echo "</table>";
?>
But I want another column behind the "what" - one which contains a Link to remove the Line. I dont know how its possible to say the Links what he has to delete. My idea was a PhP Page which has arguments like:
delete.php?subject=math&teacher=smith&what=p13
But this is very unsecure, isnt it?
Have u any Ideas how I can solve this problem?
dunklesToast
yes, it is.
1, you need to control who can delete an item, which is a rbac system.
2, delete should use POST rather than GET.
3,use PDOStatement::bindParam to prevent sql injection.
Related
I'm trying to create a button for each row in my database that, when pressed, will delete this particular row. I should also mention that the data from the database is displayed correctly and the table I'm using is also completely fine.The buttons appear at the side of each row, when the button is clicked, the row dissapears but the data is not deleted from the database, when the page is reloaded the rows that were previously "deleted", reappear. After pressing the button i also get this "Fatal error: Uncaught Error: Call to undefined function mysql_query() in C:\xampp\htdocs\INDUSTRIALPROJECT\records.php:56 Stack trace: #0 {main} thrown in C:\xampp\htdocs\INDUSTRIALPROJECT\records.php on line 56".
line 56 is : $del = mysql_query("DELETE FROM records WHERE id=" . $row['id']);. The same query works fine when placed directly into phpMyAdmin.
<?php
// Check connection
include_once 'config.php';
if ($link->connect_error) {
die("Connection failed: " . $link->connect_error);
}
$sql = "SELECT * FROM records";
$result = $link->query($sql);
function post($key){ return(isset($_POST[$key]) ? htmlspecialchars($_POST[$key]) : ""); }
if ($result->num_rows > 0) {
// output data of each row
while($row = $result->fetch_assoc()) {
if(post('rowButton'.$row['id']) =="Delete"){
$del = mysql_query("DELETE FROM records WHERE id=" . $row['id']);
$deleted = '<p>Entry ' . $row['id'] . ' was succesfully deleted</p>';
}
else {
echo '<form action ="' . $_SERVER['PHP_SELF'] . '" method="post">';
echo "<tr>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row["visitingdate"]. "</td>";
echo "<td>" . $row["department"] . "</td>";
echo "<td>" . $row["visitingreason"]. "</td>";
echo "<td>" . $row["importance"]. "</td>";
echo "<td>" . $row["visitorname"]. "</td>";
echo "<td>" . $row["company"]. "</td>";
echo "<td>". $row["internalrecipientname"]. "</td>";
echo "<td>". $row["visitinglocation"]. "</td>";
echo "<td>". $row["ETA"]. "</td>";
echo "<td>". $row["ETD"]. "</td>";
echo "<td>". $row["HRverification"]. "</td>";
echo "<td>". $row["visitcompleted"]. "</td>";
echo '<td><input type="submit" name="rowButton'. $row['id'] .'" value="Delete"/> </td>';
echo "</tr>";
echo "</form>";
}
}
echo "</table>";
echo $deleted;
}
else { echo "0 results"; }
$link->close();
?>
First, this appears to be rather vulnerable to SQL injection attacks. StackOverflow is quite font of pointing this out up front, because it's really a solved problem that you should account for in the early stages of development. You're taking untrusted data (that was submitted by the user, without sanitizing it) and putting it directly in an SQL query. Bad things can happen when that occurs. Now with that aside, on to your actual question.
"Nothing happens" means the page doesn't change at all, right? So the browser doesn't know what to do when the button is clicked.
I think you haven't put any <form...> declaration here, which would be required for <input type="submit"> to do anything useful. You could use JavaScript with the stand alone submit button, but I don't see that in your code, either. You'll need something to tell the browser what to do when the submit button is pressed.
I haven't really tested the rest of your code, but based on what you've got already you might add the following:
else {
+ echo '<form action ="' . $_SERVER['PHP_SELF'] . '" method="post">';
echo "<tr>";
and
echo "</tr>";
+ echo "</form>";
}
(don't add the plus sign, that's just to show which line is added). I should add that I don't usually use submit buttons like this, so there's a chance I missed some additional details about how you're calling this, but putting the form in a <form> tag is at least a good start.
Edit
The mysql_query() function was removed in PHP 7; if you're using an older PHP you need to add support for the MySQL functions or if you're on PHP 7, you should use the MySQLi or PDO_MySQL functions instead. The warning box on the PHP manual page for mysql_query has some links for alternatives, how to select an alternative, and other supporting documentation that may help you. This StackOverflow answer may help, as well.
I have working code but I seem to have introduced a bad bottleneck to my code. Before I go into detail, let me give you some background on what this code does. I have a table generated in PHP/HTML that shows a list of parts that are in a database (149 parts). The user can select a quantity for that item and click "Add To Cart" which all works fine.
However, I tried to spruce things up a bit by adding in a feature that only allows the user to select the quantity we actually have on hand for this product (before add this feature I previously had the max value hard coded at 100).
Now this does work, but it is TERRIBLY slow (50 seconds to load the page). However, before implementing this the page loaded immediately without a problem, therefore this is definitely a problem with the getPartQuantityOnHand() function.
I think the problem is that for every part (149) I am calling this function that then has to reconnect to the database to find the correct quantity. Does anyone see a way I can improve this? FYI, the parts are hosted on a completely separate database from where the quantity on hand for these parts are hosted.
I have left some parts out of the php code since it was unnecessary bulk for this post, I know that I am missing parts here.
getParts.php
<?php
$partList = $_SESSION['controller']->getParts();
foreach ($partList as $part) {
//Call to get the current quantity on hand for this specific part
//THIS IS WHEN THE PROBLEM WAS INTRODUCED
$quantityOnHand = $_SESSION['controller']->getPartQuantityOnHand($part->number);
//Only display this part if we have at least one on hand
if ($quantityOnHand > 0)
{
echo "<tr>";
echo "<td>" . $part->number . "</td>";
echo "<td>" . $part->description . "</td>";
echo "<td>$" . $part->price . "</td>";
echo "<td>";
echo '<input name="qty'. $part->number .'" type="number" value="1" min="1" max="' . $quantityOnHand .'"/>';
echo "</td>";
echo "</form>";
echo "</td>";
echo "</tr>";
}
}
echo "</table>";
echo "</div>";
?>
getPartQuantityOnHand()
public function getPartQuantityOnHand($partNum) {
$conn = $this->connect();
$sql = "select Quantity from ReceivingInfo where PartNumber = '$partNum'";
$stmt = $conn->prepare($sql);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);
$quantityOnHand = $row['Quantity'];
return $quantityOnHand;
}
Thanks for any help you can provide!
As the two databases are separate you have two options:
Determine the part numbers before you loop and generate your HTML, then query all at the same time with an IN clause:
SELECT ... WHERE PartNumber IN (1, 2, 3, 4);
Select all stock levels for your parts when you first call getPartQuantityOnHand and store that:
public function getPartQuantityOnHand($partNum) {
if(!$this->partQuantitiesOnHand) {
$conn = $this->connect();
$sql = "select Quantity, PartNumber from ReceivingInfo";
$stmt = $conn->prepare($sql);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
$this->partQuantitiesOnHand = array_column($rows, 'Quantity', 'PartNumber');
}
return $this->partQuantitiesOnHand[$partNum] ?? null;
}
The disadvantage of option 2 is that if you have many more parts than are listed on a single page, it will never perform as well as option 1.
So, instead of doing a 149 different SQL queries, just do one query that brings back all the Quantity values you need.
ex.
SELECT Quantity FROM ReceivingInfo WHERE PartNumber IN ($listOfPartNums)
of course you will have to build the string $listOfPartNums
Or, if you really are always bringing back the full list of them, you can exclude the IN clause and don't need to worry about generating the string.
You'll have to change your function a bit to store the partnum/quantity pairs in an associative array.
Then in your getParts.php get the Quantity like this:
<?php
$partList = $_SESSION['controller']->getParts();
$quantityList = getQtyList(); // return assoc array of partnum/qty pairs
foreach ($partList as $part) {
//Call to get the current quantity on hand for this specific part
//THIS IS WHEN THE PROBLEM WAS INTRODUCED
$quantityOnHand = $quantityList[$part->number];
//Only display this part if we have at least one on hand
if ($quantityOnHand > 0)
{
echo "<tr>";
echo "<td>" . $part->number . "</td>";
echo "<td>" . $part->description . "</td>";
echo "<td>$" . $part->price . "</td>";
echo "<td>";
echo '<input name="qty'. $part->number .'" type="number" value="1" min="1" max="' . $quantityOnHand .'"/>';
echo "</td>";
echo "</form>";
echo "</td>";
echo "</tr>";
}
}
echo "</table>";
echo "</div>";
?>
very new to php and mysql so all help is greatly appreciated. I have tried to search the forums but not entirely sure specifically what I need to be searching for. I have a form which ask users to select a product and make a comment.
I need the information for a particular product to show on my product page instead of all of the information. (for example, I want the reviews for iPads to show on the ipad page)
This is the code that send the data to the database:
<?php
session_start();
include('connection.php');
$name=$_POST['name'];
$product=$_POST['product'];
$star=$_POST['star'];
$comment=$_POST['comment'];
mysql_query("INSERT INTO tt_review(name, product, star, comment)VALUES('$name', '$product', '$star','$comment')");
header("location: https://scm-intranet.tees.ac.uk/users/l1071039/tablet-takeover/index.html");
mysql_close($con);
?>
This is the current code to fetch the data onto my page:
<?php
include('connection.php');
$result = mysql_query("SELECT * FROM tt_review");
echo "<table border='1'>
<tr>
</tr>";
while($row = mysql_fetch_array($result)) //This function is calling the results variable and displaying them within the rows below
{
echo "<tr>"; //this code tells the page to output the table rows that are defined above
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['date'] . "</td>"; //each row is then executed using the table data function
echo "<td>" . $row['product'] . "</td>";
echo "<td>" . $row['star'] . "</td>";
echo "<td>" . $row['comment'] . "</td>";
echo "</tr>";
}
echo "</table>";
?>
This is a screenshot of the table on my webpage (as I say, I need it to only show the ipad reviews.
To select only one kind of product, you should add a where clause on your sql query:
SELECT * FROM tt_review WHERE product = 'Apple iPad'
You can give like this
"SELECT * FROM tt_review WHERE Product_name ='ipad'"
It will display only the information related to Ipad
Still If you dont understand please give me the name of the columns you used in the table
Firstly, mysql_* functions have been depreciated. Rather, use either PDO or MySQLi.
Secondly, your code is very vulnerable to SQL injection.
Thirdly, fix your select statement to the following:
SELECT * FROM tt_review WHERE product = 'ipad'
Apologies, I can't think of how to phrase this better (which has the additional problem of making it more difficult to research an answer, too). Suggestions for editing terms for clarity are more than welcome.
I am running two queries on a table in my database. The first simply returns all results within certain constraints imposed by the user - I'm echoing this out to a table with no problems at all. The second returns a COUNT and a SUM AS things, which I am having trouble accessing and echoing to the screen.
First Query -
$results = $connection->query(" SELECT `Date`, `Test`, `Errors` ... ");
while($result = $results->fetch_assoc())
{
echo "<tr>";
echo "<td>" . $result['Date'] . "</td>";
echo "<td>" . $result['Test'] . "</td>";
echo "<td>" . $result['Errors'] . "</td>";
echo "</tr>";
}
This works perfectly well. As expected, it echos out a table with the results in each row.
Second Query -
$totals = $connection-query("SELECT COUNT(*) AS Tests, SUM(`Errors`) AS TotalErrors ... ");
echo "<th>Total Tests</th>";
echo "<td>" . $totals['Tests'] . "</td>";
echo "<th>Total Errors</th>";
echo "<td>" . $totals['TotalErrors'] . "</td>";
I cannot seem to access the values in the second query to echo them to the screen.
I have tried using var_dump to ensure the query is returning results correctly, and it is. If I use var_dump($totals->fetch_assoc()); it will display array(2) { ["Tests"]=> string(2) "33" ["TotalErrors"]=> string(1) "9" }, as expected.
I'm not sure where I'm going wrong, looking at my syntax, it seems the same as when I access the values from the first query, but I'm not sure if it should be different because I am returning values AS rather than looking at field names.
Try
$results = $connection->query("SELECT COUNT(*) AS Tests, SUM(`Errors`) AS TotalErrors ... ");
$totals = $results->fetch_assoc();
echo "<th>Total Tests</th>;
echo "<td>" . $totals['Tests'] . "</td>";
echo "<th>Total Errors</th>";
echo "<td>" . $totals['TotalErrors'] . "</td>";
I'm trying to create a table with links that return a 'mf_id' value and its corresponding 'Manufacturer' value. I can do one at a time, but when I try to combine the two, problems begin to crop up. Here's what I have so far:
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Manufacturer'] . "</td>";
echo "</tr>";
}
and the other page:
$numb = $_GET['mf_id'];
$name = $_GET['Manufacturer'];
echo "<h1>$name</h1>";
$result=mysql_query("select * from Products where mf_id=$numb");
Thanks in advance!
Because you never pass Manufacturer through your querystring, the second page doesn't have access to it via GET. Also, for validity purposes, your querystring values should be passed through urlencode().
This line:
echo "<td>" . $row['Manufacturer'] . "</td>";
Should be:
echo "<td>" . $row['Manufacturer'] . "</td>";
Please Note: It may not help answer your question, but you should stop using mysql_* functions. They're being deprecated. Instead use PDO (supported as of PHP 5.1) or mysqli (supported as of PHP 4.1). If you're not sure which one to use, read this article.
UPDATE:
Per meagar's advice I learned about http_build_query(). This is definitely the way to go when writing querystrings to URLs:
$data = array('mf_id' => $row['mf_id'], 'Manufacturer' => $row['Manufacturer']);
echo "<td><a href='list.php?" . http_build_query($data) . "'>" . $row['Manufacturer'] . "</a></td>";
This doesn't make any sense at all: $row['mf_id'&&'Manufacturer']. That is not how you access two elements of an array. You're combining two strings with &&, yielding boolean true, and attempting to access $row[true]. You can't access an array that way.
If you want to use both items, you need to access them individually:
$row['mf_id'] . $row['Manufacturer']
If you want to build a query string containing these two values, you should use http_build_query which will take care of URL-encoding your data:
$query = http_build_query(array('mf_id' => $row['mf_id'], 'manufacturer' => $row['Manufacturer']));
echo '<td>' . $row['Manufacturer'] . '</td>';
Note that, if you actually just select the fields you need, you don't have to explicitly specify them in the arguments to http_build_query. If your $row already contains only mf_id and manufacturer, it would be enough to use
$query = http_build_query($row);
You're only passing mf_id into the page, you are not passing Manufacturer.
Edit (as you've changed your code)
Change:
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Manufacturer'] . "</td>";
echo "</tr>";
}
To:
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Manufacturer'] . "</td>";
echo "</tr>";
}