I just started learning php, i have a long way to go but i really need help with this.
So I have a page where a logged in user can create tasks and that user can select the user for who the task is. I need to do an insert query where i'll need the ID of the person selected by the user who is logged in.
This is the code that's above my HTML:
$userId = $_SESSION['id'];
$Users = "SELECT * FROM users";
$Result2 = $db->query($Users);
if(isset($_POST['submit'])){
$project = $_POST['Project'];
$task = $_POST['task'];
$user = $_POST['User'];
$date = $_POST['date'];
$query = "INSERT INTO events (projectId, userId, name, date)
VALUES ('','', '$task', '$date')";
$result = $database->query($query);
echo "it worked";
}
This is the code in my HTML select tag, where the logged in user can select the person.
<?php
while ($row2 = mysqli_fetch_assoc($Result2)) {
$uid = $row2['id'];
$name = $row2['name'];
$lastName = $row2['lastname'];
echo "<option>" . $name . " " . $lastName . " " . $uid . "</option>";
}
?>
The problem is that I need to put the $uid variable, that's currently in the whileloop in my HTML select element, IN the first if statement above my HTML. I have tried everything but i cant seem to figure out how. It perfectly shows all of the users and their ID numbers, I just need to grab them and put them in my if statement.
Your <option>tags are surely in a <select> tag. You have to give a name to your select, and that name will be the POST parameter name you can use in your PHP server-side code.
Also, you have to assign a value attribute to each option.
Your HTML print procedure become
<?php
echo '<select name="uid">';
while ($row2 = mysqli_fetch_assoc($Result2)) {
$uid = $row2['id'];
$name = $row2['name'];
$lastName = $row2['lastname'];
echo "<option value='".$uid."'>" . $name . " " . $lastName . " " . $uid . "</option>";
}
echo '</select>';
?>
and you PHP server-side code become
$userId = $_SESSION['id'];
$Users = "SELECT * FROM users";
$Result2 = $db->query($Users);
if(isset($_POST['submit'])){
$project = $_POST['Project'];
$task = $_POST['task'];
$user = $_POST['User'];
$date = $_POST['date'];
$uid = $_POST["uid"];
$query = "INSERT INTO events (projectId, userId, name, date) VALUES ('','', '$task', '$date')";
$result = $database->query($query);
echo "it worked";
}
If you're learning PHP, I advise to start correctly. Never access your superglobal parameters $_GET and $_POST directly without sanitize your inputs. Use some functions like filter_input()
Related
Hi I am building a blog using html and php and have run into a problem with my sql. In my blog I would like to show all the comments that have been put in by users in the comments section that have the same article ID. In my database I am saving these parameters via $_POST and a query ID, ArticleID, Comments. However only the last comment that has been inserted in the database with that articleID is showing up.
this is the code that I am using. Can anyone help me please?
if(isset($_POST['submit']))
{
$comment = htmlentities($_POST["comment"]);
$articleID = $_GET['artId'];
$query = "INSERT INTO tbl_comments (comment, ArticleID) VALUES ('$comment', $articleID)";
$result = mysqli_query($connection, $query) or die("Error in query: ". mysqli_error($connection));
}
$query1 = "SELECT * FROM tbl_comments WHERE ArticleID = $artId";
$result1 = mysqli_query($connection, $query1) or die("Error in query: ". mysqli_error($connection));
while($row = mysqli_fetch_assoc($result1))
{
$articleId = $row['ArticleID'];
$comment = $row['comment'];
}
if(isset($comment))
{
echo "<div class='comments'>";
if (isset($comment))
{
echo "<div class='commentName'>";
echo $comment;
echo "</div>";
}
change
while($row = mysqli_fetch_assoc($result1))
{
$articleId = $row['ArticleID'];
$comment = $row['comment'];
}
to:
$comment = '';
while($row = mysqli_fetch_assoc($result1))
$comment .= $row['comment'] . '<br/>';
i have this code im working on im trying to output this :
{
title:"<?php echo $sender_fullname; ?>",
mp3:"link",
},
using this in php to display it in javascript
//database include
require_once "db.php";
//get email from session
$email = $_SESSION['username'];
//fetch user fullname and id based on session
$name_query = mysql_query("SELECT fullname,id FROM users WHERE email = '$email'");
$name = mysql_fetch_object($name_query);
//fecth sender id, receiver id, audioclip, fullname and email
$query = "SELECT m.sender,m.receiver, m.audioclip, u.fullname, u.email
FROM `users` AS u
JOIN `messages` AS m ON m.receiver = u.id
WHERE u.email = '".$email."'";
$result = mysql_query($query);
here's the loop what should i do to output the same
while(
$row = mysql_fetch_assoc($result)) {
$sender = $row['sender'];
$sender_name_query = mysql_query("SELECT fullname FROM users WHERE id = '$sender'");
$sender_name = mysql_fetch_object($sender_name_query);
$sender_fullname = $sender_name->fullname;
echo '{<br/>title:".'$sender_fullname'.",<br/>mp3:"link",<br/>},';
}
you can do some like :
while(
$row = mysql_fetch_assoc($result)) {
$sender = $row['sender'];
$sender_name_query = mysql_query("SELECT fullname FROM users WHERE id = '$sender'");
$sender_name = mysql_fetch_object($sender_name_query);
$sender_fullname = $sender_name->fullname;
echo '{<br/>title:".'$sender_fullname'.",<br/>mp3:"link",<br/>},';
print "<script>alert(\"$sender_fillname\")</script>";
}
and then the code into the script tag run like javascript code if you wants puts the value of a php variable into a javascript variable you can do :
<?
$mivar = "hola mundo";
print "<script>";
print "var mivar = \"$mivar\"";
print "</script>";
?>
The best way to get php into javascript is to use JSON via php's json_encode.
$rows = array();
while($row = mysql_fetch_assoc($result)) {
$sender = $row['sender'];
$sender_name_query = mysql_query("SELECT fullname FROM users WHERE id = '$sender'");
$sender_name = mysql_fetch_object($sender_name_query);
$sender_fullname = $sender_name->fullname;
$row['sender'] = $sender_fullname;
$rows[] = $row;
}
echo "<script type='text/javascript'>";
echo "var rows = " . json_encode($rows) . ";";
echo "</script>";
The error is caused by the last line:
echo '{<br/>title:".'$sender_fullname'.",<br/>mp3:"link",<br/>},';
It should be this:
echo '{<br/>title:"' . $sender_fullname . '",<br/>mp3:"link",<br/>},';
Note 1
You can write this:
$sender_fullname = $sender_name->fullname;
echo '{<br/>title:"' . $sender_fullname . '",<br/>mp3:"link",<br/>},';
easily as:
echo '{<br/>title:"' . $sender_name->fullname. '",<br/>mp3:"link",<br/>},';
Note 2
Please, don't use mysql_* functions in new code. They are no longer maintained and are officially deprecated. See the red box? Learn about prepared statements instead, and use PDO, or MySQLi - this article will help you decide which. If you choose PDO, here is a good tutorial.
from http://brightmeup.info/comment.html
Please help me with this issue in my script. At the point of the INSERT query $article_id returns 0, while actually it is a value that is not 0 (1, 2, 3).
I have tried to echo out $article_id at various points of the code and it actually echoed out what i wanted. But once i tried to echo it after the
isset($_POST['submit']) it does not echo out anything.
I have also checked the type i declared in the MySQL table....int. But still insert 0 into the database.
Please where could the problem be?
Thank you for your time and patience.
$page_name = 'about';
$id = "";
if (isset($_GET['id']))
{
$id = $_GET['id'];
$past1 = mysql_query("SELECT *
FROM about
WHERE about_id = '".$id."' ");
$row = mysql_fetch_array($past1);
echo "<p>" .$row['about_head']."</p>";
echo $row['about_content'];
$article_id = $row['about_id'] ;
$query6 = mysql_query("SELECT c.comment_body, c.comment_date
FROM comment AS c
INNER JOIN about AS ac ON c.article_id = ac.about_id
WHERE c.article_id = '".$article_id."'
AND page_name = '".page_name."'");
while ($comment = mysql_fetch_assoc($query6))
{
echo "<b>Comment:</b> " . $comment['comment_body'] . "<br/>" ;
echo "<b>Date of Comment:</b> " . $comment['comment_date'];
echo "<br/>" ;
echo "</div>";
}
}
if (isset($_POST['submit']))
{
$comment_body = mysql_real_escape_string($_POST['comment_body']);
if (($comment_body == "")
{
echo "<div class=\"error\" >" ;
echo "One/More Empty Field";
echo "</div>";
}
else
{
$query = "INSERT INTO comment (comment_id, article_id, username, page_name,
comment_body, comment_date)
VALUES (NULL, '".$article_id."', '".$_SESSION['logged_username']."',
'".$page_name."', '".$comment_body."', NOW())";
mysql_query($query);
}
}
The 0 you see is actually a PHP NULL for an uninitialized variable being represented as a 0 when cast as a string in your SQL.
Assuming you retrieve the $_GET['id'] on the first load, and do the POST on another page load, $article_id is only initialized the first time. It won't be populated unless $_GET['id'] is set. So, store it in $_SESSION on the first load and access it from there when processing the POST.
// Inside if (isset($_GET['id']))...
// article_id is retrieved and populated from the first SELECT statement...
$article_id = $row['about_id'] ;
// Store it in $_SESSION (assume session_start() was called somewhere we don't see)
$_SESSION['article_id'] = $article_id;
Later in your query, get it from $_SESSION:
$query = "INSERT INTO comment (comment_id, article_id, username, page_name,
comment_body, comment_date)
VALUES (NULL, '".$_SESSION['article_id']."', '".$_SESSION['logged_username']."',
'".$page_name."', '".$comment_body."', NOW())";
According to the comments, you already seem to be aware of the SQL injection vulnerabilities. Be sure not to overlook those. It's important to code against them as you go, rather than trying to return later and fill in the appropriate escaping and bounds-checking.
See if the code works now and leave comment if not to help you further:
<?php
$page_name = 'about';
$id = "";
if (isset($_GET['id']))
{
$id = $_GET['id'];
$past1 = mysql_query("SELECT *
FROM about
WHERE about_id = '".$id."' ");
$row = mysql_fetch_array($past1);
echo "<p>" .$row['about_head']."</p>";
echo $row['about_content'];
$article_id = $row['about_id'] ;
/* next line is for debugging, check if you got
your $article_id variable populates with a value */
echo "<p>My article_id var value is:" .$article_id."</p>";
$query6 = mysql_query("SELECT c.comment_body, c.comment_date
FROM comment AS c
INNER JOIN about AS ac ON c.article_id = ac.about_id
WHERE c.article_id = '".$article_id."'
AND page_name = '".page_name."'");
while ($comment = mysql_fetch_assoc($query6)) {
echo "<b>Comment:</b> " . $comment['comment_body'] . "<br/>" ;
echo "<b>Date of Comment:</b> " . $comment['comment_date'];
echo "<br/>" ;
echo "</div>";
}
/* I've moved the if POST here since the insertion is based
on the existance of $article_id */
if (isset($_POST['submit'])) {
$comment_body = mysql_real_escape_string($_POST['comment_body']);
if ($comment_body == "") { // here you had a sintax error, one more (: if (($comment_body == "") {
echo "<div class=\"error\" >" ;
echo "One/More Empty Field";
echo "</div>";
} else {
$query = "INSERT INTO comment (comment_id, article_id, username, page_name,
comment_body, comment_date)
VALUES (NULL, '".$article_id."', '".$_SESSION['logged_username']."',
'".$page_name."', '".$comment_body."', NOW())";
mysql_query($query);
}
}
}
I am making an email script in php. What happens is a mysql query is made, and the output of this is stored in the following strings :
$personal1 = $userinfo->salutation;
$personal2 = $userinfo->surname;
$business = $userinfo->businessname;
Next I have an if statement, this checks to see if the surname is blank, if it is, it then substitutes the salutation + surname with the business name. The problem I am having is that the emails keep being sent out with Dear, Business Name , even if the surname field is not blank, I am not sure what I am doing wrong with the following code for it to do this though ?.
if ($personal2=="") {
$name = $business; }
else {
$name = $personal1 . ' ' . $personal2;};
EDIT >>>>>>>>>>
If I echo out the contents of the strings I get :
personal1 = Mr
personal2 = Johnson
business = Hat Trick Media
Edit 2 >>>>>>>
This is some of the code, it is then passed onto the mailer.
<?php
$cf_uid = $_GET['token'];
$query = mysql_query("SELECT * FROM hqfjt_chronoforms_data_addupdatelead WHERE cf_uid = '$cf_uid'") or die(mysql_error());
$userinfo = mysql_fetch_object($query);
$personal2 = $userinfo->surname;
$personal1 = $userinfo->salutation;
$business = $userinfo->businessname;
?>
<?php
$result = mysql_query("SELECT * FROM hqfjt_chronoforms_data_addemailtemplate");
while ($row = mysql_fetch_object($result)) {
echo '<tr class="table-row">';
echo '<th class="template-name">';
echo '<div class="namerow">';
$id = $row->cf_uid;
$form_id = $row->form_id;
$query = mysql_query("SELECT `$form_id` FROM email_history WHERE cf_id = '$user_id'") or die(mysql_error());
$datesent = mysql_fetch_object($query);
$date = $datesent->$form_id;
if ($personal2=="") {
$name = $business; }
else {
$name = $personal1 . ' ' . $personal2;};
Is your code a valid statement? Your code structure is awful. Instead of...
if ($personal2=="") {
$name = $business; }
else {
$name = $personal1 . ' ' . $personal2;};
Use
if ($personal2=="") {
$name = $business;
}
else {
$name = $personal1 . ' ' . $personal2;
}
You seem to have an extra ; that you dont need.
You also dont seem to close the while loop in the code you posted...
Ok, I have found out what the problem was, $name was coming in the session from the previous page and overwriting $name on this page, I have now set it to destroy the session before it loads this page and it seems to have sorted it now, thanks for everyone's help :-)
I am setting up a webpage for a student organization with bios for the officers along with pictures and whatnot.
the first page simply is html and css. it has a picture, name under it and a link to the full bio where it links to "bio.php?id=" and then the id in my SQL database for that person.
now i am trying to make the php page to allow a simple template php page using the user's id. unfortunately when i do everything that I think is right, I get an odd error.
here is my code
<html>
<body>
<?php
//connection to database
//specify database
$id= $GET['id'];
$sql = " SELECT * FROM Members_table WHERE Id='$id' ";
$result = mysql_query($sql) or print ("Can't select entry from table bloghomepage.<br />" . $sql . "<br />" . mysql_error());
WHILE($row = mysql_fetch_array($result)) {
$name = $row['Name'];
$position = $row['Position'];
$major = $row['Major'];
$hometown = $row['Hometown'];
$awards = $row['Awards'];
$bio = $row['Description'];
$act = $row['Activities'];
$pic = $row['Picture'];
$misc = $row['other'];
?>
<h1><?php print $name; ?></h1>
<p><?php print '<img src="' . $pic . '"'; ?>
<?php } ?>
</body>
</html>
This is what i see on my webpage:
" . $sql . "
" . mysql_error()); WHILE($row = mysql_fetch_array($result)) { $name = $row['Name']; $page_id= $id; $position = $row['Position']; $major = $row['Major']; $hometown = $row['Hometown']; $awards = $row['Awards']; $bio = $row['Description']; $act = $row['Activities']; $pic = $row['Picture']; $misc = $row['other']; ?>
and thats all. any ideas what i am doing wrong?
you just don't have PHP enabled on your host.
Hint: always see page source, not picture rendered by browser. It's HTML code being result of your PHP script, so, you have to check HTML code, not a picture rendered from it.
The PHP isn't being parsed, presumably because the necessary module/content handler isn't set up within your web server.
It's not directly related to the topic but you might want to cast the value of the GET parameter as an integer before reusing it in a query to prevent basic SQL injection
$id = intval( $_GET['id'] );