I have created a script that inserts some details into a form and and below it displays the values inserted in a table. There is a single mysql connection which should work. The insert and select from the advert table is not working! I dont seem to understand why. my table are created properly, there are no errors because i have checked it it anther code. Only this code is not working.
Can someone tell me why are the sql statements not working?
<?php
include('header.php');
session_start();
$user = $_SESSION['username'];
mysql_select_db("ladyjoy_fs", mysql_connect("localhost", "root", ""))or die(mysql_error());
$login=mysql_query("select * from user where user_name='$user'")or die(mysql_error());
$row=mysql_fetch_row($login);
$_SESSION['userid'] = $row[0];
?>
<body>
<?php
$users = mysql_query("select * FROM gcm_users")or die(mysql_error());
if ($users != false)
$no_of_users = mysql_num_rows($users);
else
$no_of_users = 0;
;
?>
<center>
</br>
</br>
<div id="container">
<div id="header">
<div class="alert alert-success"><label>Welcome Advertiser</label></div>
</div>
<table>
<thead>
<td>
<tr>Home | </tr>
<tr>My Advertisements | </tr>
<tr>My Account | </tr>
<tr>Logout | </tr>
</td>
</thead>
</table>
<br/>
<table class="table table-bordered">
<div class="alert alert-success">Creating New Notifications</div>
</table>
<div style="float:center;">
<h4>New Advertisement</h4>
<h5>No of Devices Registered: <?php echo $no_of_users; ?></h5>
<form id="form1" method="POST" onsubmit="return sendPushNotification()">
<label class="control-label" for="inputEmail">Title</label>
<input type="text" name="ad_title" id="ad_title" class="txt_title" placeholder="Notification Title">
<label class="control-label" for="inputEmail">Description</label>
<input type="text" name="ad_desc" id="ad_desc" class="txt_desc">
<label class="control-label" for="inputEmail">Picture</label>
<input type="text" name="ad_pic" id="ad_pic" placeholder="URL">
<label class="control-label" for="inputEmail">Location</label>
<input type="text" name="ad_location" id="ad_location" placeholder="Venue"><br/>
<input type="hidden" name="regId" value="<?php echo $_SESSION['userid'] ?>"/>
<button type="submit" id="add_supply" name="add_supply" class="btn btn-info">Send Notification</button>
</div>
</form>
<?php
if (isset($_POST['add_supply'])){
$title=$_POST['ad_title'];
$desc=$_POST['ad_desc'];
$url=$_POST['ad_pic'];
$location=$_POST['ad_location'];
$userid=$_POST['regId'];
$sql2 = "insert into advert (title,description,url,location,user_id) values('$title','$desc','$url','$location','$userid')";
mysql_query($sql2)or die(mysql_error());
}
?>
<br/>
<table cellpadding="0" cellspacing="0" border="0" class="table table-striped table-bordered" >
<thead>
<tr>
<th>Advertisement ID</th>
<th>Title</th>
<th>Description</th>
<th>Picture</th>
<th>Location</th>
</tr>
</thead>
<tbody>
<?php
$query=mysql_query("select * from advert where user_id = ".$_SESSION['userid']."")or die("Error at query : "+mysql_error());
while(($row=mysql_fetch_array($query))){
?>
<tr>
<td><?php echo $row['id']; ?></td>
<td><?php echo $row['title']; ?></td>
<td><?php echo $row['description']; ?></td>
<td><?php echo $row['url']; ?></td>
<td><?php echo $row['location']; ?></td>
</tr>
<?php } ?>
</tbody>
</table>
</center>
</body>
</html>
$query=mysql_query("select * from advert where user_id = '".$_SESSION['userid']."' ")or die("Error at query : "+mysql_error());
I think it is error in syntax. Please check it.
or you can try out this code ->
$user = $_SESSION["username"];
$res = "select * from user where user_name='$user'";
$result = mysql_query($res) or die("query fail to execute".mysql_error());
while($row= mysql_fetch_array($result))
{
$ac= $row['id'];
$a= ("select * FROM gcm_users WHERE user_id='$ac'");
$re = mysql_query($a) or die("wrong query".mysql_error());
while($row= mysql_fetch_array($re))
{
}
}
note->and yes as mention above your code is vulnerable to sql injection.
Related
This code is correct, but I want it to show me the user list after logging in, and bring me users with the same profile under each column I wanted to search for a specific user.
I have 20 items in the code, but I have written only 2 items here.
.usersearch.php
require_once 'users.php';
<table class="table table-bordered table-striped table-hover stara">
<thead>
<tr>
<th>آیدی</th>
<th>نام</th>
<tr>
<tr>
<th>
<form action="usersearch.php" method="post" novalidate>
<input name="searchid" >
</form>
</th>
<th>
<form action="/usersearch.php" method="post" novalidate>
<input name="searchname">
</form>
</th>
<tr>
<?php while($user = $result-> fetch(PDO::FETCH_ASSOC )) { ?>
<tr class="bgyellow">
<th>
<?php echo $user['id'] ; ?>
</th>
<th>
<?php echo $user['name'] ; ?>
</th>
<th>
</tr>
<?php } ?>
</thead>
<tbody >
<?php while($row=$select_stmt->fetch(PDO::FETCH_ASSOC)){ ?>
<tr>
<td> <?php echo $row['id'] ; ?> </td>
<td> <?php echo $row['name'] ; ?> </td>
</tr>
<?php } ?>
</tbody>
</table>
.users.php
if(isset($_SESSION['user']) ) {
$db = new PDO("mysql:host=localhost;dbname=pasak", "root", "");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$select_stmt = $db->prepare("SELECT * FROM users");
$select_stmt->execute();
if ($_SERVER['REQUEST_METHOD'] == 'POST') {
if($_POST['searchid']){
$id=$_POST['searchid'];
$result = $db->prepare( "SELECT * FROM users WHERE id =:id");
$result->execute((compact('id')));
if($result ->rowCount() <1){
echo 'چنین کاربری وجود ندارد';
}
echo "</br>"; echo "</br>";
}
if($_POST['searchname']){
$name=$_POST['searchname'];
$result = $db->prepare( "SELECT * FROM users WHERE name =:name");
$result->execute((compact('name')));
if($result ->rowCount() <1){
echo 'چنین کاربری وجود ندارد';
}
echo "</br>"; echo "</br>";
}
}
I have a page where users can view the tickets they sent, they can cancel it as well, here's what it looks like:
What I want to happen is that when I click on the "Closed: Cancelled" button. It would show "Closed: Cancelled" in the assignee column as well. Currently this is what I only get when I click the button:
Here's my form:
<div class="container">
<div class="page-header">
<h3>My Tickets</h3>
<div class="table-responsive">
<table class="table">
<tr>
<th>Employee Name</th>
<th>Time</th>
<th>Priority</th>
<th>Assignee</th>
<th>Subject</th>
<th>Problem</th>
<th>Status</th>
<th></th>
</tr>
<?php
include ('database.php');
$result = $database->prepare ("SELECT tickets.* FROM tickets INNER JOIN employee ON employee.id = tickets.employee_id WHERE employee.username = '".$_SESSION["VALID_USER_ID"]."'");
$result ->execute();
for ($count=0; $row_message = $result ->fetch(); $count++){
?>
<tr>
<td><?php echo $row_message['firstname']." ".$row_message['lastname']; ?></td>
<td><?php echo $row_message['time']; ?></td>
<td><?php echo $row_message['priority']; ?></td>
<td><?php echo $row_message['assignee']; ?></td>
<td><?php echo $row_message['subject']; ?></td>
<td><?php echo $row_message['problem']; ?></td>
<?php if ($row_message['status']) : ?>
<td><?php echo $row_message['status']."".$row_message['assignee'];?></td>
<?php else : ?>
<td>
<form method="post" action="update-ticket-status-emp.php">
<input type="hidden" name="ticketno" value="<?php echo $row_message['ticketno']; ?>" />
<input type="submit" name="closedcan" value="Closed: Cancelled"></input>
</form>
</td>
<?php endif ; ?>
</tr>
<?php } ?>
</table>
<button type="button" class="btn btn-primary"><i class="glyphicon glyphicon-arrow-left"></i> Back</button>
</div>
</div>
</div>
</div>
</div>
And here's the exec code:
<?php
if(isset($_POST['closedcan']))
{
$msg = "ClosedCan";
$status = $_POST['closedcan'];
$assignee = $_POST['closedcan'];
}
$ticketno=$_POST['ticketno'];
$con = mysqli_connect('localhost', 'root', '');
mysqli_select_db($con, 'companydb');
$sql = "UPDATE tickets SET status = '$status' WHERE ticketno = '$ticketno'";
if(mysqli_query($con, $sql))
header("refresh:1; url=view-tickets-emp.php?msg=$msg");
else
var_dump(mysqli_error($con));
?>
PS: I know mysql is deprecated, I will change it eventually when I figure this out.
Modified the query in the exec code:
$sql = "UPDATE tickets SET status = '$status', assignee = '$assignee' WHERE ticketno = '$ticketno'";
I have search feature that I setup. When I type the keyword in I get no records back and no error message. Just the table header. I see the department other in the database. When I type it in the keyword box I get nothing back.
<html>
<head>
<title></title>
</head>
<body>
<form name="frmSearch" method="get" action="">
<table width="599" border="1">
<tr>
<th>Keyword
<input name="txtKeyword" type="text" id="txtKeyword" value="<?php echo $_GET["txtKeyword"];?>">
<input type="submit" value="Search"></th>
</tr>
</table>
</form>
<?php
if($_GET["txtKeyword"] != "")
{
$serverName = "localhost";
$objConnect = new PDO( "sqlsrv:server=$serverName ; Database=maintenance", "TestUser", "test") or die("Error Connect to Database");
// Search By lanId or department
$objQuery = $objConnect->prepare("SELECT * FROM requests WHERE (lanId LIKE '%".$_GET["txtKeyword"]."%' or department LIKE '%".$_GET["txtKeyword"]."%' ) ");
?>
<table width="600" border="1">
<tr>
<th width="91"> <div align="center">lanId </div></th>
<th width="98"> <div align="center">Name </div></th>
<th width="198"> <div align="center">department </div></th>
</tr>
<?php
while( $objResult = $objQuery->fetch(PDO::FETCH_ASSOC))
{
?>
<tr>
<td><div align="center"><?php echo $objResult["lanId"];?></div></td>
<td><?php echo $objResult["name"];?></td>
<td><?php echo $objResult["department"];?></td>
<?php
}
?>
</table>
<?php
}
?>
</body>
</html>
When you use prepare() statement you should also use execute() :
http://coursesweb.net/php-mysql/pdo-prepare-execute
<?php include("header.php"); ?>
<?php
if (#$_POST['delete']=="Delete"){
$count=count($_POST['delbx']);
for($i=0;$i<$count;$i++){
$delete = "DELETE FROM admin WHERE a_id='".$_POST['delbx'][$i]."'";
$resulty = mysqli_query($conn, $delete) or die(mysql_error());
$select_delete = "SELECT `a_image` FROM admin WHERE a_id='".$_POST['delbx'][$i]."'";
$resultrowdy = $conn->query($select_delete);
$rowdy = $resultrowdy->fetch_assoc();
$path="admin/".$rowdy['a_image'];
echo $path;
unlink($path);
echo '<script>window.location="view_user.php"</script>';
}
} ?>
<div class="table-responsive">
<table class="table">
<caption>All Users</caption>
<?php
$sql = "SELECT a_id, a_name, a_phone, a_password, a_role, a_mail, a_image FROM admin";
$result = $conn->query($sql);
if ($result->num_rows > 0) {?>
<thead>
<tr>
<th><form action="view_user.php" method="post"><input name="delete" type="submit" id="delete" value="Delete"></th><th>S. No.</th> <th>Name</th> <th>Phone No.</th> <th>Mail Id</th> <th>Role</th> <th>Password</th> <th>Image</th>
</tr>
</thead>
<?php
while($row = $result->fetch_assoc()) { ?>
<tbody>
<tr>
<th scope="row">
<?php echo $row["a_id"]; ?>
</th>
<td align="center" bgcolor="#FFFFFF">
<input name="delbx[]" type="checkbox" id="delbx[]" value="<?php echo $row["a_id"]; ?>" />
</td>
<td>
<?php echo $row["a_name"]; ?>
</td>
<td>
<?php echo $row["a_phone"]; ?>
</td>
<td>
<?php echo $row["a_mail"]; ?>
</td>
<td>
<?php echo $row["a_role"]; ?>
</td>
<td>
<?php echo $row["a_password"]; ?>
</td>
<td>
<img src="admin/<?php echo $row["a_image"]; ?>" width="60" height="40">
</td>
<th>
Edit
</th>
</tr>
</tbody>
<?php
}
} else {
echo "0 results";
}?>
</table>
</form>
</div>
<?php include("footer.php"); ?>
The code I mention is not deleting the multiple images from the source folder but deleting the multiple data from database whereas I am trying to delete images from the source folder along with data please help thanks in advance
One of the problem is you are deleting the row and trying to select image column from the deleted row.. dont use user supplied variables directly in your query
your code should be
for($i=0;$i<$count;$i++){
$select_delete = "SELECT `a_image` FROM admin WHERE a_id='".$_POST['delbx'][$i]."'";
$resultrowdy = $conn->query($select_delete);
$rowdy = $resultrowdy->fetch_assoc();
$delete = "DELETE FROM admin WHERE a_id='".$_POST['delbx'][$i]."'";
if(mysqli_query($conn, $delete)){
$path="admin/".$rowdy['a_image'];
unlink($path);
echo '<script>window.location="view_user.php"</script>';
}
}
I have a 2 tables like this when I search the member name.
link :
I wanted the search result to be shown only after search.
my code:
<div id = "subtitle">
View Members
</div>
<div id = "searchbox">
<form method="post">
<center><input type="text" maxlength="100" required placeholder="Enter Full Name" name ="search" autocomplete="off" value="">
<input type="submit" name="btn" value="SEARCH NOW!"></p></center>
</form>
</div>
<?php
if(isset($_POST["btn"]))
{
$search = $_POST["search"];
$sql = "select * from member where Member_Name like '$search%' ";
$result = mysqli_query($conn,$sql);
$rowcount = mysqli_num_rows($result);
if($rowcount==0)
echo "Sorry ,no records found!";
else
{
?>
<center><table class="table table-bordered">
<thead>
<tr>
<th>#</th>
<th>Member ID</th>
<th>Member Name</th>
<th>Actions</th>
</tr>
<?php
while($row=mysqli_fetch_assoc($result)) //display
{
?> <tr>
<td></td>
<td><?php echo $row["Member_ID"]?></td>
<td><?php echo $row["Member_Name"]?></td>
<td><img src=../Images/ViewFile.png height=37px title=View>
<img src=../Images/edit.png height=37px title=Edit>
</td>
</tr>
</table>
</center>
<?php
}
}
}
?>
<center><table class="table table-bordered">
<thead>
<tr>
<th>#</th>
<th>Member ID</th>
<th>Member Name</th>
<th>Actions</th>
</tr>
<?php
$sql = "select * from legoclub_guesthouse.member";
$result = mysqli_query($conn,$sql);
$rowcount= mysqli_num_rows($result);
while($row=mysqli_fetch_assoc($result))
{
echo "<tr>";
echo "<td></td>";
echo "<td>$row[Member_ID]</td>";
echo "<td>$row[Member_Name]</td>";
echo "<td><img src=../Images/ViewFile.png height=37px title=View>
<img src=../Images/edit.png height=37px title=Edit>
</td>";
echo "</tr>";
}
?>
</table><center>
</div>
Please include the php file for me too!
To do it in easiest way just try to use this code:
<div id = "subtitle">
View Members
</div>
<div id = "searchbox">
<form method="post">
<center><input type="text" maxlength="100" required placeholder="Enter Full Name" name ="search" autocomplete="off" value="">
<input type="submit" name="btn" value="SEARCH NOW!"></p></center>
</form>
</div>
<?php
if(isset($_POST["btn"]))
{
$search = $_POST["search"];
$sql = "select * from member where Member_Name like '$search%' ";
$result = mysqli_query($conn,$sql);
$rowcount = mysqli_num_rows($result);
if($rowcount==0)
echo "Sorry ,no records found!";
else
{
?>
<center><table class="table table-bordered">
<thead>
<tr>
<th>#</th>
<th>Member ID</th>
<th>Member Name</th>
<th>Actions</th>
</tr>
<?php
while($row=mysqli_fetch_assoc($result)) //display
{
?> <tr>
<td></td>
<td><?php echo $row["Member_ID"]?></td>
<td><?php echo $row["Member_Name"]?></td>
<td><img src=../Images/ViewFile.png height=37px title=View>
<img src=../Images/edit.png height=37px title=Edit>
</td>
</tr>
<?php
}
$sql = "select * from legoclub_guesthouse.member";
$result = mysqli_query($conn,$sql);
$rowcount= mysqli_num_rows($result);
while($row=mysqli_fetch_assoc($result))
{
echo "<tr>";
echo "<td></td>";
echo "<td>$row[Member_ID]</td>";
echo "<td>$row[Member_Name]</td>";
echo "<td><img src=../Images/ViewFile.png height=37px title=View>
<img src=../Images/edit.png height=37px title=Edit>
</td>";
echo "</tr>";
}
?>
</table>
</center>
<?php
}
}
?>
</div>
But I would recommend you to use SQL UNION Operator.
It will make your life easy for these type of problems