How to show 1 users mySQL information - php

So I have two pages. One shows all of the users who have filled out the form. On this page the ID is hyperlinked to the users individual page. On the individual page it should only show their individual information. When I do it, it still shows everyones information and I can't figure out how to change it.
This is my table for all the users.
<?php
//Establish the connection to the database server
$conn = mysql_connect("localhost","root", "MIS42520!$") or die (mysql_error());
//Tell the connection which database to use
mysql_select_db("assignment_3", $conn);
//Tell the database what you want, with an SQL statement
$sql = "select id, firstname, lastname, emailaddress from usertable";
//Run the sql statement against the connection
$result = mysql_query($sql, $conn) or die (mysql_error());
//Process the result set $result
print "<center><table id='adminTable' border=1>";
print "<tr><th>ID</th><th>First Name</th><th>Last Name</th> <th> Email Address</th> </tr>";
while($row = mysql_fetch_array($result)){
echo "<tr>";
echo "<td>{$row['id']}</td>";
echo "<td>" . $row['firstname'] . "</td>";
echo "<td>" . $row['lastname'] . "</td>";
echo "<td>" . $row['emailaddress'] . "</td></tr>";
}
echo "</table></center>"; //Close the table
?>
My table for the single user is essentially exactly the same but I added the following on top
$id= $_GET['id'];

Change your $sql variable to this:
$sql = "select id, firstname, lastname, emailaddress from usertable where id='".htmlentities($_GET['id'])."'";

Well.. you need to change the statement for the page of the only one user i think
Try this
$sql = "select id, firstname, lastname, emailaddress from usertable where id =".$id;
And as #jay-blanchard says in the comment, try not to use deprecated methods/classes, use prepared statements here's the link to the mysqli class

Related

copy values to another mysql database

I have a table that displays fields sent from a form. There are buttons that can edit or delete selected row by selecting id. I want to add a button that would insert selected row to another table. I cannot get it to work.
Here's the code for the table:
<?php
/*
VIEW.PHP
Displays all data from 'players' table
*/
// connect to the database
include('config2.php');
// get results from database
$result = mysql_query("SELECT * FROM articles")
or die(mysql_error());
// display data in table
echo "<table border='1' cellpadding='10'>";
echo "<tr> <th>Author</th> <th>Email</th> <th>Title</th> <th>Poem</th> <th>id</th>";
// loop through results of database query, displaying them in the table
while($row = mysql_fetch_array( $result )) {
// echo out the contents of each row into a table
echo "<tr>";
echo '<td>' . $row['Name'] . '</td>';
echo '<td>' . $row['Email'] . '</td>';
echo '<td>' . $row['title'] . '</td>';
echo '<td>' . $row['content'] . '</td>';
echo '<td>' . $row['id'] . '</td>';
echo '<td>Edit</td>';
echo '<td>Delete</td>';
echo '<td>Publish</td>';
echo "</tr>";
}
// close table>
echo "</table>";
?>
Here's the code for delete function:
// connect to the database
include('config2.php');
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
// get id value
$id = $_GET['id'];
// delete the entry
$result = mysql_query("DELETE FROM stories WHERE id=$id")
or die(mysql_error());
// redirect back to the view page
header("Location: secret.php");
}
else
// if id isn't set, or isn't valid, redirect back to view page
{
header("Location: secret.php");
}
And here's how I think the function to insert the row to other table should look like but it's not working
// connect to the database
include('config2.php');
// check if the 'id' variable is set in URL, and check that it is valid
if (isset($_GET['id']) && is_numeric($_GET['id']))
{
// get id values
$id = $_GET['id'];
$name = $_GET['name'];
$email = $_GET['email'];
$title = $_GET['title'];
$content = $_GET['content'];
//upload
$result = mysql_query("INSERT into publish (name, email, title, content)
VALUES WHERE name=$name, email=$email, title=$title, content=$content")
or die(mysql_error());
// redirect back to the view page
header("Location: secret.php");
}
else
// if id isn't set, or isn't valid, redirect back to view page
{
header("Location: secret.php");
}
I'm new at this so not sure what the correct syntax would look like in this case
Using select query
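$id = (int) $_GET['id']; // cast so only an integer reaches the query
$result = mysql_query("select * from stories WHERE id=$id")
or die(mysql_error());
$row = mysql_fetch_array( $result );
// escape the fetched values before reusing them in the INSERT
$name = mysql_real_escape_string($row['Name']);
$email = mysql_real_escape_string($row['Email']);
$title = mysql_real_escape_string($row['title']);
$content = mysql_real_escape_string($row['content']);
$query= mysql_query("INSERT INTO publish (name, email, title, content)
VALUES ('$name','$email','$title','$content')");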
I am not sure about any PHP related stuff but have you looked at your INSERT statement? It's completely wrong. You can't use a WHERE condition in INSERT statement as shown below
INSERT into publish (name, email, title, content)
VALUES WHERE name=$name, ....
^------ Here
Did you rather mean to use INSERT INTO .. SELECT FROM construct like
INSERT into publish (name, email, title, content)
SELECT name, email, title, content
FROM Article
WHERE name=$name, email=$email, title=$title, content=$content"
(OR) just an INSERT statement
INSERT into publish (name, email, title, content)
VALUES($name, $email, $title, $content)
Use sub select if you want but I don't know about performance in large table
Insert into tablea (name,xx,xxx) value ('select name from table b where id=x' ,'select xx from table b where id=x ', 'select xxx from table b where id=x') not tested but it should work
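
The INSERT INTO .. SELECT form suggested above, as an added example that is not from any of the posts: only the row id is taken from the request and bound as a parameter, and the row is copied inside the database. It assumes PDO with an in-memory SQLite database and constructed rows in place of the page's MySQL tables; `publishArticle` is a hypothetical name.

```php
<?php
// Added example; constructed rows, in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, Name TEXT, Email TEXT, title TEXT, content TEXT)');
$db->exec('CREATE TABLE publish (name TEXT, email TEXT, title TEXT, content TEXT)');
$db->exec("INSERT INTO articles (Name, Email, title, content) VALUES
    ('O''Neil', 'a@example.test', 'Dawn', 'It''s early'),
    ('Lee', 'b@example.test', 'Dusk', 'Late light')");

// Copy one row server-side. Only the id comes from the request; the column
// values never pass through PHP strings, so quotes in them cannot break the SQL
// and the client cannot substitute its own name, email, title or content.
function publishArticle(PDO $db, $rawId): int {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return 0; // not a plain positive integer: nothing is copied
    }
    $stmt = $db->prepare(
        'INSERT INTO publish (name, email, title, content)
         SELECT Name, Email, title, content FROM articles WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount(); // number of rows copied
}

echo publishArticle($db, '1'), "\n";   // existing id
echo publishArticle($db, '99'), "\n";  // id with no matching row
echo publishArticle($db, 'abc'), "\n"; // rejected before reaching the database
print_r($db->query('SELECT * FROM publish')->fetchAll(PDO::FETCH_ASSOC));
```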

insert statement using request and session

for some reason I can't seem to get the data to insert php and mysql.
I have a init.php with the connection string in, a order.php file and finally a band_list.php.
I am having some problem getting the data in to database.
the database has 3 tables:
order it has id, order_id and band_id columns
users it has id, name and password columns
bands it has Band_id, name and stock columns
band_list.php has a band gig details in it shown to the user.
<?php
require 'core/init.php';
$Band_id = $_GET['id'];
$result = mysql_query("SELECT * FROM bands WHERE Band_id = $Band_id");
echo "<table border = '1'>
<tr>
<th>Band Name</th>
<th>Venue</th>
<th>Category</th>
<th>Stock</th>
<th>Add</th>
</tr>";
while($row = mysql_fetch_array($result))
{
echo "<tr><form name=\"myform\" action=\" order.php\" method=\"post\">";
echo "<td> <input name=\"band\" type=\"hidden\" value=\"". $Band_id."\" ></td>";
echo "<td>" .$row['Name']. "</td>";
echo "<td>" .$row['Venue']. "</td>";
echo "<td>" .$row['Category']. "</td>";
echo "<td>" .$row['Stock']. "</td>";
echo "<td><button>Buy Ticket</button></td>";
echo "<td><input type=\" submit\" value=\"Buy Ticket\"></td>";
echo "</tr> </form>";
}
echo "</table>";
?>
order.php has the query that is meant to send the data to the database
<?php
require 'core/init.php';
session_start();
$Band_id = $_REQUEST['Band_id'];
$user_id = $_SESSION['user_id'];
$sql = "INSERT INTO orders (band_id,user_id) VALUES($Band_id,$user_id)";
mysql_query ($sql, $linkme)
or die ("could not add to database");
?>
and the connection string is in a init file.
so the idea is when the user clicks buy ticket it gets the current Band_id and user_id and inserts them into the database table orders in to columns band_id and user_id.
This is not happening I am just getting my or die ("could not add to database"); string come up.
Is there a problem with the way I have done it?
<input name=\"band\" type=\"hidden\" value=\"". $Band_id."\" >
And you're trying to get POST variable "Band_id" (which does not exist)
$Band_id = $_REQUEST['Band_id'];
Should be
$Band_id = mysql_real_escape_string($_REQUEST['band']);
Other details:
In order.php, it's better to place "session_start()" at the beginning (before anything)
Consider using mysqli or PDO instead of deprecated mysql
You could get band id with $_POST instead of $_REQUEST because your form sends it with post method

matching department in login

I am creating a small part of intranet for my college using php with css and mysql. i have created a database called "mop" which is my college name. it consists of 2 tables - students(regno,name,dept,year) and staff(id,password,dept). i have made this form for staff login. after the login is made it checks for the id and password in the staff table and here is the php that the above form refers to:
$myid = stripslashes($myid);
$mypassword = stripslashes($mypassword);
$myid = mysql_real_escape_string($myid);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE id='$myid' and password='$mypassword'";
$result=mysql_query($sql);
$count=mysql_num_rows($result);
if($count==1){
$_SESSION['myid'];
$_SESSION['mypassword'];
header("location:form3.php");
}
if the login is successful it goes to a menu with view/insert/delete student database option and based on the option it goes to the page accordingly. here is the view coding (for eg) of options:
<?php
$con=mysqli_connect("localhost","staff","123456","mop");
if (mysqli_connect_errno())
{
echo "Failed to connect to MySQL: " . mysqli_connect_error();
}
$result = mysqli_query($con,"SELECT * FROM student");
echo "<table border='1'>
<tr>
<th>Register No</th>
<th>Name</th>
<th>Department</th>
<th>Class</th>
</tr>";
while($row = mysqli_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['regno'] . "</td>";
echo "<td>" . $row['name'] . "</td>";
echo "<td>" . $row['department'] . "</td>";
echo "<td>" . $row['class'] . "</td>";
echo "</tr>";
}
echo "</table>";
mysqli_close($con);
?>
now my problem is if a staff of particular dept say CSE or ECE logs in then the staff should be able to view only the students who are of the same dept(this should be done automatically and dept selection shouldnt be done through drop down lists or radio buttons or any other method). i have an idea but unable to implement it. the value of dept from staff table should be stored in some variable say $dept and in my view/insert/delete page i should be able to manipulate the query accordingly like $sql="select * from student where department=$dept";
i am unable to implement this. can anyone of u tell me how to do it?
is this possible? or any other work around for this??
Just put a session_start(); at the beginning of your PHP code and then
after
$result=mysql_query($sql);
put
$row = mysql_fetch_assoc($result); // mysql_query returns a result resource, so fetch the row first
$_SESSION['myDept'] = $row['dept'];
This is the dept from staff table, it will be stored in the $_SESSION array.
This array has a session lifetime.
Then in each code ( this one or another PHP ), since you have put a session_start(); you will have access to the $_SESSION array. So you will have access to your "dept".
So you are able to make a SQL to select only the student in the staff dept.
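
One way to implement the department scoping described above (added example, not code from the posts): the department is read from the staff row at login, kept in the session, and bound into the student query. Assumptions: PDO with in-memory SQLite and constructed rows instead of the `mop` MySQL database, a `password_hash` column in place of the plain `password` column, and a plain array standing in for `$_SESSION`; `login` and `studentsForStaff` are hypothetical names.

```php
<?php
// Added example; constructed rows, in-memory SQLite stands in for the "mop" MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE staff (id TEXT PRIMARY KEY, password_hash TEXT, dept TEXT)');
$db->exec('CREATE TABLE student (regno TEXT, name TEXT, department TEXT, class TEXT)');
$ins = $db->prepare('INSERT INTO staff VALUES (?, ?, ?)');
$ins->execute(['s1', password_hash('constructed-pass-1', PASSWORD_DEFAULT), 'CSE']);
$ins->execute(['s2', password_hash('constructed-pass-2', PASSWORD_DEFAULT), 'ECE']);
$db->exec("INSERT INTO student VALUES ('r1','Asha','CSE','II'), ('r2','Ravi','ECE','I'), ('r3','Mina','CSE','III')");

// Login: fetch the row by id, verify the hash, and record the department server-side.
function login(PDO $db, array &$session, string $id, string $password): bool {
    $stmt = $db->prepare('SELECT id, password_hash, dept FROM staff WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    $session['myid'] = $row['id'];
    $session['myDept'] = $row['dept']; // comes from the staff table, never from the request
    return true;
}

// View page: the department filter is taken from the session and bound as a parameter.
function studentsForStaff(PDO $db, array $session): array {
    if (!isset($session['myDept'])) {
        return []; // not logged in: no rows
    }
    $stmt = $db->prepare('SELECT regno, name, department, class FROM student WHERE department = ?');
    $stmt->execute([$session['myDept']]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$session = []; // stand-in for $_SESSION after session_start()
var_dump(login($db, $session, 's1', 'wrong'));              // failed login leaves the session empty
var_dump(login($db, $session, 's1', 'constructed-pass-1')); // successful login records the department
foreach (studentsForStaff($db, $session) as $s) {
    echo $s['regno'], ' ', $s['name'], ' ', $s['department'], "\n";
}
```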

MYSQL - to coding a PHP query

I'm just learning MYSQL / PHP. I'm having trouble with a query, it's working in myphpadmin:
select `email`, count(*) as count
from `table`
where `date` = "open"
group by `email`
order by `email`
I can't get it to work if I either write the mysql_query myself or use the php myphpadmin generates:
$sql = "select `email`, count(*) as count\n"
. "from `table`\n"
. "where `date` = \"open\"\n"
. "group by `email`\n"
. "order by `email`\n"
. "";
The purpose is to query a three column table of EMAIL, DATE, EVENT - where EVENT could be "open" or "bounce" and count the number of times a person opened an email.
Here's the rest of the file (I realize I should be using mysqli, that's next on my list to figure out....):
<?php
$db_host = '123';
$db_user = '123';
$db_pwd = '123';
$database = '';
$table = 'test';
if (!mysql_connect($db_host, $db_user, $db_pwd))
die("Can't connect to database");
if (!mysql_select_db($database))
die("Can't select database");
sql = "select `email`, count(*) as count\n"
. "from `table`\n"
. "where `date` = \"open\"\n"
. "group by `email`\n"
. "order by `email`\n"
. "";
// sending query
$result = mysql_query($sql);
if (!$result) {
die("Query to show fields from table failed 2");
}
echo "<table border='1'>
<tr>
<th>email</th>
<th>event</th>
<th>date</th>
</tr>";
while($row = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $row['Email'] . "</td>";
echo "<td>" . $row['event'] . "</td>";
echo "<td>" . $row['date'] . "</td>";
}
echo "</table>\n";
mysql_free_result($result);
?>
I just get the "Query to show fields from table failed 2" back - the query didn't work
The '\n' in your query - was generated by myphpadmin (when I use the "generate php code" feature
I have a connection to the database, I just changed the value assigned to those variable so I wouldn't post them
I have the "$" in the $sql var in my file, just didn't get it copied over here.
So,
When I replace this query with a simple one, it works fine, but when I try the more complicated query, no luck. I assume it has to do with converting the mysql WHERE date = "open" into proper (escaped?) php....
I'm not sure what the procedure is when I sorta found my own problem = The biggest issue (of several). When I used the "generate PHP code" feature on myphpadmin it didn't keep the capital "E" in Email from the name of the column in the table...
Those newline characters might be the problem...
try
$sql = "select email, count(*) as count from table where date=\"open\" group by email order by email";
Your $database variable is empty, and you are using that with your mysql_select_db
sql var in line 19 (includes empty lines) is missing $.
what is the value of $result ? or is there error before that ?
You could try using ' instead of `!
Also make sure that you have an active connection with your database. You're only checking IF the connection is possible, so I'm not sure if you're actually keeping the connection intact.
Instead, you could do:
$connect = mysql_connect($db_host, $db_user, $db_pwd) or die(mysql_error());

PHP ID not going through url

i cannot get a row to delete as the id is not going through the url. it's a simple error somewhere and i cannot find the solution after having a look around for an hour.
this page contains the information on a table:
<?php
$result = mysql_query("SELECT review, ratings, date, user FROM reviews")
or die(mysql_error()); ;
if (mysql_num_rows($result) == 0) {
echo 'There Arent Any Reviews Yet';
} else {
echo "<table border='0'><table width=100% border='6'><tr><th>Comments/Thoughts</th><th>Ratings</th><th>Date</th><th>User</th><th>Delete</th></tr>";
while($info = mysql_fetch_array($result))
{
echo "<tr>";
echo "<td>" . $info['review']. "</td>";
echo "<td>" . $info['ratings']. " Stars</td>";
echo "<td>" . $info['date']. "</td>";
echo "<td>" . $info['user']. "</td>";
echo "<td>" . " <a href='deletereview.php?review_id=" . $info['review_id'] . "'>Delete</a> </td>";
echo "</tr>";
}
}
echo "</table>";
?>
it goes to deletereview.php which carries out the delete function:
<?php
session_start();
require_once '../includes/db.php';
$id = $_GET['review_id'];
$info = "DELETE FROM reviews WHERE review_id = '$id'";
mysql_query($info) or die ("Error: ".mysql_error());
echo "<h2>Review Deleted</h2>";
?>
any ideas guys?
You're not selecting the review_id in the query, so $info["review_id"] is always null.
Aside from the other answers, I'll say this:
Your database will get jacked if you do not sanitize your variables.
For instance, what happens if I pass review_id=' OR '1'='1?
DELETE FROM reviews WHERE review_id = '' OR '1'='1'
This query will delete everything in reviews.
mysql_real_escape_string() your $_GET and $_POST variables before using them in your MySQL.
You forgot to select the review_id.
$result = mysql_query("SELECT review_id, review, ratings, date, user FROM reviews")
You're not selecting review_id from the database but you use $info['review_id'] to set the ID on the URL. Just change your first line to:
$result = mysql_query("SELECT review_id, review, ratings, date, user FROM reviews")
Also you must escape the input with mysql_real_escape_string:
$id = mysql_real_escape_string($_GET['review_id']);
You have to select the review_id in the query. But also you have to check for some SQL injection, because with the GET request it's easy to delete all the table records.
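
The injection described in the answers above, shown beside a bound-parameter version (added example, not code from the posts); the same binding applies to the `where id=` lookups in the first question on this page. It assumes PDO with an in-memory SQLite database and constructed rows in place of the MySQL `reviews` table; the function names are hypothetical.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (the page uses MySQL).
function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reviews (review_id INTEGER PRIMARY KEY, review TEXT, user TEXT)');
    $db->exec("INSERT INTO reviews (review, user) VALUES ('Great', 'ann'), ('Okay', 'bob'), ('Poor', 'cy')");
    return $db;
}

// The pattern from deletereview.php: the request value is concatenated into the statement.
function deleteConcatenated(PDO $db, string $id): int {
    return $db->exec("DELETE FROM reviews WHERE review_id = '$id'");
}

// Hardened: accept only a positive integer, then bind it as a parameter.
function deleteBound(PDO $db, string $id): int {
    $reviewId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($reviewId === false) {
        return 0; // reject anything that is not a plain integer id
    }
    $stmt = $db->prepare('DELETE FROM reviews WHERE review_id = :id');
    $stmt->bindValue(':id', $reviewId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$payload = "' OR '1'='1"; // the value quoted in the answer above

// Each call gets a fresh three-row table so the counts are comparable.
printf("concatenated, payload: %d rows deleted\n", deleteConcatenated(makeDb(), $payload));
printf("bound, payload:        %d rows deleted\n", deleteBound(makeDb(), $payload));
printf("bound, id 2:           %d rows deleted\n", deleteBound(makeDb(), '2'));
```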
