To reduce the risk of SQL injection I decided only to use preset drop down menus for users to query the database. I have a set of five drop downs that work well together with a single submit button, and it opens the page it should, but I'm not getting any data. I think I've tried everything that I can find, and I suspect it is the select line that is wrong, but I've tried dozens of variations without success. It seems that every tutorial shows something different and none of the ones I've found have helped.
The drop down I'm using is this:
<form action="test_result3.php" method="post">
<?php
mysql_connect('localhost', 'user', 'password');
mysql_select_db('database');
$sql = "SELECT DISTINCT Country FROM engravers Where Country <>'' AND Country IS NOT NULL ORDER by Country";
$result = mysql_query($sql);
echo "<select name\\='Country'>";
echo "<option value='$_POST'>Country</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Country'] . "'>" . $row['Country'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Year FROM engravers Where Year <>'' AND Year IS NOT NULL ORDER by Year";
$result = mysql_query($sql);
echo "<select name\\='Year'>";
echo "<option value='$_POST'>Year</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Year'] . "'>" . $row['Year'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Engraver1Surname FROM engravers Where Engraver1Surname <> '' AND Engraver1Surname IS NOT NULL ORDER by Engraver1Surname";
$result = mysql_query($sql);
echo "<select name\\='Engraver1Surname'>";
echo "<option value='$_POST'>Engraver</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Engraver1Surname'] . "'>" . $row['Engraver1Surname'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Designer1Surname FROM engravers Where Designer1Surname <>'' AND Designer1Surname IS NOT NULL ORDER by Designer1Surname";
$result = mysql_query($sql);
echo "<select name\\='Designer1Surname'>";
echo "<option value='$_POST'>Designer</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Designer1Surname'] . "'>" . $row['Designer1Surname'] . "</option>";
}
echo "</select>";
$sql = "SELECT DISTINCT Printer FROM engravers Where Printer <>'' AND Printer IS NOT NULL ORDER by Printer";
$result = mysql_query($sql);
echo "<select name\\='Printer'>";
echo "<option value='$_POST'>Printer</option>";
while ($row = mysql_fetch_array($result)) {
echo "<option value='" . $row['Printer'] . "'>" . $row['Printer'] . "</option>";
}
echo "</select>";
?>
<input type="submit" />
</form>
This takes me to the php page test_results3 but it is blank.
<?php
mysql_connect('localhost', 'user', 'password') or die(mysql_error());
mysql_select_db("database") or die(mysql_error());
$query=("SELECT * FROM engravers WHERE $Country = $_POST['Country']", $Year = $_POST['Year'], $Engraver1Surname = $_POST['Engraver1Surname'], $Designer1Surname = $_POST['Designer1Surname]', $Printer = $_POST['Printer']);
while($result = mysql_fetch_array( $query ));
$num=mysql_numrows($result);
$i=0;
while ($i,$num){
$i++;
}
{
echo $result['Country'];
echo " ";
echo $result['Year'];
echo " Engraver: ";
echo $result['Engraver1Surname'];
echo " Designer: ";
echo $result['Designer1Surname'];
echo " Printer: ";
echo $result['Printer'];
echo " ";
$img_url = "http://www.engravedstamps.net/images/";
{
echo '<img src="'.$img_url.$result['Images'].'" />';
}
echo "<br>";
echo "<br>";
}
$anymatches=mysql_num_rows($data);
if ($anymatches == 0)
{
echo "Sorry, but we can not find an entry to match your query<br><br>";
}
echo "<b>Searched For:</b> " .$find;
}
mysql_close();
?>
I seem to be getting more confused and frustrated by the hour with this. So far I've spent six weeks trying to write a three page search and display website and I don't feel like I'm any closer than when I started. Any help at all would be greatly appreciated.
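An added example, not the poster's code: a result page for the five-dropdown form above, written with mysqli because the mysql_* functions were removed in PHP 7. A dropdown only limits what the browser offers and the server still receives whatever is posted, so every value is bound as a parameter and column names come from a fixed list. The empty placeholder value, the function name and the credentials are assumptions.

```php
<?php
// Added example, not the poster's code. Table and column names are taken from
// the form above; search_engravers() and the credentials are placeholders.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Identifiers cannot be bound as parameters, so the columns that may appear in
// the WHERE clause come only from this fixed list, never from the request.
const FILTER_COLUMNS = ['Country', 'Year', 'Engraver1Surname', 'Designer1Surname', 'Printer'];

function search_engravers(mysqli $db, array $post): array
{
    $where = [];
    $values = [];
    foreach (FILTER_COLUMNS as $column) {
        $value = $post[$column] ?? '';
        // Assumption: the placeholder <option> has value="" meaning "any".
        if (!is_string($value) || $value === '') {
            continue;
        }
        $where[] = "`$column` = ?";
        $values[] = $value;
    }
    $sql = 'SELECT Country, Year, Engraver1Surname, Designer1Surname, Printer, Images'
         . ' FROM engravers';
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    if ($values) {
        // Every submitted value travels as data, whatever characters it holds.
        $stmt->bind_param(str_repeat('s', count($values)), ...$values);
    }
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

$db = new mysqli('localhost', 'user', 'password', 'database');
$rows = search_engravers($db, $_POST);
$e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); // encode on output
foreach ($rows as $row) {
    echo $e($row['Country']), ' ', $e($row['Year']),
        ' Engraver: ', $e($row['Engraver1Surname']),
        ' Designer: ', $e($row['Designer1Surname']),
        ' Printer: ', $e($row['Printer']), "<br>\n";
}
if (!$rows) {
    echo 'Sorry, but we can not find an entry to match your query<br>';
}
```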
I am trying to create a basic advanced search with an input which will then search through any results that have a matching category field that is selected in the dropdown and then also a matching keyword field for company_name in "advancedSearch". I have gotten to the stage where I can use the drop down to then display the matching data but I’m having trouble querying that with the search input.
Here is my form code from index.php
<form action="advanced-search.php" method="POST">
<input id="advancedInput" placeholder="Advanced Search" type="search" name="advancedSearch">
<?php
$sqlSelect="SELECT category FROM categories";
$result = $db -> query ($sqlSelect);
echo "<select id=\"selectAdvanced\" name=\"value\">";
echo "<option></option>";
while ($row = mysqli_fetch_array($result)) {
$rows[] = $row;
}
foreach ($rows as $row) {
print "<option value='" . $row['category'] . "'>" . $row['category'] . "</option>";
}
echo "</select>";
?>
<input type="submit" value="search"/>
</form>
And here is the code from my advanced-search.php
<?php
if(isset($_POST['value']) && !empty($_POST['value'])) {
$username = trim(strip_tags($_POST['value']));
include('dbConfig.php');
if (mysqli_connect_errno()) {
printf("Can't connect: %s\n", mysqli_connect_error());
exit();
}
$where = ($username == "category")? "" : " WHERE category = '$username'";
$sql = "SELECT * FROM company_listings" . $where; // Create Query
$result = mysqli_query($db, $sql); // Run Query
echo "<table border=1><tr><th>id</th><th>name</th><th>created</th></tr>";
while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)){
echo "<tr>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row['company_name'] . "</td>";
echo "<td>" . $row['created'] . "</td>";
echo "</tr>";
}
echo "</table>";
mysqli_free_result($result);
}
This code works great for echoing out the matching categories from the dropdown but I can't work out how I would further query the search from the "advanced search" input.
Any help would be greatly appreciated.
I worked out that using AND in my query like this and using the Request on submit I was able to get what I was after... Thanks to #ADyson for the nudge. I have added my updated advanced-search.php file below;
if(isset($_REQUEST['submit'])){
$username = (($_POST['value']));
$advanced = (($_POST['advancedSearch']));
include('dbConfig.php');
if (mysqli_connect_errno()) {
printf("Can't connect: %s\n", mysqli_connect_error());
exit();
}
$sql=" SELECT * FROM company_listings WHERE company_name like '%".$advanced."%' AND category LIKE '%".$username."%'";
$result = mysqli_query($db, $sql); // Run Query
echo "<table border=1><tr><th>id</th><th>name</th><th>created</th></tr>";
while($row = mysqli_fetch_array($result, MYSQLI_ASSOC)){
echo "<tr>";
echo "<td>" . $row['id'] . "</td>";
echo "<td>" . $row['company_name'] . "</td>";
echo "<td>" . $row['created'] . "</td>";
echo "</tr>";
}
echo "</table>";
mysqli_free_result($result);
}
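An added example, not the poster's code: the same keyword-plus-category search with both inputs bound as parameters instead of concatenated into the SQL string, and with LIKE wildcards in the keyword escaped so that a typed % or _ matches literally. $db is assumed to be the mysqli handle created by dbConfig.php; like_escape() and search_listings() are names introduced here.

```php
<?php
// Added example, not the poster's code. $db is the mysqli handle that
// dbConfig.php is assumed to create; like_escape() and search_listings() are
// helpers introduced here.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Make LIKE metacharacters in user text match literally. '!' is declared as
// the escape character in the query, so no backslash handling is involved.
function like_escape(string $text): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $text);
}

function search_listings(mysqli $db, string $keyword, string $category): array
{
    $sql = "SELECT id, company_name, created FROM company_listings"
         . " WHERE company_name LIKE ? ESCAPE '!'";
    $params = ['%' . like_escape(trim($keyword)) . '%'];
    if ($category !== '') {
        // The dropdown submits a whole category name, so compare exactly.
        $sql .= ' AND category = ?';
        $params[] = $category;
    }
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($params)), ...$params);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

include 'dbConfig.php';
$keyword  = is_string($_POST['advancedSearch'] ?? null) ? $_POST['advancedSearch'] : '';
$category = is_string($_POST['value'] ?? null) ? $_POST['value'] : '';
$e = fn($s) => htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');

echo "<table border=1><tr><th>id</th><th>name</th><th>created</th></tr>";
foreach (search_listings($db, $keyword, $category) as $row) {
    echo '<tr><td>', $e($row['id']), '</td><td>', $e($row['company_name']),
        '</td><td>', $e($row['created']), "</td></tr>";
}
echo "</table>";
```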
My dropdown list displays user names that I get from the database. I want to implement a displayInfo function so that when someone selects a user, it will automatically display his/her info below.
How can I display a user's info when someone selects their name?
This is my dropdown code:
<?php
//connect
$conn = mysqli_connect("localhost","user","123abc");
mysqli_select_db($conn, "users");
//query
$sql= mysqli_query($conn, "SELECT person_id,first_name FROM users");
echo "<select name='dropdown' onchange='displayInfo' id='dropdown'>";
while ($row = mysqli_fetch_array($sql))
{
//display friends' first names on dropdown
if($row['person_id'] == $row['first_name']) {
echo "<option value='" . $row['person_id'] . "' selected>" . $row['list_name'] . "</option>";
} else {
echo "<option value='" . $row['person_id'] . "'>" . $row['first_name'] . "</option>";
}
}
echo "</select>";
Best way to call a Javascript function on option select like this
<?php
//connect
$conn = mysqli_connect("localhost","user","123abc");
mysqli_select_db($conn, "users");
//query
$sql= mysqli_query($conn, "SELECT person_id,first_name FROM users");
echo "<select name='dropdown' onchange='displayInfo' id='dropdown'>";
while ($row = mysqli_fetch_array($sql))
{
//display friends' first names on dropdown
if($row['person_id'] == $row['first_name']) {
echo "<option onchange='myFunction(this);' value='" . $row['person_id'] . "' selected>" . $row['list_name'] . "</option>";
} else {
echo "<option onchange='myFunction(this);' value='" . $row['person_id'] . "'>" . $row['first_name'] . "</option>";
}
}
echo "</select>";
<script>
function myFunction(control){
$(control).val() //to access value or any other functionality
}
</script>
I run a query to create a drop down.
$sql_course = "SELECT * FROM hc_course";
$result_course = mysql_query($sql_course);
echo "<select name='course_num'>";
while ($row = mysql_fetch_array($result_course)) {
echo "<option value='" . $row['course_num'] . "'>" . $row['course_name'] . "</option>";
}
echo "</select>";
This produces the list with all the names correctly.
However, I would like to inject an "any" entry that would then turn the next query based off of this from a 'course_num' into a *.
You mean like this?
echo "<select name='course_num'>";
echo "<option value='*'>Any</option>";
while ($row = mysql_fetch_array($result_course)) {
....
echo "<select name='course_num'>";
echo "<option value='*'>Any</option>";
while ($row = mysql_fetch_array($result_course)) {
echo "<option value='" . $row['course_num'] . "'>" . $row['course_name'] . "</option>";
}
echo "</select>";
You should never trust user input so you would need to add some form of PHP sanitisation to process the request.
Initial code:
$sql_course = "SELECT * FROM hc_course";
$result_course = mysql_query($sql_course);
echo "<select name='course_num'>";
echo "<option value=''>Any</option>"; // New code for all courses
while ($row = mysql_fetch_array($result_course)) {
echo "<option value='" . htmlspecialchars($row['course_num']) . "'>" . htmlspecialchars($row['course_name']) . " </option>";
}
echo "</select>";
And the code on the page handling this request should work something like this:
if (empty($_POST["course_num"]))
{
// Run SQL to select all courses
}
else
{
// Sanitise the $_POST["course_num"]
// Run SQL to select a specific course item
}
update.php
$q = mysql_query("SELECT id FROM performer WHERE username='$user' LIMIT 1") or die("Error : " . mysql_error());
$r = mysql_fetch_assoc($q);
$id = $r['id'];
$query = mysql_query("SELECT baned_c, baned_c2, baned_c3 FROM performer_s WHERE id='$id' LIMIT 1");
$result = mysql_fetch_assoc($query);
if($result['baned_c'] == NULL) { $res1 = "NONE"; } else { $res1 = $result['baned_c']; }
<?php
echo "<form method=post action=insert.php>";
echo "<select name=country>";
echo "<option value=>NONE</option>";
$country = mysql_query("SELECT DISTINCT country_name FROM country_list ORDER BY country_name ASC");
while($next = mysql_fetch_assoc($country))
{
if($next['country_name'] == $res1)
{
echo "<option selected value=" . $next['country_name'] . ">" . $next['country_name'] . "</option>";
}
else
{
echo "<option value=" . $next['country_name'] . ">" . $next['country_name'] . "</option>";
}
}
echo "</select>";
echo "<br /><input type=submit value=Update List />";
echo "</form>";
mysql_close();
insert.php
$country1 = $_POST['country'];
$user = $_SESSION['MM_Username'];
$query = mysql_query("SELECT id FROM performer WHERE username='$user' LIMIT 1") or die("Error : " . mysql_error());
$row = mysql_fetch_assoc($query) or die("Error : " . mysql_error());
$id = $row['id'];
if(isset($country1)) { mysql_query("UPDATE performer_s SET baned_c='$country1' WHERE id='$id'") or die("Error : " . mysql_error()); }
Hello to all, new here and it's nice to meet you.
Hope you can help me out.
Up here are my 2 pages, update.php and insert.php.
My problem:
If $country1 = $_POST['country']; is a one word country all is good, but if it's a two word country $_POST only gives me the first word.
$country1 = $_POST['country'];
If it's AMERICA it's OK.
If it's REPUBLIC OF KOREA, NOT OK; I only get REPUBLIC.
What can I do?
Try changing:
echo "<option value=" . $next['country_name'] . ">" . $next['country_name'] . "</option>";
for:
echo "<option value=\"" . $next['country_name'] . "\">" . $next['country_name'] . "</option>";
You are, basically, generating this HTML right now:
<option value=REPUBLIC OF KOREA>REPUBLIC OF KOREA</option>
and you should be generating this HTML:
<option value="REPUBLIC OF KOREA">REPUBLIC OF KOREA</option>
By the way, do the same thing (add the "s) to the other echo (the selected one).
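An added example, not code from the thread: quoting the attribute fixes values with spaces, and encoding the value with htmlspecialchars() keeps a stored name that contains a quote, &, < or > from ending the attribute early. render_select() is a helper introduced here and the country names are constructed sample data.

```php
<?php
// Added example, not code from the thread. render_select() is a helper
// introduced here; the country names are constructed sample data.
function render_select(string $name, array $values, ?string $selected = null): string
{
    $attr = fn(string $s) => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    $html = '<select name="' . $attr($name) . '">' . "\n";
    $html .= '<option value="">NONE</option>' . "\n";
    foreach ($values as $value) {
        $value = (string) $value;
        // Quoted attribute: the value may contain spaces.
        // Encoded attribute: the value may contain quotes, <, > or &.
        $html .= '<option value="' . $attr($value) . '"'
               . ($value === $selected ? ' selected' : '') . '>'
               . $attr($value) . "</option>\n";
    }
    return $html . '</select>';
}

// Constructed sample rows standing in for country_list.country_name.
$countries = ['AMERICA', 'REPUBLIC OF KOREA', "COTE D'IVOIRE", 'TRINIDAD & TOBAGO'];
echo render_select('country', $countries, 'REPUBLIC OF KOREA');
```

The browser decodes the entities before submitting the form, so insert.php still receives the original name in $_POST['country'].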
I am trying to simply display two fields from a table, e.g. firstname, lastname, combine them and display in a dropdown menu that can be selected, and is stored along with other data the user inputs. The code below works for one field, but I am struggling to combine the lastname; I have tried concat but I think I did that wrong. Thanks in advance.
//Drop Down Select
$sql = "SELECT concat (firstname, lastname) as username FROM users_tbl";
$result = pg_query($sql);
echo "<select name='firstname'>";
while ($row = pg_fetch_array($result)) {
echo "<option value='" . $row['firstname'] . "'>" . $row['firstname'] ."</option>";
}
echo "</select>";
// close connection
Try this way:-
$sql = "SELECT concat (firstname, lastname) as username FROM users_tbl";
$result = pg_query($sql);
echo "<select name='firstname'>";
while ($row = pg_fetch_array($result)) {
echo '<option value="'.$row['username'].'" >'.$row['username'].'</option>';
}
echo "</select>";
// close connection
Either rely on SQL...
while ($row = pg_fetch_array($result)) {
echo "<option value='" . $row['username'] . "'>" . $row['username'] . "</option>";
}
OR don't use CONCAT in SQL and do it with PHP:
while ($row = pg_fetch_array($result)) {
echo "<option value='" . $row['firstname'] . " " . $row['lastname'] . "'>" . $row['firstname'] . " " . $row['lastname'] . "</option>";
}
but do not do both.