I am trying to delete a product listing from my shirt_types table (which is tee-shirt products). I have an administrator page that list all the items in the table along with there information. I have added a delete link at the end of the columns for each item. When I click the delete button it redirects me to the shirt_delete page like wanted, but then nothing. It includes the header, then the rest of the page is blank. I think at the very least, the header and the footer should be displayed but this is not the case. Below is the code I used is list_shirts:
$select_shirts = "SELECT shirt_type, shirt_quantity, shirt_color, price, shirt_description, photo, shirt_types_id from shirt_types order by $sort";
$exec_select_shirts = #mysqli_query($link, $select_shirts);
if(!$exec_select_shirts){
echo "The shirt types information could not be retrieved from the shirt_types table because of: ".mysqli_error($link);
mysqli_close($link);
include('footer_admin.php');
die();
} else {
echo "<div id='list_users'><table id='list_user' border='0'>";
echo "<tr>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=size&bool=".!$bool."'>Size</a></th>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=qnty&bool=".!$bool."'>Quantity</a></th>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=color&bool=".!$bool."'>Color</a></th>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=price&bool=".!$bool."'>Price</a></th>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=desc&bool=".!$bool."'>Description</a></th>";
echo "<th><a href='".$_SERVER['PHP_SELF']."?sort=photo&bool=".!$bool."'>Photo</a></th>";
echo "<th>Delete</th>";
echo "</tr>";
while ($one_row = mysqli_fetch_assoc($exec_select_shirts)) {
echo "<tr>";
echo "<td class='first'>".$one_row['shirt_type']."</td>";
echo "<td class='second'>".$one_row['shirt_quantity']."</td>";
echo "<td class='first'>".$one_row['shirt_color']."</td>";
echo "<td class='second'>".$one_row['price']."</td>";
echo "<td class='first'>".$one_row['shirt_description']."</td>";
echo "<td class='second'><img src='./images/".$one_row['photo']."' /></td>";
echo "<td class='first'><a href='shirt_delete.php?shirt_types_id=".$one_row['shirt_types_id']."'>Delete</a></td>";
echo "</tr>";
}
and here is the shirt_delete.php file that I am attempting to use to delete the shirts and their information from the database.
<?php
require('mysql_connect.php');
session_start();
if (isset($_SESSION['shirt_users_id']) && isset($_SESSION['full_name'])) {
$title="Delete Shirts Page";
include_once("header_admin.php");
if(!empty($_GET['shirt_types_id'])){
$shirt_types_id = $_GET['shirt_types_id'];
mysqli_query($link, "SET AUTOCOMMIT = 0");
$del_shirt_users_id = "DELETE shirt_types.*
FROM shirt_types
WHERE shirt_types_id = $shirt_types_id";
$$del_shirt_types_id = #mysqli_query($link, $del_shirt_types_id);
if(!$$del_shirt_types_id){
rollback(mysqli_error($link));
}else{
mysqli_query($link, "COMMIT");
header('refresh: 0; url=list_shirts.php');
}
}else{
echo "Problem occurred";
header('refresh: 3; url=list_shirts.php');
}
} else {
echo "You are not an authentic administrator. Being directed to the login page...";
header("Refresh: 2; url='login.php'");
}
mysqli_close($link);
require("footer.php");
die();
?>
NOTE: I understand that SQL injection is a real thing and in a real world application that this code would not suffice. But this is a part one course of a three part series. We are not to worry about sql injection at the present moment in time. Thank you everyone for your suggestions and worries about this though!
Try using, Remove shirt_types.*
$del_shirt_users_id = "DELETE FROM shirt_types
WHERE shirt_types_id = $shirt_types_id";
instead of
$del_shirt_users_id = "DELETE shirt_types.*
FROM shirt_types
WHERE shirt_types_id = $shirt_types_id";
and also, change :
$del_shirt_types_id = #mysqli_query($link, $del_shirt_types_id);
if(!$del_shirt_types_id){
instead of
$$del_shirt_types_id = #mysqli_query($link, $del_shirt_types_id);
if(!$$del_shirt_types_id){
By building SQL statements with outside variables, you are leaving yourself wide open to SQL injection attacks.
In your specific case, if someone shirt_types_id with a value of "0 or (1=1)", then the SQL that you will create will look roughly like this:
DELETE FROM shirt_types WHERE shirt_types_id = 0 or (1=1)
and since 1=1 is always true, then you will delete every shirt_types record.
Please learn about using parametrized queries, preferably with the PDO module, to protect your web app. http://bobby-tables.com/php has examples to get you started, and this question has many examples in detail.
Related
I have this piece of code below. It displays the image and name of all the entries in a table in my database. The name is set up to become a hyperlink.Is it possible to make it so when one specific name is clicked that data for only that specific name will be displayed on the page you are sent to?
So for example if I select the first entry that is displayed back "mealname1" and it takes me to the showrecipe.php page, can I make it so I can display all the data I have for "mealname1" and only "mealname1". I'm really lost, I have scoured the internet and my php books but can't find anything to that is relevant.
If there is no way of doing it is there an obvious solution that I am missing?... I am very much a novice to this... thanks for your help guys.
<?php
require("db.php");
$prodcatsql = "SELECT * FROM recipes";
$prodcatres = mysql_query($prodcatsql);
$numrows = mysql_num_rows($prodcatres);
if($numrows == 0)
{
echo "<h1>No Products</h1>";
echo "There are no recipes available right now.";
}
else
{
echo "<table id='recipetable'>";
while($prodrow = mysql_fetch_assoc($prodcatres))
{
echo "<tr>";
if(empty($prodrow['image'])){
echo "<td><img
src='./images/No_image.png' alt='"
. $prodrow['mealname'] . "'></td>";
}
else {
echo "<td><img src='./images/".$prodrow['image']
. "' alt='"
. $prodrow['mealname'] . "'></td>";
}
echo "<td>";
echo ''.$prodrow['mealname'].'';
echo "</td>";
echo "</tr>";
}
echo "</table>";
}
?>
Change the query to
SELECT * FROM recipes WHERE mealname='$mealname' LIMIT 1;
You can remove "LIMIT 1" if you want but this makes sure you will only get 1 or 0 row back. Don't forget to escape the string.
This is probably a really obvious error. Anyway, some details:
I have an oracle database that I need to extract data from to populate a table on a PHP page. The table is called Flowers and has Name, Price and Stock columns.
The part of the PHP code I'm having trouble with is this:
$titlevalue = Trim($_REQUEST['search']);
$query = "SELECT * FROM FLOWERS WHERE NAME = '$titlevalue'";
$stmt = OCIParse($connect, $query);
if(!$stmt) {
echo "An error occurred in parsing the sql string.\n";
exit;
}
OCIExecute($stmt);
The rest of my PHP works -perfectly- when using a different table on my database, which I did as a test. Just in case, this is the code that prints the query results (it's part of an HTML table, but you can ignore that):
while(OCIFetch($stmt)) {
echo "<tr valign=top bgcolor=#F7D4A3>";
$fg1 = OCIResult($stmt,"NAME");
echo "<td width=75>";
echo $fg1;
echo "</td>";
// Display values in column two.
$fg2 = OCIResult($stmt,"PRICE");
echo "<td width=75>";
echo ($fg2);
echo "</td>";
// Display values in column three
$fg3 = OCIResult($stmt, "STOCK");
echo "<td width=75>";
include($fg3);
echo "</td>";
echo "</tr>";
}
No matter what $titlevalue becomes, I just can't get results with this table. I have also tested it with a generic $query = "SELECT * FROM FLOWERS";, but that didn't produce anything either.
Could someone please lend a hand? :( It's been a very long night.
If I may, two things just to note:
1) you're using '$titlevalue', i think that will translate as ... $titlevalue in the query, and not its value
2) Its late ... have you checked that your table is called FLOWERS (case sensitivity)
I'd comment, but I dont have the rep to do so.
If this was helpful, please +1 or click the tickmark. I normally try and use the full format when doing sql queries
SELECT * FROM `table name` WHERE 'x'
... etc. where possible
I currently have a table generated by a sql query. The url to the page is http://skunkboxstudios.com/dev/ofa-courses/
In the table, there is a button on each row that displays a modal window that shows more details of the row it's on. How do I tell the modal window to only select information regarding the row it's on.
Here is the code for the table on the page:
global $wpdb;
$courses = $wpdb->get_results("SELECT * FROM section_view;");
$results = array();
echo "<table>";
echo "<tr>";
echo "<th>Section Name</th>";
echo "<th>Section Description</th>";
echo "<th>Start Date</th>";
echo "<th>End Date</th>";
echo "<th>Location</th>";
echo "<th>Details</th>";
echo "</tr>";
foreach($courses as $course){
$sectionname = "$course->section_name";
$sectiondescription = "$course->section_description";
$sectionstartdate = "$course->term_startdate";
$sectionenddate = "$course->term_enddate";
$sectionlocation= "$course->location_name";
$sectionid = "$course->section_id";
echo "<tr>";
echo "<td>$sectionname</td>";
echo "<td>$sectiondescription</td>";
echo "<td>$sectionstartdate</td>";
echo "<td>$sectionenddate</td>";
echo "<td>$sectionlocation</td>";
echo "<td>$sectionid</td>";
echo "<td>";
echo "<button class='element' onclick='javascript:openDialog();'>Details</button>";
echo "</td>";
echo "</tr>";
}
echo "</table>";
The code for the modal window is here:
$details = $wpdb->get_results(
"SELECT * FROM section_view WHERE section_id = '$sectionid';");
foreach($details as $detail){
echo "<h2>".$detail->section_name."</h2>";
echo "<table>";
echo "<tr>";
echo "<td>".$detail->section_name."</td>";
echo "<td>".$detail->section_description."</td>";
echo "</tr>";
echo "</table>";
}
echo "<button class='element' onclick='javascript:closeDialog();'>Close</button>";
So I need the query in the modal window to SELECT * FROM section_view WHERE section_id = 'the section_id corresponding to the row of the table it's on'
If anybody can help me out, please do. I'll post more information if you need it as well. Thanks.
Not a method I use often but I think you need to include the section_id in the URL for your openDialog() call. e.g.
echo "<button class='element' onclick='javascript:openDialog(\"myurl.php?sectionid=${sectionid}\");'>Details</button>";
You can then include:
$sectionid=$_GET["sectionid"];
at the top of your modal window script.
Any help?
There are some quick fix as well alternative method of correct process (but obvious a lengthy one)
1. Create a function in functions.php and add your code to modal window there.
On click of "details" link call this function using AJAX (make use of admin-ajax.php)
return the HTML to display as string from method and show in modal window.
Let me know if further details or assistance is required.
How can I show the delete and edit link to the user who has posted the comment? Just like in Facebook only the person who has posted the comment is allowed to edit or delete the comment. Below are my "show comments", "show delete" and "edit comment" PHP files:
<?php
include_once("includes/settings.php");
connect();
$result=mysql_query("SELECT * FROM comments ORDER BY id DESC");
echo "<table width='80%' border=0>";
echo "<tr bgcolor='#CCCCCC'>";
echo "<td>Name</td>";
echo "<td>Comments</td>";;
echo "</tr>";
while($res=mysql_fetch_array($result)){
echo "<tr>";
echo "<td>".$res['Name']."</td>";
echo "<td>".$res['Comments']."</td>";
echo "<td>Edit | Delete</td>";
}
echo "</table>";
?>
Below is edit.php
<?php
error_reporting(0);
include_once("settings.php");
connect();
if(isset($_POST['submit'])) {
$id = $_POST['id'];
$Comments=$_POST['Comments'];
if(empty($Comments)) {
echo "<font color='red'>Comments field is empty.</font><br/>";
}
else {
$result=mysql_query("UPDATE comments SET Comments='$Comments' WHERE id=$id");
echo "Your comments has been edited you will be redirected to the members area page automatically or <a href='../index_ma.php'>click here to go back</a>";
header('refresh: 3; url=../index_ma.php');
}
}
?>
<?php
$id = $_GET['id'];
$result=mysql_query("select * from comments where id='$id'");
while($res=mysql_fetch_array($result))
{
$Comments = $res['Comments'];
}
?>
Below is delete.php
<?php
include_once("settings.php");
connect();
$id = $_GET['id'];
$result=mysql_query("DELETE FROM comments where id=$id");
echo "Your comments has been deleted you will be redirected to the members area page automatically or <a href='../index_ma.php'>click here to go back</a>";
header('refresh: 3; url=../index_ma.php');
?>
This depends on your database schema. I am assuming you have a column that stores the user id. With that, you would so something like this:
if ($CurrentUserId == $res['CommentatorId']) {
echo "<td>Edit | Delete</td>";
}
else {
echo "<td></td>";
}
You would use the above block instead of your echo "<td><a href=... line in the first code block.
This is how your block would look:
<?php
include_once("includes/settings.php");
connect();
$result=mysql_query("SELECT * FROM comments ORDER BY id DESC");
echo "<table width='80%' border=0>";
echo "<tr bgcolor='#CCCCCC'>";
echo "<td>Name</td>";
echo "<td>Comments</td>";;
echo "</tr>";
while($res=mysql_fetch_array($result)){
echo "<tr>";
echo "<td>".$res['Name']."</td>";
echo "<td>".$res['Comments']."</td>";
if ($CurrentUserId == $res['CommentatorId']) {
echo "<td>Edit | Delete</td>";
}
else {
echo "<td></td>";
}
}
echo "</table>";
?>
I'm not sure if you do so
but in your comments table you need to save the id of the user who posted the comment, then in edit.php you need to check if the id of the user logged in is equal to the id of the person trying to edit the comment
If yes, then edit, if not then don't allow him to edit it.
In the following code I will suppose that you save the id of the user in the comments table as user_id
$comment_id = intval($_GET['id']);
$result = mysql_query("SELECT user_id FROM Comments WHERE id = $comment_id");
$row = mysql_fetch_array($result);
if($row['user_id'] == $user_id) {
// Edit the comment
} else {
// Not permitted to edit the comment
}
I also noticed that you are still using mysql which got deprecated so I suggest you start using mysqli, I also noticed that you are not sanitizing your variables which is very wrong and could cause your database to be injected. Also, in edit.php you sent the id in a link so that is $_GET not $_POST as I edited in my code.
This functionality is applicable only if there is users and login system on your application. If we suppose that the field Name in your comments table is unique and assign the user name (from users table of course) that had wrote the comment, so during a successful login, you have to set this Name value in a session variable, then during printing out the comments you check for this session value and the Name value of the comment to print out the edit and delete links.
Notice: This answer is an algorithm of implementation.
I am making a website for a mock book database using MSSQL where users can search for different books and select particular books that they might like to add to a list of favorites under their account name. The problem I am having is that I have no idea how to differentiate which book selection they want to add to their favorites because I can't figure out how to set the ISBN of the book, which uniquely identifies it, to a php session variable. If anyone can shed some light on this I would appreciate it, have been trying to figure it out all day.
//Set up connection
$connection = mssql_connect("$hostName", "$sqlUsername", "$sqlPassword")
or die("ERROR: selecting database server failed.");
//Select database
mssql_select_db($databaseName, $connection)
or die("ERROR: Selecting database failed");
//Search to run if searching for book title
if(isset($_GET['searchBook'])){
$searchBook = $_GET['searchBook'];
$query = "SELECT BOOK.ISBN, Title, Author, Publisher, NumberOfPages, Language, LocationName, ListPrice FROM BOOK, PRICE, LOCATION WHERE Title LIKE '%$searchBook%' AND BOOK.ISBN = PRICE.ISBN AND PRICE.LocationID = LOCATION.LocationID";
}
//Search to run is searching for a book author
if(isset($_GET['searchAuthor'])){
$searchAuthor = $_GET['searchAuthor'];
$query = "SELECT BOOK.ISBN, Title, Author, Genre, Publisher, NumberOfPages, Language, LocationName, ListPrice FROM BOOK, PRICE, LOCATION WHERE Author LIKE '%$searchAuthor%' AND BOOK.ISBN = PRICE.ISBN AND PRICE.LocationID = LOCATION.LocationID";
}
//Store query result
$query_result = mssql_query($query, $connection)
or die( "ERROR: Query is wrong");
//Set up table to display search results
echo "<form action=\"addFavorite.php\" method=\"POST\" name=\"table\">";
echo "<table border=1 align=\"center\">";
echo "<tr>";
// fetch attribute names
while ($filed = mssql_fetch_field($query_result)) {
echo "<th>".$filed->name."</th>";
}
echo "<th>Favorite</th>";
echo "</tr>";
// fetch table records
while ($line = mssql_fetch_row($query_result)) {
echo "<tr>\n";
foreach ($line as $eachline) {
echo "<td> $eachline </td>";
}
echo "<td><input name=\"".$line['index']."\" type=\"submit\" value=\"Add To Favorites\"></td>";
echo "</tr>\n";
}
echo "</table>";
echo "</form>";
Not sure if this is relevant but the following code is my best attempt at getting the value of ISBN that corresponds to the row of the button being clicked, which doesn't exactly work like I had hope.
//Get the ISBN
$data = mssql_fetch_assoc($query_result);
$ISBN = $data['ISBN'];
echo $ISBN;
Here is the code for my addFavorite.php which is where the form action is set to. This is the file that needs to know what user is adding a book as a favorite AND what book they are adding to that list.
//Set up connection
$connection = mssql_connect("$hostName", "$sqlUsername", "$sqlPassword")
or die("ERROR: selecting database server failed.");
//Select database
mssql_select_db($databaseName, $connection)
or die("ERROR: Selecting database failed");
$User = $_SESSION['userID'];
//Set up query
$query = "INSERT INTO FAVORITES VALUES(\"$User\",\"**I NEED A SESSION VARIABLE OR SOMETHING TO GO HERE\")";
//Store query result
$query_result = mssql_query($query, $connection)
//or die( "ERROR: Query is wrong");
Any help would be much appreciated. I know it's alot of information and if there is anything that doesn't make sense or I have forgotten to provide please let me know. Thanks.
EDIT
I have tried using the BUTTON instead of using INPUT but the value of the button is not setting to anything for some reason.
echo "<form action=\"addFavorite.php\" method=\"POST\" name=\"table\">";
echo "<table border=1 align=\"center\">";
echo "<tr>";
// fetch attribute names
while ($filed = mssql_fetch_field($query_result)) {
echo "<th>".$filed->name."</th>";
}
echo "<th>Favorite</th>";
echo "</tr>";
// fetch table records **PROBLEM IN HERE since $line['ISBN'] returns nothing**
while ($line = mssql_fetch_row($query_result)) {
echo "<tr>\n";
foreach ($line as $eachline) {
echo "<td> $eachline </td>";
}
echo "<td><button name=\"FavoriteButton\" type=\"submit\" value=\"".$line['ISBN']."\">Add To Favorites</button></td>";
echo "</tr>\n";
}
echo "</table>";
echo "</form>";
EDIT 2
Finally got it working, thanks to everyone for helping! Partial code that was problematic posted below in working condition.
echo "<form action=\"addFavorite.php\" method=\"POST\" name=\"table\">";
echo "<table border=1 align=\"center\">";
echo "<tr>";
// fetch attribute names
while ($filed = mssql_fetch_field($query_result)) {
echo "<th>".$filed->name."</th>";
}
echo "<th>Favorite</th>";
echo "</tr>";
// fetch table records
while ($line = mssql_fetch_row($query_result)) {
echo "<tr>\n";
foreach ($line as $eachline) {
echo "<td> $eachline </td>";
}
echo "<td><button name=\"FavoriteButton\" type=\"submit\" value=\"".$line[0]."\">Add To Favorites</button></td>";
echo "</tr>\n";
}
echo "</table>";
echo "</form>";
Use a BUTTON-element instead of the INPUT-element. That way, you can use the 'value'-attribute of this element to pass the correct value.
echo "<td><button name=\"$line['index']\" value=\"$line['ISBN']\" type=\"submit\">Add to favorites</button></td>";
Although I would suggest using AJAX instead of the above approach for this: use the onclick event from a button to execute javascript that calls a seperate php-file and passes the correct ISBN-number. This is then added to the database and your original page should be refreshed or part of the page reloaded.