I have downloaded a shopping cart for my site.
It has a PHP file to fill out the basket. The basket will show added items in rows; here is the code:
<?php
define('INCLUDE_CHECK',1);
require "XXXXX/XXXXX.php";
if(!$_POST['img']) die("There is no such product!");
$img=mysql_real_escape_string(end(explode('/',$_POST['img'])));
$row=mysql_fetch_assoc(mysql_query("SELECT * FROM XXXXXX WHERE img='".$img."'"));
$prsize=mysql_fetch_assoc(mysql_query("SELECT * FROM BBBBBB WHERE id='".$row['id']."'"));
echo '{status:1,id:'.$row['id'].',price:'.$row['price'].',txt:\'\
\
<table width="100%" id="table_'.$row['id'].'">\
<tr>\
<td width="60%">'.$row['name'].'</td>\
<td width="10%">$'.$row['price'].'</td>\
<td width="15%"><select name="'.$row['id'].'_cnt" id="'.$row['id'].'_cnt" onchange="change('.$row['id'].');">\
<option value="1">1</option>\
<option value="2">2</option>\
<option value="3">3</option></slect>\
\
</td>\
<td width="15%"><select name="'.$prsize['id'].'_cnt" id="'.$prsize['id'].'_cnt" onchange="change('.$prsize['id'].');">\
I need to put this
while($item = mysqli_fetch_array($result))
{
here to make a dynamic select menu for the size
<option value="'.$prsize['id'].'">'.$prsize['id'].'</option>\
end while
}
\
</td>\
<td width="15%">remove</td>\
</tr>\
</table>\'}';
?>
But I couldn't figure out how to put the PHP while in there; I have tried to use "" or '' but no luck.
How should I quote the PHP while inside this HTML code?
Thanks
Maybe something like this:
$options = "";
while($item = mysqli_fetch_array($result))
$options .= "<option value=\"$item[id]\">$item[id]</option>\\\n";
and then just use it
echo '{status:1,id:'.$row['id'].',price:'.$row['price'].',txt:\'\
\
<table width="100%" id="table_'.$row['id'].'">\
<tr>\
<td width="60%">'.$row['name'].'</td>\
<td width="10%">$'.$row['price'].'</td>\
<td width="15%"><select name="'.$row['id'].'_cnt" id="'.$row['id'].'_cnt" onchange="change('.$row['id'].');">\
'.$options.'</select>\
...
Or you can simply break your echo in two and put your loop between the calls:
echo '{status:1,id:'.$row['id'].',price:'.$row['price'].',txt:\'\
\
<table width="100%" id="table_'.$row['id'].'">\
<tr>\
<td width="60%">'.$row['name'].'</td>\
<td width="10%">$'.$row['price'].'</td>\
<td width="15%"><select name="'.$row['id'].'_cnt" id="'.$row['id'].'_cnt" onchange="change('.$row['id'].');">\
';
while($item = mysqli_fetch_array($result))
echo "<option value=\"$item[id]\">$item[id]</option>\\\n";
echo '</select>\
\
</td>\
...
Btw, your </select> is missing one "e" (it says </slect>).
My eyes bleed whenever I see PHP and HTML mixed together like that.
There are 6 things that I'd like to highlight in your code:
1) It seems to me like you're trying to build some kind of JSON string with your php, here's my evidence:
echo '{status:1, id:'.$row['id'].'}'; //The rest of your code
I'd like to make you aware of the command json_encode that transforms a php array into JSON-like string that can be read by JavaScript (just to name one) and manipulated in whatever way you want.
This is the way you use it:
$myJSONobject = json_encode($myarray);
2) mysql_ functions are deprecated
I don't know how many times I have to type this per day, but they are, do not use them anymore. Even if you're reading an outdated tutorial or one written by a bad programmer that still uses mysql_* functions in 2013.
Deprecated means that those functions can go away at any point in time, if your server updates to a PHP version that no longer has deprecated functions, all your code will be broken and you're going to wonder why.
From now on, you have to use mysqli or PDO
4) Your SQL is vulnerable to SQL Injection
$prsize=mysql_fetch_assoc(mysql_query("SELECT * FROM BBBBBB WHERE id='".$row['id']."'"));
I'm pretty sure you're writing statements like that all over your program, I'm also pretty sure that at some point you're accepting input from the user and making a SQL query like that.
If a malicious user decides to enter 1 OR 1=1 that user is going to execute a SQL statement that he is not supposed to execute, something like:
SELECT * FROM BBBBBB WHERE id = 1 OR 1=1
That could have been prevented if instead of using mysql_* functions you would have used mysqli or PDO
Because those libraries come with prepared statements. A prepared statement forces the SQL engine to understand your query BEFORE any data is passed to it. Therefore, if a malicious user tries the good ol' OR 1 = 1, it won't matter because the SQL engine will handle it as any other string, and not as a command.
5) Your code is an ugly mess.
Even if this comment doesn't look like constructive criticism, it actually is, read on to find out why.
The way you're coding this program, makes it hard to maintain. You shouldn't be mixing PHP and HTML together the way you're doing it.
Most of the time you should only echo or return raw data.
If you're markup code, the vast majority of time, you're doing it wrong.
6) Do not use onclick in HTML anymore, it's TERRIBLE practice. Use Event Listeners instead
Click me
<script type="text/javascript">
var link = document.getElementById("test");
link.addEventListener("click", function() {
link.innerHTML = "Do not click me anymore please";
});
</script>
Back to your question, there's no need to write that mess if you want to mix PHP and HTML, I'm going to show you a cleaner way to output this:
$prsize=mysql_fetch_assoc(mysql_query("SELECT * FROM BBBBBB WHERE id='".$row['id']."'"));?>
{
status:1,
id:<?=$row['id']?>,
price:<?=$row['price']?>,
txt:
<table width="100%" id="table_<?=$row['id']?>">
<tr>
<td width="60%"><?=$row['name']?></td>
<td width="10%">$<?=$row['price']?></td>
<td width="15%">
<select name="<?=$row['id']?>_cnt" id="<?=$row['id']?>_cnt" onchange="change(<?=$row['id']?>);">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
</select>
</td>
<td width="15%">
<select name="<?=$prsize['id']?>_cnt" id="<?=$prsize['id']?>_cnt" onchange="change(<?=$prsize['id']?>);">
<?php while($item = mysqli_fetch_array($result)): ?>
<option value="<?=$item['id']?>"><?=$item['id']?></option>
<?php endwhile; ?>
</select>
</td>
<td width="15%">
remove
</td>
</tr>
</table>
}
Hope this helps, then again... if you're creating JSON... use JSON_ENCODE
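The advice in this answer (json_encode instead of a hand-built string, prepared statements instead of concatenated SQL) applied to the basket endpoint, as an added example that is not code from the original posts. The `products` and `sizes` tables, their columns and the `_size` field suffix are assumptions, and an in-memory SQLite database with constructed rows stands in for the MySQL one so the script runs stand-alone.

```php
<?php
// Added example. Table/column names (products, sizes, product_id, label) are
// assumptions; an in-memory SQLite database stands in for the MySQL one.

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, img TEXT, name TEXT, price REAL)');
    $pdo->exec('CREATE TABLE sizes (id INTEGER PRIMARY KEY, product_id INTEGER, label TEXT)');
    // Constructed sample rows; the product name contains markup and quotes on purpose.
    $pdo->exec("INSERT INTO products VALUES (1, 'shirt.png', 'Shirt <b>\"promo\"</b>', 19.5)");
    $pdo->exec("INSERT INTO sizes VALUES (10, 1, 'S'), (11, 1, 'M'), (12, 1, 'L')");
    return $pdo;
}

function h(string $s): string
{
    // Encode for an HTML text node or a quoted attribute value.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function basket_row(PDO $pdo, string $imgParam): array
{
    // Same idea as end(explode('/', ...)) in the question: keep the file name only.
    $img = basename($imgParam);

    // Placeholders keep the value out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE img = ?');
    $stmt->execute([$img]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return ['status' => 0, 'error' => 'There is no such product!'];
    }
    $id = (int) $row['id'];

    // The loop the question asked about: build the <option> list first.
    $stmt = $pdo->prepare('SELECT id, label FROM sizes WHERE product_id = ? ORDER BY id');
    $stmt->execute([$id]);
    $options = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $size) {
        $options .= '<option value="' . (int) $size['id'] . '">' . h($size['label']) . '</option>';
    }

    $html = '<table width="100%" id="table_' . $id . '"><tr>'
          . '<td width="60%">' . h($row['name']) . '</td>'
          . '<td width="10%">$' . h(number_format((float) $row['price'], 2)) . '</td>'
          . '<td width="15%"><select name="' . $id . '_size" id="' . $id . '_size">'
          . $options . '</select></td>'
          . '</tr></table>';

    // Plain PHP array; json_encode() does all quoting and escaping of the HTML string.
    return ['status' => 1, 'id' => $id, 'price' => (float) $row['price'], 'txt' => $html];
}

// Under the CLI $_POST is empty, so the constructed default path is used.
$img = is_string($_POST['img'] ?? null) ? $_POST['img'] : 'images/shirt.png';
header('Content-Type: application/json; charset=utf-8');
echo json_encode(basket_row(demo_db(), $img),
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), "\n";
```

The output is strict JSON with quoted keys, so a client that evaluated the old hand-built string needs to read it with JSON.parse instead.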
$SQL = "SELECT * from xxx WHERE img = '".mysql_real_escape_string($img)."'";
$result = mysql_query( $SQL );
while( $item = mysql_fetch_array( $result ) ) {
echo '<option value="'.$item['id'].'">'.$item['id'].'</option>';
}
I have a table where is one week displayed (each row is one day).
I get the rows from a while loop from my database. The rows are displayed in bootstrap accordions.
There is a textarea in every accordion row where the user can input (update) some text.
I want to update this text into my database. It should update the text depending on the day id.
<form method="POST" action="">
<table class="table table-hover" style="border-collapse:collapse;">
<thead>
<tr>
<th>Weekday</th>
<th>Date</th>
</tr>
</thead>
<tbody>
<?php
// Select Statement (for shortening not included into this Stack question)//
while($row = $statement->fetch()) {
$thedate = $row['Date'];
$weekday=strftime("%A", strtotime($thedate));
$date=date('d-m-Y', strtotime($thedate));
echo "<tr data-toggle='collapse' data-target=#".$row['Date']." class='clickable collapse-row collapsed'>";
echo "<td >".$weekday."</td>";
echo "<td>".$date."</td>";
echo" <td style='color:black; font-size:20px;'><i class='fas fa-angle-down'></i></td>";
echo "</tr>";
echo "<tr><div class='accordian-body collapse' id=".$row['Date'].">
<td colspan='1' class='hiddenRow'><textarea name=".$row['id']." rows='5' cols='80'>".$row['Text']." </textarea></td>
</div></tr>";
// the $row['id'] should give every textarea a unique dayid from my database
}
if(ISSET($_POST['id'])){
$debug=$_POST['id'];
}
var_dump($debug); // var_dump for debugging. See text below
?>
</tbody>
</table>
<button type="submit" name="Speichern" class="btn btn-lg btn-primary btn-block">Speichern</button>
</form>
Before writing the SQL Update Statement I wanted to debug to find possible bugs.
If I debug this with var_dump I get the error message "Undefined variable $debug" and I don't know why. The variable shouldn't be empty because there is always text in the textareas.
I'm new to PHP and coding at all so I'm probably making a dumb mistake.
EDIT: If I put the var_dump inside the if condition I get nothing as return.
I tried it also with the var_dump in the if block but then I get nothing as return.
That’s because you do not have any form field that is actually named id. You put name=".$row['id']." on your textarea, and that is likely a numeric value. And you probably don’t know which one that will be, on the receiving end.
Plus, since you are creating multiple such fields in a loop, PHP will overwrite all values for this parameter with the last one. You need to use a naming scheme that includes square brackets to avoid that, something like name="foo[]" - then $_POST['foo'] will become an array that you can loop over.
And since you will still need your record ID to associate with the data, you can put that into the brackets, name="foo[123]" – then this 123 will become the key of that array element, for this specific textarea.
If you loop over that using the extended foreach syntax, then you have easy access to the ID, and the value entered by the user:
foreach( $_POST['foo'] as $id => $value ) { … }
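The receiving side of the `name="foo[123]"` scheme described above, as an added example that is not part of the original answer. The field name `text`, the `days` table and the constructed `$post` array are assumptions; an in-memory SQLite database is used so the script runs stand-alone.

```php
<?php
// Added example. The field name "text", the table "days" and its columns are
// assumptions; an in-memory SQLite database stands in for the real one.

function render_textarea(array $row): string
{
    // name="text[<id>]" makes PHP build $_POST['text'] as an array keyed by day id.
    return '<textarea name="text[' . (int) $row['id'] . ']" rows="5" cols="80">'
         . htmlspecialchars($row['Text'], ENT_QUOTES, 'UTF-8')
         . '</textarea>';
}

function save_day_texts(PDO $pdo, array $post): int
{
    $texts = $post['text'] ?? null;
    if (!is_array($texts)) {
        return 0; // field missing, or sent as name="text" without brackets
    }
    $stmt = $pdo->prepare('UPDATE days SET Text = :text WHERE id = :id');
    $updated = 0;
    foreach ($texts as $id => $value) {
        // Keys and values both come from the browser: accept only positive
        // integer ids and plain strings (text[3][] would arrive as an array).
        $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || !is_string($value)) {
            continue;
        }
        $stmt->execute([':text' => $value, ':id' => $id]);
        $updated += $stmt->rowCount();
    }
    return $updated;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE days (id INTEGER PRIMARY KEY, Date TEXT, Text TEXT)');
$pdo->exec("INSERT INTO days VALUES (1, '2024-01-01', 'old'), (2, '2024-01-02', 'old')");

// Constructed stand-in for $_POST: two valid textareas plus two entries to reject.
$post = ['text' => [
    1   => 'Monday <notes>',
    2   => "it's Tuesday",
    'x' => 'non-numeric key',
    3   => ['nested array'],
]];

echo save_day_texts($pdo, $post), " row(s) updated\n";

// Re-render the stored values; markup typed by the user is shown as text.
foreach ($pdo->query('SELECT id, Text FROM days ORDER BY id', PDO::FETCH_ASSOC) as $row) {
    echo render_textarea($row), "\n";
}
```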
I've got a search function written in PHP/MySQL which works fine. What I want to happen is that when a user produces a search they can click a button which will submit the $id from the output to a table in my database.
I've copied my code below, the error is within the php echo in the form, it just displays the plain text of the php code.
Everything else works fine, I've tested this by setting value to "" and entering the id myself and then it works. I want it though to be a hidden input in future where the id automatically comes through from the search result. Multiple searches can be returned on the same page and this form is underneath each individual search result.
<?php
$conn = mysqli_connect("localhost","root","","users");
$output = '';
if(isset($_POST['search'])) {
$search = $_POST['search'];
$search = preg_replace("#[^0-9a-z]i#","", $search);
$query = mysqli_query($conn, "SELECT * FROM users WHERE main LIKE '%".$search."%'") or die ("Could not search");
$count = mysqli_num_rows($query);
if($count == 0){
$output = "There was no search results!";
}else{
while ($row = mysqli_fetch_array($query)) {
$id = $row ['id'];
$main = $row ['main'];
$postcode = $row ['postcode'];
$available = $row ['available'];
$email = $row ['email'];
$output .='<div><br><b>Player ID: </b>'.$id.'<br><b>Main:
</b>'.$main.'<br><b>Postcode: </b>'.$postcode.'<br><b>Available:
</b>'.$available.'<br>
<br>
<form action="request_player.php" action="post">
<input type="text" name="id" value="<?php echo $id ?>">
<input type="submit" value="Request Player">
</form>
</div>';
}
}
}
echo $output;
?>
<br> Back to your account
The issue Jay Blanchard highlighted and which you took a bit lightly - perhaps b/c you fear the distraction from your current problem - is actually pretty related to the issue you highlight in your question.
This btw. is nothing uncommon. In this little script you deal with at least three languages: HTML, SQL and PHP. And all these are intermixed. It can happen that things jumble.
There are methods to prevent these little mistakes. What Jay highlighted was about how to encode a SQL query correctly.
The other problem is to encode a HTML string correctly. Let me highlight the part:
$output = '... <input type="text" name="id" value="<?php echo $id ?>"> ...';
In this PHP string you write "<?php echo $id ?>" verbatim, that means, this will be echoed out as-is then.
What you most likely meant was to write it this way:
$output = '... <input type="text" name="id" value="' . $id . '"> ...';
So this seems easy to fix. However, it's important that whether it is SQL or HTML, you need to properly encode the values if you want to use them as SQL or HTML. In the HTML case, you must ensure that the ID is properly encoded as a HTML attribute value. In PHP there is a handy function for that:
$output = '... <input type="text" name="id" value="' . htmlspecialchars($id) . '"> ...';
Or as the ID is numeric:
$output = '... <input type="text" name="id" value="' . intval($id) . '"> ...';
works similarly well.
All user data, that is all input - which includes what you get back from the database (!) - needs to be treated when you pass it into a different language, be it HTML, SQL or JavaScript.
For the SQL Jay has linked you a good resource, for the HTML I don't have a good one at hand but it requires your own thoughtfulness and the will to learn about what you do (write) there. So sharpen your senses and imagine for each operation what happens there and how this all belongs together.
One way to keep things more apart and therefore help to concentrate on the job is to first collect all the data you want to output and then process these variables in a template for the output. That would prevent you to create large strings only to echo them later. PHP echoes automatically and a benefit of PHP is that you can use it easily for templating.
Another way is to first process the form input - again into your own variable structure - which is the programs input part and run first. Then follows the processing of the input data, in your case running and processing the database query. And after that you care about the presentation. That way you have common steps you can become more fluent in.
I hope this is understandable. It's full of further obstacles, but it pays to divide and conquer these programming problems. It will also help you to write more while you need to write less for that.
And btw., you don't need to switch to PDO, you can stick with Mysqli.
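The input / processing / presentation split and the HTML encoding described in this answer, as an added example that is not code from the original thread. Column names follow the question; the constructed rows, the `!` LIKE-escape character and `method="post"` on the form are assumptions, and PDO with in-memory SQLite is used only so the script runs stand-alone (mysqli prepared statements serve the same purpose).

```php
<?php
// Added example. The in-memory SQLite database and its rows are constructed.

function h($value): string
{
    // Encode for an HTML text node or a quoted attribute value.
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

function find_players(PDO $pdo, string $search): array
{
    // Make % and _ typed by the user match literally; '!' is the escape character.
    $like = '%' . strtr($search, ['!' => '!!', '%' => '!%', '_' => '!_']) . '%';
    $stmt = $pdo->prepare(
        "SELECT id, main, postcode, available FROM users WHERE main LIKE ? ESCAPE '!'"
    );
    $stmt->execute([$like]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 1. Input: read the form value into our own variable ('mid' is a CLI default).
$search = is_string($_POST['search'] ?? null) ? trim($_POST['search']) : 'mid';

// 2. Processing: run the query and keep plain data, no markup yet.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, main TEXT, postcode TEXT, available TEXT)');
$pdo->exec("INSERT INTO users VALUES
    (1, 'Midfield', 'AB1 2CD', 'Sat'),
    (2, 'Mid <b>bold</b> & \"quoted\"', 'EF3 4GH', 'Sun'),
    (3, 'Keeper', 'IJ5 6KL', 'Sat')");
$players = $search === '' ? [] : find_players($pdo, $search);

// 3. Presentation: a template that only prints, encoding every value it prints.
?>
<?php if (!$players): ?>
<p>There were no search results!</p>
<?php endif; ?>
<?php foreach ($players as $p): ?>
<div>
  <b>Player ID:</b> <?= (int) $p['id'] ?><br>
  <b>Main:</b> <?= h($p['main']) ?><br>
  <b>Postcode:</b> <?= h($p['postcode']) ?><br>
  <b>Available:</b> <?= h($p['available']) ?><br>
  <form action="request_player.php" method="post">
    <input type="hidden" name="id" value="<?= (int) $p['id'] ?>">
    <input type="submit" value="Request Player">
  </form>
</div>
<?php endforeach; ?>
```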
The reason it is happening is because you have put <?php echo $id ?> inside a string. You want to do the same thing you did elsewhere in your example: value="' . $id . '" It can quickly get confusing when you have single and double quotes happening together. You might be best off learning how to use PHPs multiline strings.
Also, <?= $id ?> is a useful shorthand for <?php echo $id ?> (although you don't want to use either here)
I have a simple code to add banners from admin panel to the index of the site. But the add function doesn't work correctly. Here is the form to add banner
<h2>Add Banner</h2>
<?php include ("../engine/config/config.php"); ?>
<form method="post" action="">
Clicks
<input type="text" name="click" value="0" style="width: 200px;" /> <div class="hr"></div>
Impressions
<input type="text" name="imp" value="0" style="width: 200px;" /> <div class="hr"></div>
LINK
<input type="text" name="url" value="http://" style="width: 200px;" /> <div class="hr"></div>
Size
<select name="razmer">
<option value='468x60'>468x60</option>
<option value='88x31'>88x31</option>
</select>
<div class="hr"></div>
Banner<br />
<input type="text" name="picurl" value="http://" style="width: 200px;" /><div class="hr"></div>
<input type="submit" name="submit" value="Submit"> <br />
</form>
<?
if($_POST['submit']) {
$click = $_POST['click'];
$imp = $_POST['imp'];
$url = $_POST['url'];
$razmer = $_POST['razmer'];
$picurl = $_POST['picurl'];
$sql = "INSERT INTO `banneradd` (click, imp, url, razmer, picurl, username) VALUES ('$click', '$imp', '$url', '$razmer', '$picurl', '')";
$result = mysql_query($sql);
echo "<div class='hr'>The Banner has been added, please go back to the index: <a href='view_reklama.php'> Index </a></div>";
}
?>
So it says it was added but when I go back ITS NOT. There is no error or anything, can someone help? Thanks in advance :)
Okay, there are way too many things wrong with your code, so if you're learning from a particular site or person... find a different source.
Don't open PHP with <?. This is the shorthand style. It is disabled on many if not most web servers, and for good reason -- because XML introduces its encoding using the same opening <? and it causes conflict. Always open your PHP with <?php. http://www.php.net/manual/en/ini.core.php#ini.short-open-tag
Don't use if($_POST['submit']), use if (isset($_POST['submit'])). Your current script should generate an error, but it's probably being masked because PHP defaults to not showing very many errors. It does trigger a warning, though, because you're checking if the variable (or rather array value) $_POST['submit'] is equal to true. In fact, that variable is undefined. Use isset() to check if a variable exists. http://php.net/manual/en/function.isset.php
Sanitize your user's input. If somebody typed a ' into any of your fields, your query would break. Why? Because in your query, you're placing your stringed values in single quotes, and any instance of another single quotation mark would break out of that. There is such a thing as magic quotes in PHP (which automatically escapes POST values), but it's absolutely awful, so please disable it. http://php.net/manual/en/security.magicquotes.php The best way to escape user input is with real escape functions (more on that later).
mysql_ functions are deprecated. Use PDO or MySQLi. If you're getting used to the mysql_ functions, it is easier to transition to MySQLi. For simplicity, I'll use the procedural style, but it's much better to go with the OOP style....
If you want to debug MySQL commands with PHP, you should format your queries carefully, print the error, and also print the computed query, because sometimes you need to look at the actual resulted query in order to see what is wrong with it.
That said, here's what I suggest:
<?php
error_reporting(E_ALL);
// Turn on all error reporting. Honestly, do this every time you write a script,
// or, better yet, change the PHP configuration.
$connection = mysqli_connect('host', 'username', 'password', 'database');
// Somewhere in your config file, I assume you're calling mysql_connect.
// This is a pretty similar syntax, although you won't need mysql_select_db.
if (isset($_POST['submit'])) {
$click = mysqli_real_escape_string($connection, $_POST['click']);
// This will escape the contents of $_POST['click'], e.g.
// if the user inputted: Hello, 'world'! then this will produce:
// Hello, \'world\'!
$imp = mysqli_real_escape_string($connection, $_POST['imp']);
$url = mysqli_real_escape_string($connection, $_POST['url']);
$razmer = mysqli_real_escape_string($connection, $_POST['razmer']);
$picurl = mysqli_real_escape_string($connection, $_POST['picurl']);
$query = "
INSERT INTO `banneradd` (
`click`,
`imp`,
`url`,
`razmer`,
`picurl`,
`username`
)
VALUES
(
'$click',
'$imp',
'$url',
'$razmer',
'$picurl',
''
);
";
// Format your query nicely on multiple lines. MySQL will tell you what line
// the error occurred on, but it's not helpful if everything's on the same line.
$result = mysqli_query($connection, $query);
$error = mysqli_error($connection);
if ($error) {
echo "A MySQL error occurred: $error<br>";
echo "<pre>$query</pre>";
// If an error occurred, print the error and the original query
// so you can have a good look at it.
die;
// Stop executing the PHP.
}
echo '<div class="hr">The Banner has been added, please go back to the index: Index </div>';
}
?>
See if that helps. Chances are, the MySQL error will be helpful with diagnosing the problem. You might have just misspelled a column name or table name.
I have written the code below and it's working. But I want the row number when a ROW is clicked (hope Ajax is okay) and to pass it to a PHP code in the same page. I tried JavaScript and it worked, but not in the way I want. If it's in Ajax it's better. Any HELP would be appreciated :)
if(isset($_POST['search'])){
$search=mysqli_query($con,"SELECT * FROM bus_fares WHERE route_no='$_POST[route_no]'");
$num_rows = mysqli_num_rows($search);
$search1=mysqli_query($con,"SELECT fare FROM fare limit $num_rows ");
$x = 0;
echo" <table id='my_table'><tr><th>Fare Stage</th>
<th>Location</th>
<th>Fare</th>
</tr>";
while($row=mysqli_fetch_assoc($search) and $row1=mysqli_fetch_assoc($search1)){
echo"<tr>";
echo"<td>".$x."</td>";
echo"<td>".$row['location']."</td>";
echo"<td>".$row1['fare']."</td>";
echo"</tr>";
$x++;
}
echo"</table>";
}
What you really want is to not only store the visual data in your table but also some sort of meta data. There are several ways to achieve this.
Method #1: (ab)use the id or class attributes:
The resulting HTML would look like this:
<!-- example with the id-attribute: -->
<tr id="mysql_row_1"> ... </tr>
<tr id="mysql_row_2"> ... </tr>
<!-- example with the class-attribute: -->
<tr class="mysql_row_1"> ... </tr>
<tr class="mysql_row_2"> ... </tr>
This would both generate valid HTML but you would abuse attribute-tags for a purpose they're not implemented for, what is generally regarded as bad. Imagine if you had to store more than just one value. You could assign multiple classes, but you'd get stuck with the id-tag then. Therefore: don't do this!
You'd have to change your code like this to achieve this solution:
(I assume you want the value of $x as the rownumber.)
while ($row=mysqli_fetch_assoc($search) and $row1=mysqli_fetch_assoc($search1)) {
echo '<tr class="mysql_row_'.$x.'" onclick="getRowNumber(this)">';
echo "<td>".$x."</td>";
echo "<td>".$row['location']."</td>";
echo "<td>".$row1['fare']."</td>";
echo "</tr>";
$x++;
}
The javascript part:
// the clicked row is passed in as an argument: inside a function called from an inline handler, "this" is not the row
function getRowNumber(row) {
var rowNumber = row.className.replace("mysql_row_",""); // fetches the classname and removes the extra-strings
alert(rowNumber); // alerts "1", "2", ...
}
Method #2: Use the data-* attributes:
This solution is valid for HTML5. Please add additional information regarding compatibility if you have some.
Your HTML Code will look like this:
<tr data-mysql_row_number="1" onclick="getRowNumber(this)"> .... </tr>
<tr data-mysql_row_number="2" onclick="getRowNumber(this)"> .... </tr>
And the modified javascript:
// the clicked row is passed in as an argument by the inline handler
function getRowNumber(row) {
alert(row.getAttribute("data-mysql_row_number")); // alerts "1", "2", ...
}
This also generates perfectly valid HTML(5) code and lets you store infinite endless amounts of information since you can specify as many data-* attributes as you want to.
Method #3: use invisible <input> fields:
The resulting HTML code:
<tr onclick="getRowNumber(this)">
<td>
Normal content of this field
<input type="hidden" name="mysql_row_number" value="1"/>
</td>
</tr>
And the JS code to fetch the values:
// getElementsByName only exists on document, so the hidden field is looked up inside the clicked row with querySelector
function getRowNumber(row) {
var rowNumber = row.querySelector('input[name="mysql_row_number"]').value;
alert(rowNumber); // alerts "1", "2", ...
}
This as well produces valid HTML but is semantically not really correct in my opinion, since the data inside the <input> fields is some kind of loose and not directly connected to the row. Plus you can make multiple <input> fields with the same name.
I would suggest method #2 ( data-* ), as this is the most flexible solution and uses an attribute that has been designed to store meta-data.
Method #1 would work the most reliably across all (older) browsers since all of them support access to the id or class attribute via JS, as long as you keep the id tag unique.
Method #3 will also be quite reliable with older browsers.
Instead of echo"<tr>"; do :
echo "<tr id='row_".$row['id']."'>";
then when a tr is clicked, just retrieve $(this)[0].id like that with jQuery inside a script tag (be sure jQuery is included, it's a powerful JS library, google it for additional information):
<script>
$("#my_table").on("click", "tr", function(){
alert($(this)[0].id.replace("row_", ""));
});
</script>
An SQL query gives no output through AJAX page when variables are passed in the query. Even the count of number of rows gives zero (0). An echo of the same query with the passed variables shows as having values.
When copy and pasting the same (replacing) from the browser page to the query in the AJAX page it gives a result.
The code is as follows (first SQL code in AJAX page with variables as parameter):
$qu="SELECT DISTINCT bk.bookname,bk.author,bk.publisher,bk.edition,bk.description,lam.article_name,bk.keywords,bk.qtyinstock FROM lib_article_master lam, lib_book_cd_master bk WHERE bk.bookname='$arr[2]' AND bk.author='$arr[3]' AND bk.publisher='$arr[4]' AND bk.article_id=lam.article_id";//here $arr[2],$arr[3],$arr[4] are variables from another query for comparison in AJAX page
$r=QrySelect($qu);
echo " <br> ".$qu;//query is echoed in browser
echo "<br>count : ".mysql_num_rows($r);//count of number of rows
$arr1=mysql_fetch_array($r);
?>
<table width="97%" border="0" >
<tr>
<td width="11%"><div align="left"><strong>Description </strong></div></td>
</tr>
</table>
<textarea name="txt_Keywords" style="width:90%; height:90px"><?php echo $arr1[4]; ?></textarea>
And the output is nothing.
The query, when taken from the browser and put back in code along with values for variables we are getting an output.
$qu="SELECT DISTINCT bk.bookname,bk.author,bk.publisher,bk.edition,bk.description,lam.article_name,bk.keywords,bk.qtyinstock FROM lib_article_master lam, lib_book_cd_master bk WHERE bk.bookname='Java Complete Reference' AND bk.author='Martin D Leuthen' AND bk.publisher='ABS Publications' AND bk.article_id=lam.article_id";//here $arr[2],$arr[3],$arr[4] are replaced as per browser output
$r=QrySelect($qu);
echo " <br> ".$qu;//query is echoed in browser
echo "<br>count : ".mysql_num_rows($r);//count of number of rows
$arr1=mysql_fetch_array($r);
?>
<table width="97%" border="0" >
<tr>
<td width="11%"><div align="left"><strong>Description </strong></div></td>
</tr>
</table>
<textarea name="txt_Keywords" style="width:90%; height:90px"><?php echo $arr1[4]; ?></textarea>
We are getting an output for the above code with correct number of rows from the the database.
Any help will be great.
You should use string concatenation to build your query, like
"SELECT * FROM table WHERE param = '" . $value . "'"
So, your query should look like:
$qu="SELECT DISTINCT bk.bookname,bk.author,bk.publisher,bk.edition,bk.description,lam.article_name,bk.keywords,bk.qtyinstock FROM lib_article_master lam, lib_book_cd_master bk WHERE bk.bookname='".$arr[2]."' AND bk.author='".$arr[3]."' AND bk.publisher='".$arr[4]."' AND bk.article_id=lam.article_id";
Also, don't forget to escape string variables with mysql_real_escape_string().
Got it at last... PHEW...
Just include 'TRIM()' and comparison problem got solved. Don't know still how it managed to work when code was pasted from browser but anyways it's working.
giving the code below ...
$fr0=trim($arr[0]);//'TRIMS' ALL UNWANTED SPACES FOR COMPARISON TO BE PERFECT
$fr1=trim($arr[1]);
$fr2=trim($arr[2]);
$fr3=trim($arr[3]);
$bkr0=strtolower($fr0);//HERE EVERY SINGLE CHARACTER IS TURNED TO 'LOWER CASE' TO REMOVE ALL POSSIBLE WAYS OF ERRORS IN COMPARISON
$bkr1=strtolower($fr1);
$bkr2=strtolower($fr2);
$bkr3=strtolower($fr3);
//NOW COMPARISON FOR EACH VALUE IS DONE IN A WHILE LOOP BY 'mysql_fetch_row'
thank u all for your effort... it really meant a lot !