Hello, I'm trying to swap all my PHP scripts onto a new HTML template. This script was working before I swapped it over to the new template, but now it has stopped working...
I think maybe I could be missing a ' or have a space somewhere where I shouldn't.
Here is my page
<?php
include 'config.php';
$myName = $_POST['myName'] ;
$mydropdown = $_POST['mydropdown'] ;
$_POST['mydropdown'] = mysql_real_escape_string($_POST['mydropdown']);
$_POST['myName'] = mysql_real_escape_string($_POST['myName']);
$sql = "SELECT * FROM user_pokemon WHERE id='".$_POST['myName']."'";
$result = mysql_query($sql) or die(mysql_error());
$battle_get = mysql_fetch_array($result);
$result = mysql_query("UPDATE user_pokemon SET slot=".$_POST['mydropdown']." WHERE id = '".$_POST['myName']."'")
or die(mysql_error());
?>
Inside the config.php file I have the SQL connect and the session start, which work fine on other pages, so I don't think it is that. I'm getting this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id = ''' at line 1
I have a php form which posts to this page.
echo '
<div class="auction_box" style="height:150px">
<form name="myform" action="http://pokemontoxic.net/newy/testing.php" method="POST">
<p> </p>
<p> </p>
<p> </p>
<img src="http://pokemontoxic.net/'.$battle_get['pic'].'" height="96px" width="96px"/><br/>
Name:<br/>' .$v->pokemon. '<br/>
Level:' .$v->level. '<br/>
Exp:' .$v->exp. '<br/>
Slot you want to put your pokemon in
<select name="mydropdown">
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
<option value="6">6</option>
</select>
<input type="hidden" name="myName" value="' . $v->id . '" />
<input type="submit" value="Submit" />
</form>
Which works fine but is sending the info over to the top bit of code.
Let me see. I think this code is redundant; change it
$myName = $_POST['myName'] ;
$mydropdown = $_POST['mydropdown'] ;
$_POST['mydropdown'] = mysql_real_escape_string($_POST['mydropdown']);
$_POST['myName'] = mysql_real_escape_string($_POST['myName']);
to this :
$myName = mysql_real_escape_string($_POST['myName']);
$mydropdown = mysql_real_escape_string($_POST['mydropdown']);
and on your select query try this; if it does not solve it, tell me the error:
$sql = "SELECT * FROM user_pokemon WHERE id='{$myName}'";
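The error text quoted in the question ends at `WHERE id = ''`, which is the UPDATE the script produces when both POST fields arrive empty; `slot=` is also an unquoted numeric position, where string escaping alone does not constrain the value. The following is an added example, not the poster's or the answerer's code: it rebuilds that string and validates both fields as integers before any query is assembled. The function names are hypothetical, and it assumes `id` is a positive integer column.

```php
<?php
// Added example. Function names are hypothetical; sample requests are constructed.

// The UPDATE text as the script on this page assembles it. Escaping an empty
// string returns an empty string, so the escape call is left out here.
function build_update_as_posted(array $post): string
{
    $slot = $post['mydropdown'] ?? '';
    $id   = $post['myName'] ?? '';
    return "UPDATE user_pokemon SET slot=" . $slot . " WHERE id = '" . $id . "'";
}

// Accept only a slot from 1 to 6 (the form's options) and a positive integer id
// (assumption: the id column is an integer key).
// Returns the two integers, or null when either field is missing or malformed.
function validate_slot_request(array $post): ?array
{
    $slot = filter_var($post['mydropdown'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 6]]);
    $id = filter_var($post['myName'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return ($slot === false || $id === false) ? null : ['slot' => $slot, 'id' => $id];
}

$requests = [
    'opened without submitting the form' => [],
    'slot outside the dropdown range'    => ['mydropdown' => '9', 'myName' => '42'],
    'normal submission'                  => ['mydropdown' => '3', 'myName' => '42'],
];
foreach ($requests as $label => $post) {
    echo $label, "\n  as posted: ", build_update_as_posted($post), "\n";
    $clean = validate_slot_request($post);
    echo "  validated: ", $clean === null ? 'rejected' : json_encode($clean), "\n";
}
```

Only the validated integers should reach the query, ideally as bound parameters rather than concatenated text.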
Related
I have a basic question about storing $variable data for later use in an HTML script. Can anyone help me? Right now, the variable $gset is not stored.
<?php
// Update Strictness value
if(isset($_POST['strictness'])){
$gset = $_POST['strictness'];
$strictnessUpdate = "UPDATE users SET strictness = '$gset' WHERE user_id = 1";
mysqli_query($conn, $strictnessUpdate);
echo "strictness value updated";
}
?>
<form method="POST" class="form-align" action="">
<h5 class="my-6">Current Strictness :</h5> <?php echo $gset; ?><br>
<select name="strictness" required>
<option value=""></option>
<option value="15">15</option>
<option value="31">31</option>
</select>
<input type="submit" name="substrict" value="CHANGE">
</form>
<?php
$_grabStrictness ="SELECT strictness FROM users WHERE id = 1";
$gs_query = mysqli_query($conn, $_grabStrictness);
$gs_result = mysqli_fetch_array($gs_query);
if ($gs_result > 0) {
while ($result = mysqli_fetch_array($gs_query)) {
$gset = $result['strictness'];
}
}
if(isset($_POST['strictness'])){
$gset = $_POST['strictness'];
$strictnessUpdate = "UPDATE users SET strictness = '$gset' WHERE user_id = 1";
mysqli_query($conn, $strictnessUpdate);
echo "strictness value updated";
}
?>
<form method="POST" class="form-align" action="setStrictness(<?php $conn ?>)">
<h5 class="my-6">Current Strictness :</h5> <?php echo $gset; ?><br>
<select name="strictness" required>
<option value=""></option>
<option value="15">15</option>
<option value="31">31</option>
</select>
<input type="submit" name="substrict" value="CHANGE">
</form>
I'd like to create "Exact Search" with multiple options but the answer says "Could not search".
In the table, price, one and pre are rows.
If the answer matches one and pre, the separated price will come out. If not, the reply will be "Try again".
Edited : I have three tables - pre, one and price.
- KA 1 will win 100
- KA 5 will win 500
- MA 3 will win 100
- MA 1 will win 200
- BA 3 will win 800
Edited : I changed the code now and no error shown but the result was always 'Try Again'.
<?php
$output = NULL;
$link = mysqli_connect("localhost","root","","searchdemo") or die("Unable to select database" . mysqli_error($link));
if(isset($_GET['search'])){
$searchq = $_GET['search'];
$searchq = preg_replace("#[^0-9a-z]#i","",$searchq);
$query = mysqli_query ($link, "SELECT * FROM `345` WHERE pre = '$searchq' AND one = '$searchq'") or die("<b>Error</b> : ".mysqli_error($link));
$count = mysqli_num_rows($query);
if ($count == 0){
$output = 'Try Again';
}else{
while($row = mysqli_fetch_array($query)){
$onen = $row['one'];
$pren = $row['pre'];
$price = $row['price'];
$output = 'You won '.$price.' now';
}
}
}
?>
<form name="search1" action="index.php" method="GET">
<b>Prefix</b>
<select name="pre">
<option value="">Pick a prefix</option>
<option value="Ka">Ka</option>
<option value="Ba">Ba</option>
<option value="Ma">Ma</option>
</select>
<b>Number</b>
<select name="one">
<option value="">Pick a number</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>
<input type="submit" name="search" value="Search" />
</form>
<?php
print ("$output");
//echo ($output);
?>
If die() is called, it means that the query failed, so I'd start looking for a reason there.
You are missing WHERE in your query, it should start with
SELECT * FROM 345 WHERE ...
Keep in mind that your code is open to SQL injection attacks. You must escape all user input that gets into your query.
The simplest way to do it is to use http://php.net/manual/en/function.mysql-real-escape-string.php (deprecated since PHP 5.5) or http://php.net/manual/en/mysqli.real-escape-string.php. You could also use PDO prepared statements for your queries (http://php.net/manual/en/book.pdo.php)
Some general pointers for you here:
You need a WHERE clause in your SQL statement to define the criteria of your search. The search will work without it but it will return everything, which is not what you want. (This has already been fixed)
You need an AND or an OR statement between your variables, in your WHERE clause, because you are asking "show this WHERE condition1 is true AND/OR condition2 is true"
Replace your die command with a better and more informative feedback:
This will output why the search failed. Use this to fix further errors.
or die("Could not search: ".mysql_error());
As mentioned by jedrzej.kurylo, you are wide open to injection attacks on your database and it is very important to fix these, either as they suggest or by upgrading your code to use MySQLi or PDO. Do this now while you're still learning the basics of SQL because it's far better than getting into the bad habit of using old, deprecated and insecure MySQL.
Finally I got the answer, and it was so easy. How dumb I am! :)
I really do thank #Martin and #jedrzej.kurylo
<?php
$output = NULL;
$link = mysqli_connect("localhost","root","","searchdemo") or die("Unable to select database" . mysqli_error($link));
if(isset($_POST['search'])){
$spre = $_POST['pre'];
$sone = $_POST['one'];
$query = mysqli_query ($link, "SELECT * FROM `345` WHERE pre = '$spre' AND one = '$sone'") or die("<b>Error</b> : ".mysqli_error($link));
$count = mysqli_num_rows($query);
if ($count == 0){
$output = 'Try Again';
}else{
while($row = mysqli_fetch_array($query)){
extract($row);
$onen = $row['one'];
$pren = $row['pre'];
$price = $row['price'];
$id = $row['id'];
$output = 'You won '.$price.' now';
}
}
}
?>
<form name="search1" action="index.php" method="POST">
<b>Prefix</b>
<select name="pre">
<option value="">Pick a prefix</option>
<option value="Ka">Ka</option>
<option value="Ba">Ba</option>
<option value="Ma">Ma</option>
</select>
<b>Number</b>
<select name="one">
<option value="">Pick a number</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">4</option>
<option value="5">5</option>
</select>
<input type="submit" name="search" value="SEARCHING" />
</form>
<?php
print ("$output <br />");
?>
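The answers in this thread recommend escaping or PDO prepared statements, while the final code above still places `$_POST['pre']` and `$_POST['one']` directly in the SQL text. The following is an added example, not code from any poster in the thread: the same lookup with an allow-list and bound parameters. `find_price` is a hypothetical name, an in-memory SQLite database stands in for the MySQL `345` table (MySQL quotes that name with backticks), and the rows are constructed from the list in the question using the form's spelling of the prefixes.

```php
<?php
// Added example. SQLite in memory is a stand-in for the poster's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE "345" (id INTEGER PRIMARY KEY, pre TEXT, one INTEGER, price INTEGER)');
$insert = $pdo->prepare('INSERT INTO "345" (pre, one, price) VALUES (?, ?, ?)');
foreach ([['Ka', 1, 100], ['Ka', 5, 500], ['Ma', 3, 100], ['Ma', 1, 200], ['Ba', 3, 800]] as $row) {
    $insert->execute($row); // constructed sample rows
}

// Look up the price for one prefix/number pair.
// Returns null when the input is not on the allow-list or no row matches.
function find_price(PDO $pdo, array $input): ?int
{
    $pre = $input['pre'] ?? '';
    $one = $input['one'] ?? '';
    // Allow-list: accept only the values the form's two dropdowns offer.
    if (!in_array($pre, ['Ka', 'Ba', 'Ma'], true)
        || !in_array($one, ['1', '2', '3', '4', '5'], true)) {
        return null;
    }
    // Placeholders keep the submitted values out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT price FROM "345" WHERE pre = :pre AND one = :one');
    $stmt->execute([':pre' => $pre, ':one' => (int) $one]);
    $price = $stmt->fetchColumn();
    return $price === false ? null : (int) $price;
}

// Constructed submissions: a match, a valid pair with no row, and a value
// that is not one of the form's options.
$submissions = [
    ['pre' => 'Ka', 'one' => '5'],
    ['pre' => 'Ba', 'one' => '1'],
    ['pre' => "Ka'", 'one' => '1'],
];
foreach ($submissions as $input) {
    $price = find_price($pdo, $input);
    echo $price === null ? "Try Again\n" : "You won {$price} now\n";
}
```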
I'm new to PHP and have created a very basic HTML form. As you can see in my form, the option values are all done by hand (there are more, I just simplified this example). What I want is for these to be generated dynamically using just PHP, so that I would physically have to add every single year etc.
I've done some searching but I can't seem to find exactly what I'm after so thought I'd ask here. From what I gather I need to create a query and echo out the option value somehow, although I'm not sure how to do this.
SELECT gameYear from games
I'd guess the above would be the correct query as all the form would need is the bookYear from the table?
<form id = "gameYear" method="get" action="result.php">
<label>
Game Year
<select name="gameYear">
<option value="2000">2000</option>
<option value="2001">2001</option>
<option value="2002">2002</option>
</select>
</label>
<input type = "submit" name="search" value = "Search">
</form>
Thanks, any help/guidance is appreciated.
<form id = "gameYear" method="get" action="result.php">
<label>
Game Year
<select name="gameYear">
<option value=''>--Select Year--</option>
<?php
$link = mysqli_connect("localhost", "my_user", "my_password", "world");
$SqlResult = mysqli_query($link, "SELECT gameYear from games");
while($Row = mysqli_fetch_array($SqlResult))
{
?>
<option value="<?php echo $Row['gameYear'] ?>"><?php echo $Row['gameYear'] ?></option>
<?php
}
?>
</select>
</label>
<input type = "submit" name="search" value = "Search">
</form>
<?php $sql = "SELECT gameYear from games order by gameYear ASC";
$result = mysql_query($sql, $connection) or die ("Couldn't perform query $sql <br />".mysql_error()); ?>
<form id="gameYear" method="get" action="result.php">
<label>Game Year
<select name="gameYear">
<?php while($row = mysql_fetch_array($result)){ ?>
<option value="<?php echo $row['gameYear'] ?>"><?php echo $row['gameYear']?></option>
<?php } ?>
</select>
</label>
<input type = "submit" name="search" value = "Search">
</form>
With this way, I get results from database and "print" them. But I don't know how I will update those results when I press the submit button!!! I just need an idea or something for the next step. Thank you in advance!!!
Here is an example of my code...
<?php // DATABASE QUERY
$query="SELECT countdown_module, hometeam_position
FROM jos_gm_nextmatch
WHERE id = 1";
$result=mysql_query($query);
// DATABASE VARIABLES
$countdown_module = mysql_result($result,$i,"countdown_module");
$hometeam_position = mysql_result($result,$i,"hometeam_position"); ?>
<form action="***.php" method="post" name="form">
<input name="countdown_module" value="<?php echo $countdown_module ?>" type="text" />
<select name="hometeam_position">
<option value="<?php echo $hometeam_position ?>"><?php echo $hometeam_position ?></option>
<option disabled="disabled" value="...">...</option>
<option value="1">1</option>
<option value="2">2</option>
<option value="3">3</option>
<option value="4">3</option>
<option value="5">5</option>
<input name="submit" type="submit" value="UPDATE" />
</form>
You would use the form action to redirect to a script where you do the update. In this script you can access the form's input elements by using the $_POST array. As for how to do update queries, an example could be:
$query="UPDATE mytable
SET title = '".$title."', name = '".$name."', date = '".$date."'
WHERE id = ".$id;
$result=mysql_query($query);
UPDATE:
An example of the script could be:
$hometeam_position = $_POST['hometeam_position']; //access the selected option when submitting
$countdown_module = $_POST['countdown_module']; //access the text input
$query = "UPDATE jos_gm_nextmatch SET countdown_module = '".$countdown_module."', hometeam_position = '".$hometeam_position."' WHERE id = 1";
$result=mysql_query($query);
You could before or after selecting the fields from the database simply increment them
...
if (isset($_POST['submit'])) {
$stmt = "UPDATE jos_gm_nextmatch
SET countdown_module = " . $_POST['countdown_module'] .
" , hometeam_position =" . $_POST['hometeam_position'] .
" WHERE id=1";
mysql_query($stmt);
}
mysql_close();
How can I get the information from the database in the same php form that I inserted the data on it including the stored information in order to update the data in the database :
I used this update statement but there is an error on it :
$sql="UPDATE findings
SET Finding_ID=$_GET[Finding_ID], ServiceType_ID=$_GET[ServiceType_ID], RootCause_ID=$_GET[RootCause_ID] , RiskRating_ID=$_GET[RiskRating_ID] , Impact_ID=$_GET[Impact_ID] ,Efforts_ID= $_GET[Efforts_ID], Likelihood_ID= $_GET[Likelihood_ID], Finding=$_GET[Finding],Implication=$_GET[Implication] , Recommendation =$_GET[Recommendation] , Report_ID=$_GET[Report_ID]
WHERE Finding_ID=$Finding_ID, ServiceType_ID=$ServiceType_ID, RootCause_ID=$RootCause_ID , RiskRating_ID=$RiskRating_ID , Impact_ID=$Impact_ID ,Efforts_ID= $Efforts_ID, Likelihood_ID= $Likelihood_ID, Finding=$Finding,Implication=$Implication , Recommendation =$Recommendation , Report_ID=$Report_ID";
This is my code for the form that I will insert and update the data :
<?php
$con = mysql_connect("localhost","root","mevooo");
if (!$con)
{
die('Could not connect: ' . mysql_error());
}
?>
<form method="post" action="test.php">
<fieldset>
<legend>Insert New Data </legend>
<p> Service Name :
<select name="Services">
<option value=""> </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM servicetype_lookup ");
while($row = mysql_fetch_assoc($result)) {
$id = $row['ServiceType_ID'];
$value = $row['ServiceType_Name'];
echo "<option value='$id'>$value</option>";
}
?>
</select>
</p>
Ref : <input type="text" name="ref" /><br />
Title : <input type="text" name="title" /><br />
Risk Rating :
<select name="RiskRating">
<option value=""> -Select- </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM riskrating_lookup");
while($row = mysql_fetch_assoc($result)) {
$id = $row['RiskRating_ID'];
$value = $row['RiskRating_Name'];
echo "<option value='$id'>$value</option>";
}
?>
</select><br />
Root Cause :
<select name="RootCause">
<option value=""> -Select- </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM rootcause_lookup");
while($row = mysql_fetch_assoc($result)) {
$id = $row['RiskCause_ID'];
$value = $row['RiskCause_Title'];
echo "<option value='$id'>$value</option>";
}
?>
</select><br />
Impact :
<select name="impact">
<option value=""> -Select- </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM impact_lookup");
while($row = mysql_fetch_assoc($result)) {
$id = $row['Impact_ID'];
$value = $row['Impact_Name'];
echo "<option value='$id'>$value</option>";
}
?>
</select><br />
Likelihood :
<select name="likelihood">
<option value=""> -Select- </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM likelihood_lookup");
while($row = mysql_fetch_assoc($result)) {
$id = $row['Likelihood_ID'];
$value = $row['Likelihood_Name'];
echo "<option value='$id'>$value</option>";
}
?>
</select><br/>
Efforts :
<select name="Efforts">
<option value=""> -Select- </option>
<?php
mysql_select_db("ers_1", $con);
$result = mysql_query("SELECT * FROM efforts_lookup");
while($row = mysql_fetch_assoc($result)) {
$id = $row['Efforts_ID'];
$value = $row['Efforts_Name'];
echo "<option value='$id'>$value</option>";
}
?>
</select><br/>
Finding : <br/>
<TEXTAREA NAME="Finding" COLS=100 ROWS=10>
</TEXTAREA>
<br/>
Implication: <br/>
<TEXTAREA NAME="Implication" COLS=100 ROWS=10>
</TEXTAREA>
<br/>
Recommendation : <br/>
<TEXTAREA NAME="Recommendation" COLS=100 ROWS=10>
</TEXTAREA>
<br/><input type="submit" value=" Save " onclick="window.location.href='Database.php'" />
</fieldset>
</form>
<?php
mysql_select_db("ers_1", $con);
$sql="UPDATE findings
SET Finding_ID=$_GET[Finding_ID], ServiceType_ID=$_GET[ServiceType_ID], RootCause_ID=$_GET[RootCause_ID] , RiskRating_ID=$_GET[RiskRating_ID] , Impact_ID=$_GET[Impact_ID] ,Efforts_ID= $_GET[Efforts_ID], Likelihood_ID= $_GET[Likelihood_ID], Finding=$_GET[Finding],Implication=$_GET[Implication] , Recommendation =$_GET[Recommendation] , Report_ID=$_GET[Report_ID]
WHERE Finding_ID=$Finding_ID AND ServiceType_ID=$ServiceType_ID AND RootCause_ID=$RootCause_ID AND RiskRating_ID=$RiskRating_ID AND Impact_ID=$Impact_ID AND Efforts_ID= $Efforts_ID AND Likelihood_ID= $Likelihood_ID AND Finding=$Finding AND Implication=$Implication AND Recommendation =$Recommendation AND Report_ID=$Report_ID";
mysql_real_escape_string($insert);
mysql_real_escape_string($Finding_ID);
if (!mysql_query($sql,$con))
{
die('Error: ' . mysql_error());
}
echo "1 record updated .";
mysql_close($con);
?>
<input type="button" value="HOME" onclick="location='Database.php'">
And this is the error :
Notice: Undefined index: Finding_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined index: ServiceType_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined index: RootCause_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined index: RiskRating_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined index: Impact_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined index: Efforts_ID in C:\xampp\htdocs\ers\edit.php on line 122
Notice: Undefined variable: Finding_ID in C:\xampp\htdocs\ers\edit.php on line 126
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' ServiceType_ID=, RootCause_ID= , RiskRating_ID= , Impact_ID= ,Efforts_ID= , Lik' at line 2
The condition of WHERE should be using AND, OR instead of comma.
WHERE Finding_ID=$Finding_ID, ServiceType_ID=$ServiceType_ID,....
SHOULD BE
WHERE Finding_ID=$Finding_ID AND ServiceType_ID=$ServiceType_ID AND ...
Your query is basically a welcome door to your database to everyone.
1st: Don't ever use direct get parameters inside query. Work with them at first.
2nd: Always add '' even if it's a number. Gives you some extra security.
3rd: WHERE parameters are separated with AND or OR
<?php
// Convert your ID's to INT ( or other specific type you use )
$_Finding_ID = (int)$_GET['Finding_ID'];
$_ServiceType_ID = (int)$_GET['ServiceType_ID'];
$_RootCause_ID = (int)$_GET['RootCause_ID'];
$_RiskRating_ID = (int)$_GET['RiskRating_ID'];
$_Impact_ID = (int)$_GET['Impact_ID'];
$_Efforts_ID = (int)$_GET['Efforts_ID'];
$_Likelihood_ID = (int)$_GET['Likelihood_ID'];
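// Free-text fields are not IDs: an (int) cast would turn them into 0, so escape them as strings
$_Finding = mysql_real_escape_string($_GET['Finding']);
$_Implication = mysql_real_escape_string($_GET['Implication']);
$_Recommendation = mysql_real_escape_string($_GET['Recommendation']);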
$_Report_ID = (int)$_GET['Report_ID'];
$sql = "UPDATE
findings
SET
Finding_ID = '".$_Finding_ID."',
ServiceType_ID = '".$_ServiceType_ID."',
RootCause_ID = '".$_RootCause_ID."',
RiskRating_ID = '".$_RiskRating_ID."',
Impact_ID = '".$_Impact_ID."',
Efforts_ID = '".$_Efforts_ID."',
Likelihood_ID = '".$_Likelihood_ID."',
Finding = '".$_Finding."',
Implication = '".$_Implication."',
Recommendation = '".$_Recommendation."',
Report_ID = '".$_Report_ID."'
WHERE
Finding_ID = '".$Finding_ID."'
AND ServiceType_ID ='". $ServiceType_ID."'
AND RootCause_ID = '".$RootCause_ID."'
AND RiskRating_ID = '".$RiskRating_ID."'
AND Impact_ID = '".$Impact_ID."'
AND Efforts_ID = '".$Efforts_ID."'
AND Likelihood_ID = '".$Likelihood_ID."'
AND Finding = '".$Finding."'
AND Implication = '".$Implication."'
AND Recommendation = '".$Recommendation."'
AND Report_ID = '".$Report_ID."'";
?>
Of course there are many more precautions you can do, but this should do best at start.
PS: Long queries are easier to manage and read when divided like that; and try to keep your code clean and pretty. No one likes a scrambled code to work with.
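The `findings` update mixes integer IDs with free-text columns, and the notices in the question come from request fields that were never sent. The following is an added example, not the answerer's code: each field is checked against a declared type, missing or malformed fields are reported by name, and the values are bound with their types instead of being quoted into the string. `update_finding` and `FINDING_FIELDS` are hypothetical names, only a subset of the question's columns is used, the row is keyed on `Finding_ID` alone, and an in-memory SQLite database stands in for MySQL.

```php
<?php
// Added example. SQLite in memory is a stand-in; the stored row is constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE findings (Finding_ID INTEGER PRIMARY KEY, RiskRating_ID INTEGER,
            Impact_ID INTEGER, Finding TEXT, Recommendation TEXT)');
$pdo->exec("INSERT INTO findings VALUES (7, 1, 1, 'old text', 'old advice')");

// Field name => bind type. IDs are integers; free-text fields stay strings.
const FINDING_FIELDS = [
    'Finding_ID'     => PDO::PARAM_INT,
    'RiskRating_ID'  => PDO::PARAM_INT,
    'Impact_ID'      => PDO::PARAM_INT,
    'Finding'        => PDO::PARAM_STR,
    'Recommendation' => PDO::PARAM_STR,
];

// Returns the number of rows changed (int), or the list of rejected field
// names (array) when the request is incomplete or malformed.
function update_finding(PDO $pdo, array $request)
{
    $rejected = [];
    foreach (FINDING_FIELDS as $name => $type) {
        $value = $request[$name] ?? null; // no "Undefined index" notice
        $valid = $type === PDO::PARAM_INT
            ? filter_var($value, FILTER_VALIDATE_INT) !== false
            : is_string($value) && $value !== '';
        if (!$valid) {
            $rejected[] = $name;
        }
    }
    if ($rejected) {
        return $rejected;
    }
    // The row is identified by its key only; the other columns are the new values.
    $stmt = $pdo->prepare('UPDATE findings SET RiskRating_ID = :RiskRating_ID,
        Impact_ID = :Impact_ID, Finding = :Finding, Recommendation = :Recommendation
        WHERE Finding_ID = :Finding_ID');
    foreach (FINDING_FIELDS as $name => $type) {
        $value = $type === PDO::PARAM_INT ? (int) $request[$name] : $request[$name];
        $stmt->bindValue(':' . $name, $value, $type);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed requests: a complete one, then one with missing and non-numeric fields.
var_dump(update_finding($pdo, ['Finding_ID' => '7', 'RiskRating_ID' => '3', 'Impact_ID' => '2',
    'Finding' => "Admin panel isn't rate limited", 'Recommendation' => 'Add lockout']));
var_dump(update_finding($pdo, ['Finding_ID' => 'abc', 'Finding' => 'x']));
var_dump($pdo->query('SELECT * FROM findings')->fetchAll(PDO::FETCH_ASSOC));
```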