
Problems with if statements



redfox
11-26-2010, 05:57 PM
Sorry for making another thread, but I am also having problems with some if else statements. Maybe you can take a gander and tell me if you see anything wrong:



<?php
/* See if variables are in URL, substitute if not */
if (count($_GET["sortby"]) <= 0)
    $sortby = "last";
else
    $sortby = $_GET['sortby'];

if (count($_GET["order"]) <= 0)
    $order = "ASC";
else
    $order = "DESC";

/* Apply sorting before display */
mysql_select_db($database_ballot, $ballot);
$query = "SELECT * FROM votes ORDER BY $sortby $order";
$query2 = "SELECT * FROM votes";
$result = mysql_query($query);
$result2 = mysql_query($query2);
$num = mysql_numrows($result2);

/* Apply order to link that is displayed */
if ($order == "ASC")
{
    echo('<a href="index.php?sortby=first&order=DESC"><strong>First Name:</strong></a>');
}
elseif ($order == "DESC")
{
    echo('<a href="index.php?sortby=first&order=ASC"><strong>First Name:</strong></a>');
}
else
{
    echo('error');
}
/* More links follow below, not repeated for the sake of space */
?>


So essentially, I have a page that displays MySQL results in a table. They display in a certain order according to the variables in the URL. It displays them just fine when there are variables in the URL, however it will not apply a value to it when it's just the index.php. So Problem #1, I cannot get it to display by default the last name ascending. Problem #2, for the links I can go to the index without variables, click on the link, with it being DESC, while the URL var is DESC it will be the ASC link, I click it again and the link is ASC from then out while the URL var is ASC.

Thanks again

mlseim
11-26-2010, 06:55 PM
I'm not sure what "count" is doing for your $_GET variables ...
But assign a default before you $_GET any.



<?php

// default values
$sortby = "first";
$order = "ASC";

/* GET URL variables, if any */
if ($_GET['sortby']) {
    $sortby = $_GET['sortby'];
}
if ($_GET['order']) {
    $order = $_GET['order'];
}

// rest of your script here ...

?>



EDIT:
I should add this, because it's important ...

You are letting the user input things into your query without sanitizing anything.
That's a security issue (as with SQL injections).

I suggest you use codes instead ... so the user doesn't have control over them.
Never let a user input anything directly into a MySQL query. Either do this:
http://php.net/manual/en/function.mysql-real-escape-string.php

or, use some codes like shown below ... where only you determine what goes into the query.

Like this:

echo('<a href="index.php?sortby=1&order=1"><strong>First Name:</strong></a>');

Then, you define what the codes are ....


<?php

/* GET URL variables, if any */
if ($_GET['sortby']) {
    $s = $_GET['sortby'];
}
if ($_GET['order']) {
    $o = $_GET['order'];
}

$sortby = "first";
if ($s == 2) {
    $sortby = "last";
}
if ($s == 3) {
    $sortby = "email";
}
if ($s == 4) {
    $sortby = "phone";
}

$order = "ASC";
if ($o == 2) {
    $order = "DESC";
}

// rest of your script here ...

?>





.
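
The numbered-code approach from the post above, written out as an added example that is not part of the original thread: request values only select an entry from a fixed table, so nothing from the URL reaches the SQL text, and missing parameters fall back to defaults without raising notices. The function names are hypothetical and PHP 7 or later is assumed; the column names, the codes and the votes table come from the thread.

```php
<?php
// Added example: allowlist lookup for the ORDER BY clause.
// Column names and numeric codes follow the post above; the function
// names are hypothetical.

const SORT_COLUMNS = [1 => 'first', 2 => 'last', 3 => 'email', 4 => 'phone'];
const SORT_ORDERS  = [1 => 'ASC', 2 => 'DESC'];

/** Return the integer code in $params[$key] if it is a key of $allowed, else $default. */
function pick_code(array $params, string $key, array $allowed, int $default): int
{
    // A missing key, an array value (?sortby[]=x) or non-digit text all fall back.
    $raw = $params[$key] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return $default;
    }
    $code = (int) $raw;
    return isset($allowed[$code]) ? $code : $default;
}

/** Build the query from constants only; request data never reaches the SQL text. */
function build_votes_query(array $params): string
{
    $s = pick_code($params, 'sortby', SORT_COLUMNS, 1);
    $o = pick_code($params, 'order', SORT_ORDERS, 1);
    return 'SELECT * FROM votes ORDER BY ' . SORT_COLUMNS[$s] . ' ' . SORT_ORDERS[$o];
}

/** Header link for a column: clicking the active ascending column flips it to descending. */
function sort_link(array $params, int $column, string $label): string
{
    $s = pick_code($params, 'sortby', SORT_COLUMNS, 1);
    $o = pick_code($params, 'order', SORT_ORDERS, 1);
    $next = ($s === $column && $o === 1) ? 2 : 1;
    return sprintf('<a href="index.php?sortby=%d&amp;order=%d"><strong>%s</strong></a>',
        $column, $next, htmlspecialchars($label, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample requests: no parameters, valid codes, and unexpected values.
$samples = [[], ['sortby' => '2', 'order' => '2'], ['sortby' => '9 OR 1=1', 'order' => ['x']]];
foreach ($samples as $params) {
    echo build_votes_query($params), "\n";
}
echo sort_link(['sortby' => '1', 'order' => '1'], 1, 'First Name:'), "\n";
```

An escaping function protects values placed inside quoted string literals; a column name or an ASC/DESC keyword in ORDER BY is not quoted, which is why a lookup table is the control that fits this query.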

redfox
11-26-2010, 11:24 PM
With your bit of code, I was still getting a myriad of notices when no variables were in the URL, however I just said to heck with it and turned off the notices. :) haha. Thanks for your help!

Also about the SQL injections, it is basically going to be something for my school and these were going to be shown in an authentication-protected admin panel, so I wasn't too worried, but once again, thanks for the advice!


