
View Full Version : desperate still can't match info


lynettes
12-22-2004, 04:19 AM
I fixed one problem only to cause a new one. I was getting duplicates because I asked for distinct record nums too. Now that I have fixed that, I'm getting no books found because I have no record num to match to. How do I store first and last names to match to?
===========================================================
//********************************************************************************************
//GETS DATA
//********************************************************************************************
$SQL = "SELECT DISTINCT author_last_name, author_first_name FROM $DB_TABLE ORDER BY author_last_name, author_first_name";
$RESULT = mysql_query($SQL, $CONNECTION) OR die("Query failed.");
$NUM = mysql_num_rows($RESULT);
//********************************************************************************************
//********************************************************************************************
?>

<FORM METHOD='post' ACTION='authorsearch.php'>
<SELECT NAME='authorwanted'>
<OPTION VALUE='0' SELECTED>--- Browse Authors ---</OPTION>
<?PHP
//********************************************************************************************
//POPULATES COMBO BOX
//********************************************************************************************
while ($ROW = mysql_fetch_array($RESULT))
{
//$RECORD = $ROW["record_num"];
$LNAME = $ROW["author_last_name"];
$FNAME = $ROW["author_first_name"];
echo "<OPTION VALUE='$LNAME, $FNAME'>$LNAME, $FNAME</OPTION>";

}
//********************************************************************************************
//********************************************************************************************
?>
</SELECT>
<BR><BR>
<INPUT TYPE='SUBMIT' VALUE='View the Details!'>
</FORM>

<?PHP
//********************************************************************************************
//RETURNS INFO REQUESTED
//********************************************************************************************
if(isset($_POST['authorwanted']))
{
$RECORD = $_POST['authorwanted'];
$SQL1 = "SELECT * FROM $DB_TABLE WHERE author_last_name, author_first_name = '" . $_POST["authorwanted"] . "' ORDER BY title";
$RESULT1 = mysql_query($SQL1, $CONNECTION) OR die("Query failed." );
$NUM1 = mysql_num_rows($RESULT1);
$LNAME1 = 'author_last_name';
$FNAME1 = 'author_first_name';
if ($NUM1 == 0)
{
echo "No books found";
}
elseif ($NUM1 > 0)
{
echo "<BR><BR>";
echo "<H3><U>$FNAME1 $LNAME1</U> has $NUM1 book(s) in the collection.</H3>";
echo "<BR>";
echo "<TABLE WIDTH='500' ALIGN='center' CELLSPACING='2' CELLPADDING='2' BORDER='1' FRAME='box'>";
}
while($ROW = mysql_fetch_array($RESULT1))
{
$TITLE = $ROW["title"];
$CALL1 = $ROW["call_number_1"];
$CALL2 = $ROW["call_number_2"];
$PAGES = $ROW["number_of_pages"];
$SUBJECT = $ROW["subject"];
$ISBN = $ROW["isbn"];
$SUBHEADINGS = $ROW["subheadings"];

echo "<TR><TD COLSPAN='4'><STRONG>$TITLE</STRONG></TD></TR>";
echo "<TR><TD><STRONG>Call Number(s):</STRONG></TD><TD COLSPAN='3'>$CALL1<BR>$CALL2</TD></TR>";
echo "<TR><TD><STRONG>ISBN:</STRONG></TD><TD>$ISBN</TD><TD><STRONG>Subject:</STRONG></TD><TD>$SUBJECT</TD></TR>";
echo "<TR><TD><STRONG>Subheadings:</STRONG></TD><TD COLSPAN='3'>$SUBHEADINGS</TD></TR>";
}
echo "</TABLE>";
}
//********************************************************************************************
//********************************************************************************************
?>

Fou-Lu
12-22-2004, 09:17 AM
This is where your trouble is, I assume? It appears that your authorwanted is probably populated, but not how you want it to work.

//********************************************************************************************
//RETURNS INFO REQUESTED
//********************************************************************************************
if(isset($_POST['authorwanted']))
{
$RECORD = $_POST['authorwanted'];
$SQL1 = "SELECT * FROM $DB_TABLE WHERE author_last_name, author_first_name = '" . $_POST["authorwanted"] . "' ORDER BY title";
$RESULT1 = mysql_query($SQL1, $CONNECTION) OR die("Query failed." );
$NUM1 = mysql_num_rows($RESULT1);
$LNAME1 = 'author_last_name';
$FNAME1 = 'author_first_name';
if ($NUM1 == 0)
{
echo "No books found";
}
elseif ($NUM1 > 0)
{
echo "<BR><BR>";
echo "<H3><U>$FNAME1 $LNAME1</U> has $NUM1 book(s) in the collection.</H3>";
echo "<BR>";
echo "<TABLE WIDTH='500' ALIGN='center' CELLSPACING='2' CELLPADDING='2' BORDER='1' FRAME='box'>";
}
while($ROW = mysql_fetch_array($RESULT1))
{
$TITLE = $ROW["title"];
$CALL1 = $ROW["call_number_1"];
$CALL2 = $ROW["call_number_2"];
$PAGES = $ROW["number_of_pages"];
$SUBJECT = $ROW["subject"];
$ISBN = $ROW["isbn"];
$SUBHEADINGS = $ROW["subheadings"];

echo "<TR><TD COLSPAN='4'><STRONG>$TITLE</STRONG></TD></TR>";
echo "<TR><TD><STRONG>Call Number(s):</STRONG></TD><TD COLSPAN='3'>$CALL1<BR>$CALL2</TD></TR>";
echo "<TR><TD><STRONG>ISBN:</STRONG></TD><TD>$ISBN</TD><TD><STRONG>Subject:</STRONG></TD><TD>$SUBJECT</TD></TR>";
echo "<TR><TD><STRONG>Subheadings:</STRONG></TD><TD COLSPAN='3'>$SUBHEADINGS</TD></TR>";
}
echo "</TABLE>";
}
//********************************************************************************************
//********************************************************************************************
?>

The problem here is that you are searching for a first name under first, last. You need to split these up. There are ways to do this: you can serialize it as an array and send it through (which is probably what I would do), or you can explode each on the ', ' instead. Let's stick with what you have here:

Your $_POST will be populated as follows:
$_POST = array([authorwanted] => #LNAME, #FNAME);
You need to split these up. For your current method, you can use explode on your authorwanted page.


if(isset($_POST['authorwanted']))
{
$RECORD = explode(', ', $_POST['authorwanted']);
$LNAME1 = $RECORD[0];
$FNAME1 = $RECORD[1];
$SQL1 = "SELECT * FROM $DB_TABLE WHERE author_last_name = '" . $LNAME1 . "' AND author_first_name = '" . $FNAME1 . "' ORDER BY title";
$RESULT1 = mysql_query($SQL1, $CONNECTION) OR die("Query failed." );
$NUM1 = mysql_num_rows($RESULT1);

// I'd then change this:
if ($NUM1 == 0)
{
echo "No books found";
}
elseif ($NUM1 > 0)
{
echo "<BR><BR>";
echo "<H3><U>$FNAME1 $LNAME1</U> has $NUM1 book(s) in the collection.</H3>";
echo "<BR>";
echo "<TABLE WIDTH='500' ALIGN='center' CELLSPACING='2' CELLPADDING='2' BORDER='1' FRAME='box'>";
}

// To this:
if ($NUM1 <= 0)
{
echo "No Books Found!";
}
else
{
echo "<BR><BR>";
echo "<H3><U>$FNAME1 $LNAME1</U> has $NUM1 book(s) in the collection.</H3>";
echo "<BR>";
echo "<TABLE WIDTH='500' ALIGN='center' CELLSPACING='2' CELLPADDING='2' BORDER='1' FRAME='box'>";
}

A simple change. No need to use elseif in there, since you are only evaluating if the numbers are less than or equal to zero, or if they are greater than, you only need an if -> else.

Also, please check this article out relating to securing your mysql queries, as these adjustments have not taken these into effect.
http://ca3.php.net/manual/en/security.database.sql-injection.php
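
An added example, not part of the original posts: the same "Last, First" lookup with the two names passed as bound parameters, so the posted value is never concatenated into the SQL text. It assumes PDO (the mysql_* functions used in the thread were removed in PHP 7), an in-memory SQLite table named `books` standing in for $DB_TABLE, and hypothetical helpers `parse_author` and `books_by_author`; all rows and inputs are constructed.

```php
<?php
// Constructed in-memory table standing in for $DB_TABLE (assumption: PDO with the SQLite driver).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE books (title TEXT, author_last_name TEXT, author_first_name TEXT)");
$seed = $pdo->prepare("INSERT INTO books VALUES (?, ?, ?)");
foreach ([
    ['Sample Title A', 'Austen', 'Jane'],      // constructed sample rows
    ['Sample Title B', 'Austen', 'Jane'],
    ['Sample Title C', "O'Brien", 'Flann'],
] as $row) {
    $seed->execute($row);
}

// Hypothetical helper: split the posted "Last, First" value, or return null if malformed.
function parse_author($posted)
{
    if (!is_string($posted)) {
        return null;
    }
    $parts = explode(', ', $posted, 2);        // limit 2: a first name may itself contain ", "
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;                           // also rejects the '0' placeholder option
    }
    return $parts;
}

// Hypothetical helper: the names travel as bound parameters, never as SQL text.
function books_by_author(PDO $pdo, $posted)
{
    $author = parse_author($posted);
    if ($author === null) {
        return [];
    }
    $stmt = $pdo->prepare(
        "SELECT title FROM books
         WHERE author_last_name = ? AND author_first_name = ?
         ORDER BY title"
    );
    $stmt->execute($author);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal pick, a name with an apostrophe, the placeholder, a tampered value.
foreach (['Austen, Jane', "O'Brien, Flann", '0', "Austen, Jane' OR '1'='1"] as $posted) {
    $titles = books_by_author($pdo, $posted);
    echo htmlspecialchars($posted, ENT_QUOTES), ': ',
         $titles ? htmlspecialchars(implode('; ', $titles), ENT_QUOTES) : 'No books found', "\n";
}
```

The apostrophe in the third author's name matches normally, and the tampered value is compared as a literal first name, so it finds no rows instead of altering the WHERE clause.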