Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 10 of 10
  1. #1
    New Coder
    Join Date
    Jan 2013
    Posts
    12
    Thanks
    2
    Thanked 0 Times in 0 Posts

    Question about "isset"

    I'm wondering if the following is even possible, and if so, how do I go about fixing what I already have.

    So when I go to "stats.php?STAT_ID=X" I want it to grab and run a query based on what X is.


    PHP Code:
    if (isset($_GET['STAT_ID']))
    {
        if (
    get_magic_quotes_gpc())
        {
            
    $_GET['STAT_ID'] = stripslashes($_GET['STAT_ID']);
        }
        
    $stat_id mysql_real_escape_string($_GET['STAT_ID']);


    echo 
    '<table width="575" align="center" cellspacing="0">';
    echo 
    '<tr>';
    echo 
    '<td valign="top" align="left" width="575">';

    $sql 'SELECT Pos, FName, LName, Year, \'' $stat_id '\' '
            
    ' FROM batters_career_stats '
            
    ' GROUP BY Pos, FName, LName, Year '
            
    ' ORDER BY \'' $stat_id '\' DESC '
            
    ' LIMIT 50'
         
    $result mysql_query($sql) or die(mysql_error());


    echo 
    "<table border='0' cellpadding='2' cellspacing='0' width='575'>";
    echo 
    "<tr class='header'>  <td width='15'>Rk.</td> <td align='right' width='385'>Player</td> <td width='175' align='right'>Stat</td></tr>";

    $i=0
    while($row mysql_fetch_assoc$result ))  
    {
        
    printf('<tr class="odd">
            <td align="right">%d.</td>
            <td align="right">%s %s, %d</td>
            <td align="right">%d</td>
            </tr>' 
    PHP_EOL$i$row['FName'], $row['LName'], $row['Year'], $row['?????']);


    echo 
    "</table>";


    When I've played around with what goes in the ?????? I've only come away with errors. Any ideas?

    Thanks in advance!

  • #2
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    Wrong:
    Code:
           . ' ORDER BY \'' . $stat_id . '\' DESC '
    Right:
    Code:
           . ' ORDER BY `'' . $stat_id . '` DESC '
    Those characters I changed to are BACK TICKS. The ` character usually shares the keyboard key with the ~ tilde character.

    I am *assuming* that $stat_id is supposed to be the name of an existing field (a.k.a. "column", though that's a misnomer) in the table.

    And if that is so, then THIS line is also a mistake:
    Code:
        $stat_id = mysql_real_escape_string($_GET['STAT_ID']);
    you do *NOT* want to escape a field name the same way you would a text data item.

    Unless you have field names that include spaces or other non-standard characters, I wouldn't use
    Code:
        stripslashes($_GET['STAT_ID']);
    either. Almost surely all you want to do is verify that $_GET['STAT_ID'] contains no characters other than letters, digits, and maybe underlines (if you use underlines in your field names). If not, simply reject the entire request, because then STAT_ID can't possibly be a valid field name.

    Tell you what, give me a list of *ALL* the field names in your batters_career_stats table and we will rewrite this simpler.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #3
    New Coder
    Join Date
    Jan 2013
    Posts
    12
    Thanks
    2
    Thanked 0 Times in 0 Posts
    So I've got: PNum, Team_ID, POS_ID, Pos, FName, LName, Team, Year, G, AB, H, R, 2B, 3B, HR, RBI, BB, HP, K, SB, CS

    So yeah I'm looking to write a simple code and .php file that will get the the top 50 for the above stat (all those after Year) that I choose, rather than writing a different .php file for each.

    Along the same lines, not sure if it's possible, but say I needed to use multiple stats in the same query. For instance AVG would be H/AB. I could obviously just simply write another .php file for that specific stat, but if this could somehow be dealt with in one code that would be great.

  • #4
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    So instead of mucking with all this stuff:
    Code:
        if (get_magic_quotes_gpc()) 
        { 
            $_GET['STAT_ID'] = stripslashes($_GET['STAT_ID']); 
        } 
        $stat_id = mysql_real_escape_string($_GET['STAT_ID']);
    which is utterly wrong, anyway, for a *FIELD* name, why not simply look for what is allowed and reject anything else?

    Code:
    <html>
    <head>
    <style type="text/css">
    tr.even { background-color: white; }
    tr.odd  { background-color: #eeeeee; }
    tr.even td, tr.odd td { text-align: right; }
    </styl>
    </head>
    <body>
    <?php
    
    if (! isset($_GET['STAT_ID'])) 
    { 
        echo "Invalid selection...hit BACK and try again.";
        exit();  // maybe should be just exit without ()?
    }
    
    $fld = $_GET["STAT_ID"];
    switch ( $fld )
    {
        case "G": case "AB": case "H": case "R": case "2B": case "3B": 
        case "HR": case "RBI": case "BB": case "HP": case "K": case "SB": case "CS" :
            // simple field name...use it AS IS
            $fname = $fld;
            $sname = $fld;
            $pname = $fld;
            break;
    
        case "AVG":
            // batting average:
            $fname = " (H/AB) AS `AVG` ";
            $sname = "`AVG`";
            $pname = "AVG";
            break;
    
        case "OBP":
            // on base percentage:
            $fname = " ((H+HP+BB)/AB) AS OBP ";
            $sname = "OBP"
            $pname = "OBP";
            break;
    
        default:
            echo "Invalid selection...hit BACK and try again.";
            exit();  // maybe should be just exit without ()?
    }
    ?>
    
    <table width="575" align="center" cellspacing="0">
    <tr>
        <td>Rank</td>
        <td>Player</td>
        <td>Position</td>
        <td>Year</td>
        <td><?php echo $pname; ?></td>
    </tr>
    <?
    ... make the db connection here ...
    
    $sql = "SELECT CONCAT(Fname,' ',Lname) AS player, Pos, Year, $fname " 
         . " FROM batters_career_stats ORDER BY $sname DESC LIMIT 50";
    $result = mysql_query($sql) or die(mysql_error()); 
    
    $rank = 1;
    while($row = mysql_fetch_assoc( $result ))   
    { 
        $player = $row["player"];
        $pos    = $row["pos"];
        $year   = $row["year"];
        $stat   = $row[$pname];
        $cls = ($rand % 2 == 0 ) ? "even" : "odd";
        echo "<tr class="$cls"><td>$rank</td><td>$player</td><td>$pos</td><td>$year</td><td>$stat</td></tr>\n";
    
        ++$rank;
    }  
    ?>
    </table>
    </body>
    </html>
    Please understand that I don't use PHP, so apologies if there are minor PHP errors there.
    Last edited by Old Pedant; 01-25-2013 at 10:53 PM.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #5
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    And I think I have OBP correct. You can easily fix that. And you can see how to derive other stats, as well. No?

    Note that AVG needs those back ticks around it `AVG` because AVG is a MySQL keyword.

    It can't hurt to put them around other fields.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #6
    New Coder
    Join Date
    Jan 2013
    Posts
    12
    Thanks
    2
    Thanked 0 Times in 0 Posts
    Hmm, after tying up a few loose ends on the php side, I'm just getting a blank page.

    Looking at the html source it's showing a repetition of the following:

    PHP Code:
    <tr class="$cls"><td>$rank</td><td>$player</td><td>$pos</td><td>$year</td><td>$stat</td></tr>

  • #7
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    Whoops...I had " inside of ".

    Code:
        echo "<tr class=\"$cls\"><td>$rank</td><td>$player</td><td>$pos</td><td>$year</td><td>$stat</td></tr>\n";
    Need to "escape" the internal quotes.

    Hey, I told you I don't code in PHP. <grin/> (But I should have caught that one...so should you.)
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • Users who have thanked Old Pedant for this post:

    bayken37 (01-26-2013)

  • #8
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    *IF* that doesn't work--but I think it should--you can go back to your printf() solution.

    But just use my variable names, including especially $stat, in place of what you were using.
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.

  • #9
    New Coder
    Join Date
    Jan 2013
    Posts
    12
    Thanks
    2
    Thanked 0 Times in 0 Posts
    After more tweaking, I was wondering how to go about making two "isset"s for one page.

    So previously we had it by STAT_ID what if I also wanted to grab those STAT values for whichever TEAM_ID I put in?

    /../stats.php?STAT_ID=AVG&Team_ID=ATL

    is this something that I need to add to the isset function?

  • #10
    Supreme Master coder! Old Pedant's Avatar
    Join Date
    Feb 2009
    Posts
    25,447
    Thanks
    76
    Thanked 4,372 Times in 4,337 Posts
    Do you know what isset means???

    Apparently not. Look here:
    http://php.net/manual/en/function.isset.php

    isset is NOTHING BUT a simple builtin PHP function that allows you to test to see if there is any value there at all.

    You don't even NEED to use it for STAT_ID if you use the code I showed you, because that code will only allow certain values for STAT_ID and reject the rest.

    Now... If you want to make the team abbreviation *optional* then, yes, using isset with it is a good idea. If you want to make it required, you can still use it though you would do so differently.

    You could alter the code above like this (stuff added is in red, rest stays the same):
    Code:
    <?
    ... make the db connection here ...
    
    $team = $_GET["TEAM_ID"];
    if ( isset($team) && strlen($team) == 3 ) /* assumes all are 3 letter abbreviations */
    {
        $where = " WHERE team_id = '" . mysql_real_escape_string($team) . "' ";
    } else
        $where = "";
    }
    
    $sql = "SELECT CONCAT(Fname,' ',Lname) AS player, Pos, Year, $fname " 
         . " FROM batters_career_stats $where ORDER BY $sname DESC LIMIT 50";
    $result = mysql_query($sql) or die(mysql_error()); 
    
    ...
    An optimist sees the glass as half full.
    A pessimist sees the glass as half empty.
    A realist drinks it no matter how much there is.


  •  

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •