Hello and welcome to our community! Is this your first visit?
Register
Enjoy an ad free experience by logging in. Not a member yet? Register.
Results 1 to 2 of 2
  1. #1
    New to the CF scene
    Join Date
    May 2012
    Posts
    5
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Exclamation PHP/MYSQL logic and query problem!

    Hi,

    I am making a search form on my website and I need to check if certain values are empty when the user clicks submit. I need to take the values that aren't empty and extract the data from a MYSQL database and then print out the return. If you can help with my logic in the code because the query isn't working.

    !!!EDIT!!!:

    Hi,
    I have fixed the problem but now whenever I don't specify all the variables available from my form I get this for my query when I print it out:

    Code:
    SELECT * FROM IB2FILES WHERE type='text/rtf' AND name='' AND subject='History' AND size<=''
    Please help me out here it must be my syntax or logic!

    Thanks, again eric

    !!!EDIT TWO!!!

    Hi,

    Hahaha I fixed all my problems and it is working great just wanted someone to close this thread (I don't know how).

    Thanks if anyone tried to help

    IB2Downloads.php
    PHP Code:
    <?php

    $Server
    ="xxxx";
    $User="xxxx";
    $Password="xxxx";
    $Database="xxxx";
    $con mysql_connect($Server,$User,$Password);

    $FNAME $_POST['FLN'];
    $FTYPE $_POST['Type'];
    $FSUBJECT $_POST['Subject'];
    $FSIZE $_POST['FS'];
    $counter 0;

    if(!
    $con){
        
        die(
    "Couldn't Connect " mysql_error());
        
    }

    mysql_select_db($Database,$con);

    $FSIZE "'" $FSIZE "'"
    $FTYPE "'" $FTYPE "'";    
    $FNAME "'" $FNAME "'";    
    $FSUBJECT "'" $FSUBJECT "'"

    if(!empty(
    $FTYPE)){
        
        if(
    $counter>=1){
        
        
    $type=" AND type=" .$FTYPE;
        
    $specify $specify $type;
        
        }else{
        
        
    $counter $counter 1;
        
    $type " type=" $FTYPE;
        
    $specify " WHERE" $type;
        
        }
    }    
    if(!empty(
    $FNAME)){
        
        if(
    $counter>=1){
        
        
    $name=" AND name=" .$FNAME;
        
    $specify $specify $name;
        
        }else{
        
        
    $counter $counter 1;
        
    $name " name=" $FNAME;
        
    $specify " WHERE" $name;
        
        }
    }
    if(!empty(
    $FSUBJECT)){
        
        if(
    $counter>=1){
        
        
    $subject=" AND subject=" .$FSUBJECT;
        
    $specify $specify $subject;
        
        }else{
        
        
    $counter $counter 1;
        
    $subject " subject=" $FSUBJECT;
        
    $specify " WHERE" $subject;
        
        }
    }
    if(!empty(
    $FSIZE)){
        
        if(
    $counter>=1){
        
        
    $size=" AND size<=" $FSIZE;
        
    $specify $specify $size;
        
        }else{
        
        
    $counter $counter 1;
        
    $size " size=" $FSIZE;
        
    $specify " WHERE" $size;
        
        }
    }    

    if(
    $counter >= 1){

    $sql "SELECT * FROM IB2FILES" $specify;
    }else{
    $sql "SELECT * FROM IB2FILES";
    }

    echo 
    $sql;

    $ctq mysql_query($sql,$con);
    $rows mysql_num_rows($ctq);
    if (!
    $ctq)
    {
        die(
    "SQL Error! Query is $sql<br />Error is ".mysql_error());
    }

    ?>

    <!DOCTYPE html>
    <html lang="en">
    <head>
        
        <title>IB2 Download Page</title>
        
    <style type=text/css>
                
                ul
    {
    list-style-type:none;
    margin:0;
    padding:0;
    overflow:hidden;
    }
    li
    {
    float:left;
    }
    .links
    {
    display:block;
    width:180px;
    color:black;
    background-color:lightblue;
    text-align:center;
    padding:4px;
    border:2px;
    border-color:black;
    text-decoration:underline;
    text-transform:uppercase;
    }
    .loginsignupbox{
        
    <!-- position:absolute;
    top:5%;
    right:2.7%; -->
    float:right;
    background-color: lightblue;
    overflow:hidden;
    border-bottom-right-radius:10px;
        
        
    }
    .user{
        
        
        border-radius:10px;
        
    }
    .pass{
        
        border-radius:10px;
        
    }
                
                
            </style>    
        
    </head>
    <body>

    <ul>
            <li><a class="links" href="index.html">Home</a></li>
            <li><a class="links" href="news.html">News</a></li>
            <li><a class="links" href="contact.html">Contact</a></li>
            <li><a class="links" href="about.html">About</a></li>
            <li><a class="links" href="filelist.html">Permitted File List</a></li>
            <li><div class="loginsignupbox"></div></li>
        </ul>
        
        <form action="login.php" method=post enctype=text/plain>
            
            Username: <input class="user" name="usern" type=text />
            Password: <input class="pass" name="passw" type=password /> 
            <input class="loginbox" name="submit" value="Login" type=submit />
            <link class="signupbox"><a href="signup.html">Sign Up</a></link>
            
        </form>

    <center><h1 style='font-size:30px;'>Downloads</h1></center>


    <?php
    while ($row mysql_fetch_assoc($ctq)) {
            
        echo 
    "<form method=get>";    
        echo 
    "<table>";    
        echo 
    "<tr> <td>";
        echo 
    "Name: ";
        echo 
    $row['name'];
        echo 
    "</td> </tr> <tr> <td>";
        echo 
    "Type: ";
        echo 
    $row['type'];
        echo 
    "</td> </tr> <tr> <td>";
        echo 
    "Subject: ";
        echo 
    $row['subject'];
        echo 
    "</td> </tr> <tr> <td>";
        echo 
    "Size: ";
        echo 
    $row['size'];
        echo 
    " bytes";
        echo 
    "</td> </tr> <tr> <td>";
        echo 
    "File: ";
        echo 
    " ";
        echo 
    "<a href=dl.php?id=" $row['id'] . "&size=" $row['size'] . "&file=" $row['size'] . ">Download File</a>";
        echo 
    "</td> </tr> <tr> <td>";
        echo 
    "</table>";
        echo 
    "</form>";
    }


    ?>

        
        <center><h1>Advanced Search<h1>
        <br />
        
        
        <form action="IB2Downloads.php" method=post>
        <table border="1px;">
            
            <tr><td>File Name</td><td>Type</td><td>Subject</td><td>Maximum Size</td></tr>
            <tr>
                <td><input type=text name='FLN' /></td>
                <td>
                    <select name='Type'>
                        
                        <option value="ppt">Powerpoint</option>
                        <option value="text/rtf">Text/rtf</option>
                        <option></option>
                        <option></option>
                        <option></option>
                    
                    </select>
                </td>
                <td>
                    <select name='Subject'>
                                                
                        <option value="History">History</option>
                        <option value="Physics">Physics</option>
                        <option value="Chemistry">Chemistry</option>
                        <option value="Biology">Biology</option>
                        <option value="Civics">Civics</option>
                        <option value="Science">Science</option>
                        <option value="Economics">Economics</option>
                        <option value="Spanish">Spanish</option>
                        <option value="Latin">Latin</option>
                        <option value="French">French</option>
                        <option value="Mathematics">Mathematics</option>
                        <option value="English">English</option>
                        <option value="Film">Film</option>
                        <option value="Art">Art</option>
                        <option value="Drama">Drama</option>
                        <option value="Music">Music</option>
                        <option value="Philosophy">Philosophy</option>
                        <option value="TOK">TOK</option>
                        <option value="Mandarin">Mandarin</option>
                        <option value="Korean">Korean</option>
                        <option value="German">German</option>
                    
                    </select>
                </td>
                <td><input type=text name='FS'/></td>
                
                
            </tr>
            
        </table>
        
        <input type=submit />
        
        </form>    
        </center>
        
    </body>
    </html>
    Thanks, Eric
    Last edited by SteeringFaith; 06-01-2012 at 03:52 AM.

  • #2
    New Coder
    Join Date
    Sep 2011
    Posts
    80
    Thanks
    0
    Thanked 13 Times in 12 Posts
    On another note, I can't see anywhere where you are sanatizing data before inserting it into the query, this leaves you wide open to sql injection.

    Look into paramaterized queries or mysql_real_escape_string()


  •  

    Tags for this Thread

    Posting Permissions

    • You may not post new threads
    • You may not post replies
    • You may not post attachments
    • You may not edit your posts
    •