Databases Forum
checkbox form, php, and mysql code will kill me for sure
checkboxes php mysql forms
Battleship40
msg:4339455, 12:37 pm on Jul 14, 2011 (gmt 0)

I have been struggling with a plant search form for days...FYI: I am a beginner with PHP and mySQL database management. I am trying to pull data from mySQL database using a form with checkboxes and it is failing on me miserably. I just want whatever someone checks to pull from the database and display on an html page.

Here's the form:

<form name="form2" method="post" action="mSearch2.php">
<input type="hidden" name="check_submit" value="1" />
<h3 align="center">Light</h3>
<div align="center">
<input type="checkbox" name="light[]" value="Full Sun" checked="checked" /> Full Sun

<input type="checkbox" name="light[]" value="Part Sun Shade" /> Part Sun Shade
<input type="submit" name="Submit" value="GO" style="font-family: Arial; font-size: 13pt; color: #000000" />
</div>
</form>


Here's the first mSearch2.php file:


<?php
$host = "";
$user = "";
$pass = "";
$dbname = "";

$connection = mysql_connect($host,$user,$pass) or die (mysql_errno().": ".mysql_error()."<BR>");
mysql_select_db($dbname);

if (isset($_POST['light'])) {
    $query = "SELECT * FROM findplantsdb WHERE Light IN (".implode(",", array_keys($_POST['light'])).")";

    $result = mysql_query($query) or die (mysql_error());
    $num_of_rows = mysql_num_rows($result);

    if ($num_of_rows > 0)
    {
        // put while loop and all output here
    }
    else
    {
        echo "No results found";
    }
    while($row = mysql_fetch_assoc($result))
    {
        echo "<a href='categories.php?pullname=". $row['Name']. "'>".stripslashes(htmlspecialchars($row['Name'])).'</a><br />';
    }
}
?>


And finally, here is the categories.php file to turn what I pull into links:


<?php
// Make a MySQL Connection
mysql_connect("", "", "") or die(mysql_error());
mysql_select_db("") or die(mysql_error());

$query= "select * from findplantsdb where Name='" . $_GET['pullname'] . "'";
$result= mysql_query($query);
$num_results = mysql_num_rows($result);

for ($i=0; $i <$num_results; $i++)
{
$row = mysql_fetch_array($result);

echo "<h4> ", $row['Name'], " &nbsp; ", $row['Patent'], "</h4> ",$row['Common'], "<p> Height: ", $row['Hname'], "<br> Spread: ", $row['Sname'], "<br> Color: ", $row['Color'], "<br> Light: ", $row['Light'], "<br> Zone: ", $row['Zone'], "<p> <img src=",$row['Picname'], " /> <p><p>", $row['Notes'], "<p><p> <hr width='50%' size='1' color='#A3A3A3'><p>";
}

?>


Right now - what this is doing is pulling all plant material. For this form I just need it to pull whatever the person checks. Any assistance would be greatly appreciated and might just save me from throwing myself in front of a bus.

LifeinAsia
msg:4339527, 3:49 pm on Jul 14, 2011 (gmt 0)

Welcome to WebmasterWorld!

Some ideas I have:
1) You may have a problem with name="light[]" in the checkbox tag. Never tried using non-alphanumeric values in a name- not sure they're legal.
2) Output the $query variable and make sure it's what you are expecting it to be.
3) Does any of the data in the Name field of findplantsdb have spaces, parentheses, or other non-alphanumeric characters?
4) If this is going to be a public web site, you definitely need to do some work to prevent SQL injection. Otherwise, someone could easily delete all the data in your table by adding some SQL code to the end of the link to categories.php.

Battleship40
msg:4339544, 4:28 pm on Jul 14, 2011 (gmt 0)

Thanks LifeinAsia,

for the categories.php file, is this all I need to do in order to be protected:



// Connect
$link = mysql_connect('', '', '')
OR die(mysql_error());

// Query
$query = sprintf("SELECT * FROM findplantsdb WHERE Name='" . $_GET['pullname'] . "'";
$result= mysql_real_escape_string($query),
$num_results= mysql_real_escape_string($result));


and is this the only file I need to protect?

Thank you for your help. Oh, and it is pulling data - the problem is that it is pulling ALL plant data, not just the checked item.

LifeinAsia
msg:4339555, 4:45 pm on Jul 14, 2011 (gmt 0)

$query = sprintf("SELECT * FROM findplantsdb WHERE Name='" . $_GET['pullname'] . "'";
$result= mysql_real_escape_string($query),

Seems rather weak to me... I'd rather do some sanitizing on GET['pullname'] before you build the query string.

Personally, I would reference data in findplantsdb by an INT field and use that value instead of the Name field. Then, all you need to do is verify that GET['pullname'] is an integer value- throw an error if anything else.

Output $query to the screen- what is the value of the string?
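Both pages rebuilt along the lines LifeinAsia suggests, as an added example that is not code from the thread: the checkbox values are whitelisted and bound as a parameterised IN list (using the values, not the keys, which is what produced the `IN (0)` query), and categories.php looks plants up by a validated integer id instead of by Name. It assumes PHP 7.4+, a PDO connection, and an integer primary key `id` on findplantsdb that the original table does not show.

```php
<?php
// Added example, not the thread's code. Assumes PHP 7.4+, PDO, and an integer
// primary key `id` on findplantsdb (LifeinAsia's INT field; not in the original table).
$pdo = new PDO('mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASS',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// The only values the form can legitimately send; anything else is dropped.
const LIGHT_OPTIONS = ['Full Sun', 'Part Sun Shade'];

// Reduce $_POST['light'] to known values (array_values, not array_keys, which
// is what produced "IN (0)" in the original code).
function cleanLightChoices($posted): array {
    if (!is_array($posted)) {
        return [];
    }
    $known = array_filter($posted, fn($v) => is_string($v) && in_array($v, LIGHT_OPTIONS, true));
    return array_values(array_unique($known));
}

// mSearch2.php: plants whose Light matches any checked box.
function searchPlants(PDO $pdo, array $light): array {
    if ($light === []) {
        return []; // "IN ()" is a syntax error, so do not query at all
    }
    // One ? per value, bound by execute(); user input never enters the SQL text.
    $placeholders = implode(',', array_fill(0, count($light), '?'));
    $stmt = $pdo->prepare("SELECT id, Name FROM findplantsdb WHERE Light IN ($placeholders)");
    $stmt->execute($light);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// categories.php: look a plant up by integer id, as LifeinAsia recommends.
function plantById(PDO $pdo, $rawId): ?array {
    // Only a plain positive integer passes; "12 OR 1=1" and "12abc" are rejected.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // treat as "no such plant" (e.g. send a 404)
    }
    $stmt = $pdo->prepare('SELECT * FROM findplantsdb WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Search page output: escape every value before it is written into HTML.
foreach (searchPlants($pdo, cleanLightChoices($_POST['light'] ?? null)) as $row) {
    $name = htmlspecialchars($row['Name'], ENT_QUOTES, 'UTF-8');
    echo "<a href='categories.php?id=" . (int)$row['id'] . "'>" . $name . "</a><br />";
}
```

In categories.php the same pattern applies: call plantById($pdo, $_GET['id'] ?? null) and render the row only when it is not null, escaping each field with htmlspecialchars as above.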

Battleship40
msg:4339637, 7:02 pm on Jul 14, 2011 (gmt 0)

For all the plants that it listed, it said this when I did a query to screen:

SELECT * FROM findplantsdb WHERE Light IN (0)ROSA CROWD PLEASER HT


It lists ALL the plants in the db and I need it to just list the ones that coincide with the user's check (Full Sun or Part Sun Shade).

LifeinAsia
msg:4339732, 10:20 pm on Jul 14, 2011 (gmt 0)

I'm surprised the query even ran- that's not valid SQL syntax.
