
Forum Moderators: coopster & jatar k


big brother

time record system

   
7:24 pm on Nov 6, 2009 (gmt 0)

5+ Year Member



Hi, can someone help me please. I have a select statement that uses an inner join on two of my tables, prj_name and users. I then want to insert this result into a timesheet. I am using a pop-up that the user uses to select their project and a JavaScript calendar to select the date. The prj_name is being stored and the date and time; what I need to store with this data is the user_name, user_id and maybe the session details. I hope that this makes sense. Here is the select statement:

$query = "SELECT prj_name.prj_name,users.user_name
FROM prj_name INNER JOIN users ON users.user_id = prj_name.user_id
ORDER BY prj_name";

$result_id = mysql_query ($query);
print ("<select name=\"prj_name\">\n");
while (list ($prj_name) = mysql_fetch_row ($result_id))
{
    $prj_name = htmlspecialchars ($prj_name);
    print ("<option value=\"$prj_name\">$prj_name</option>\n");
}
mysql_free_result ($result_id);

function make_popup_menu ($prj_name, $values, $labels, $default)
{
    if (!is_array ($values))
        return ("make_popup_menu: values argument must be an array");
    if (!is_array ($labels))
        return ("make_popup_menu: labels argument must be an array");
    if (count ($values) != count ($labels))
        return ("make_popup_menu: value and label list size mismatch");
    $str = "";
    for ($i = 0; $i < count ($values); $i++)
    {
        # select the item if it corresponds to the default value
        $checked = ($values[$i] == $default ? " selected=\"selected\"" : "");
        $str .= sprintf (
            "<option value=\"%s\"%s>%s</option>\n",
            htmlspecialchars ($values[$i]),
            $checked,
            htmlspecialchars ($labels[$i]));
    }
    # the menu name is the first parameter ($prj_name); $name was undefined here
    $str = sprintf (
        "<select name=\"%s\">\n%s</select>\n",
        htmlspecialchars ($prj_name),
        $str);
    return ($str);
}

print ("</select>\n");
Then the user hits the submit button and this is the insert statement:

$sql = "INSERT INTO `workhours`.`workingtimes` (`id`, `begintime`, `endtime`, `prj_name`, `prj_id`, `employee_id`, `user_name`, `user_id`, `sess_id`) VALUES (NULL,'$_POST[begintime]',NULL,'$_POST[prj_name]','$_POST[prj_id]','$_POST[employee_id]','$_POST[user_name]',NULL,'1234')";

I would appreciate any comments, thanks.

8:53 pm on Nov 6, 2009 (gmt 0)

10+ Year Member




hi can someone help me please.

Having read through your post, you ask for help.. however then do not ask any questions?

Can you be more specific with the issue you are having or the help you need?

Now, moving on to your sql statement.. I would recommend you google "SQL Injection". Inserting input directly into the database without any validation and/or filtering should be avoided.

Cheers.

2:26 pm on Nov 7, 2009 (gmt 0)

5+ Year Member


Hi John, thanks for the prompt reply. My problem is when I hit the submit button on my webpage, the insert statement is only inserting the date and time with prj_name. How do I include an inner join select statement that includes session details and user_id and prj_id? I am not familiar with injection, must take a look. Thanks.
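
Added example (not code from the thread or its participants): one way to write the insert from the first post as a PDO prepared statement, with user_id and the session id taken from the server-side session and an INSERT ... SELECT over the same inner join supplying prj_id and user_name. The prj_id column on prj_name, the 'Y-m-d H:i' date format, the helper name record_start and the sample rows are assumptions; in-memory SQLite stands in for MySQL so the block runs offline.

```php
<?php
// In-memory SQLite with constructed rows stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_name TEXT)");
$db->exec("CREATE TABLE prj_name (prj_id INTEGER PRIMARY KEY, prj_name TEXT, user_id INTEGER)");
$db->exec("CREATE TABLE workingtimes (id INTEGER PRIMARY KEY, begintime TEXT, endtime TEXT,
    prj_name TEXT, prj_id INTEGER, employee_id INTEGER, user_name TEXT, user_id INTEGER, sess_id TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db->exec("INSERT INTO prj_name VALUES (10, 'Website', 1), (11, 'Bob''s Payroll', 2)");

// Hypothetical helper: $userId and $sessId come from the server-side session,
// $post is the submitted form. Returns true when exactly one row was stored.
function record_start(PDO $db, int $userId, string $sessId, array $post): bool
{
    $raw = $post['begintime'] ?? null;
    $prj = $post['prj_name'] ?? null;
    if (!is_string($raw) || !is_string($prj)) {
        return false;
    }
    // Assumed format 'Y-m-d H:i'; the round trip rejects values such as month 13.
    $begin = DateTime::createFromFormat('!Y-m-d H:i', $raw);
    if ($begin === false || $begin->format('Y-m-d H:i') !== $raw) {
        return false;
    }
    // INSERT ... SELECT: prj_id and user_name come from the join, never from the form,
    // and the WHERE clause only matches a project assigned to the logged-in user.
    $stmt = $db->prepare(
        "INSERT INTO workingtimes (begintime, prj_name, prj_id, user_name, user_id, sess_id)
         SELECT :begin, p.prj_name, p.prj_id, u.user_name, u.user_id, :sess
         FROM prj_name p INNER JOIN users u ON u.user_id = p.user_id
         WHERE p.prj_name = :prj AND u.user_id = :uid");
    $stmt->execute([
        ':begin' => $begin->format('Y-m-d H:i:s'),
        ':sess'  => $sessId,
        ':prj'   => $prj,
        ':uid'   => $userId,
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed requests; on the real page pass $_SESSION['user_id'], session_id() and $_POST.
var_dump(record_start($db, 2, 'sess-demo', ['begintime' => '2009-11-06 19:24', 'prj_name' => "Bob's Payroll"])); // quote stored as data
var_dump(record_start($db, 1, 'sess-demo', ['begintime' => '2009-11-06 19:24', 'prj_name' => "Bob's Payroll"])); // not alice's project
var_dump(record_start($db, 1, 'sess-demo', ['begintime' => '2009-13-45 19:24', 'prj_name' => 'Website']));       // invalid date
```

Against MySQL only the PDO DSN and credentials change; the form then needs to submit nothing but begintime and prj_name.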