|
|
Posted by Dave on 06/04/05 02:44
Greg (greg@basssax.com) decided we needed to hear...
> I have a page that searches a database by a repairman's name and by a
> date range. It pulls info by the repairman's name but pulls all info in
> the database regardless of the date. Below is the code of the two
> pages. What am I missing?
<snip>
I've noted a few problems below - there may be more but I only gave it
a fairly quick look.
Lack of indentation makes your code hard to read, and all those
multi-line echo with all the HTML make matters worse IMO.
Your queries look like they are valid, but without seeing the table
definition, and samples of your input, its tough to guess why all dates
and not those you expect are returned.
> <?php
> $search = $_REQUEST['name'];
> $from = $_REQUEST['from'];
> $to = $_REQUEST['to];
You don't validate any of the above vars. What happens if someone
enters invalid dates or other nonesense instead of dates? What
happens if from date comes after to date?
> if($search) // perform search only if a string was entered.
It is best to use isset on your $_REQUEST variables, *then* validate
and use their contents.
You use $_REQUEST which gives both GET and POST variables, but your
form is set to POST. You should really be using $_POST.
> {
> mysql_connect("192.168.1.8","root","passwordhere");
> mysql_select_db("repair"); //database name
> $srch = "%".$search."%";
> $query = "SELECT * FROM repair WHERE repairman LIKE '$srch' AND
> daterepaired BETWEEN '$from' AND '$to'";
from and to are not validated to it would be easy for someone to
delete your data via SQL-injection.
> $total = "SELECT SUM(price) as price FROM repair WHERE repairman LIKE
> '$srch' AND daterepaired BETWEEN '$from' AND '$to'";
> $result = mysql_db_query("repair", $query) or die("MySQL error
> #".mysql_errno().":".mysql_error());
You've already selected the repair database above, so you might as
well use mysql_query() instead.
> $addtotal = mysql_db_query("repair", $total) or die("MySQL error
> #".mysql_errno().":".mysql_error());
> if ($result)
Consider testing mysql_num_rows(). You've already determined that the
query worked (it dies on error), so you may as well proceed based on
number of rows returned.
> {
> echo "<font face='Tahoma' size=2><P><CENTER><IMG SRC='images/MCLogo.jpg
> WIDTH='576' HEIGHT='87' NATURALSIZEFLAG='0'
> ALIGN='BOTTOM'></CENTER></P></font>
> <br>
> <br>
> echo "<table border=0 cellpadding=3 cellspacing=5>
<snip some code>
> <td width=10><font size=2 color=#FFFF00
> face=tahomo><b>M&R</b></font></td>
> </tr>;
There is a " missing in the line above.
>
> while ($r = mysql_fetch_array($result)) {//Begin while
<snip some code>
> <?
> include("footer.php";
There is a ) missing above. Did you copy/paste or retype this code? It
won't run at all in its present form.
> ?>
<snip>
--
Dave <dave@REMOVEbundook.com>
(Remove REMOVE for email address)
Navigation:
[Reply to this message]
|