Posted by Jochem Maas on 10/04/36 11:10
Jackson Linux wrote:
> Okay, guys,
> I hope I'm getting closer with your help here but I am still highly
> confused (that's actually a general blanket statement these days).
>
> I've taken your advice and made several changes,
>
> On 9 Mar 2005, at 13:44, Jochem Maas wrote:
>
>> M. Sokolewicz wrote:
>>
>>> Jackson Linux wrote:
>>>
>>>> Hi,
>>>> This:
>>>>
>>>> if (isset($_GET['r']) &&
>>>> !empty($_GET['r']) &&
>>>> ($r = intval($_GET['r'])) ){
>>
>>
>> does nobody notice the last 'bit' of the if expression??
>> if the IF statement evaluates to true then $r _has_ been set!!!
>
>
> That makes sense now.
>
>>
>>>> $r = "{$_GET['r']}"; //Set the variable $r to mean the category number
>>>
>>> gods, that's an ugly statement... why don't you simply use $r =
>>> $_GET['r']; ????
>>
>>
>> that leaves him completely open to SQL injection.
>> but you're right in that writing this:
>>
>> $r = "{$_GET['r']}";
>>
>> ... is just plain wasteful, pointless and looks ugly.
>> and given the fact that $r is already set (see above) there is
>> no need to set it again at all.
>
>
> I see that now; thanks, I removed it
>
>> I think you're almost there Jackson, keep hacking :-)
>>
> Thanks for the encouragement! But there's more...
>
>>>>
>>>> $sort = "ORDER BY cv.sort";
>>>> } else {
>>>> $where = '';
>>>> $fields = 'cv.cv_id,cv.category,dates,cv.job_title,cv.company,cv.job,cv.sort,jobcat.category';
>>>> $sort = "ORDER BY cv.sort";
>>>> }
>>>>
>>>> //Make the sql based on the joining of the table and intersection
>>>> table
>>>> $sql = "
>>>> SELECT
>>>> cv.cv_id,cv.category,dates,cv.job_title,cv.company,cv.job,cv.sort,jobcat.category
>>>> FROM cv, cvjobcats, jobcat
>>>> WHERE cvjobcats.cv_id=cv.cv_id AND cvjobcats.jobcat_id = $r AND
>>>> jobcat.jobcat_id=cvjobcats.jobcat_id";
>>>>
>>>> Works whenever there is an ?r= specified. When there is no r
>>>> specified it chokes on
>>>>
>>>> WHERE cvjobcats.cv_id=cv.cv_id AND cvjobcats.jobcat_id = $r AND
>>>> jobcat.jobcat_id=cvjobcats.jobcat_id";
>>>>
>>>> because there's no value to $r.
>>>>
>>>> it also opens me up to allowing anyone to state *anything* after
>>>> the ?.
>>>>
>>>> So can I make an else statement which will say that if there's no
>>>> r= or a wrong r= or even no ? at all then it should print a menu
>>>> to $r's which actually exist in the database? How?
>>>>
>>>> Thanks in advance!!!
>>>
>>> You have 3 conditions in a single expression. Split that expression up
>>
>>
>> Jackson got that bit from me - I don't think he is fully aware of
>> what that
>> expression is doing!
>>
>> the 'sum' of those conditions determines that either $r is 'good' or
>> 'bad'
>> (whether $r is garbage or not set didn't seem like a difference worth
>> bothering
>> with)
>>
>
> No, I didn't and I actually still don't. I've implemented the change
> below, breaking up the if(isset)$_GET['r']) bit (making it easier to
> follow indeed, thank you!) but I am confused as to how to break that
> three-condition statement split based on that change.
>
>
>>> into multiple expressions, so you can check each (or a combination
>>> of 2) individually.
>>
>>
>> this is a good idea to better understand what is going on!
>>
>>> so, instead of:
>>> if (isset($_GET['r']) && !empty($_GET['r']) && ($r =
>>> intval($_GET['r']))){
>>> do:
>>> if (isset($_GET['r'])) {
>>> if(!empty($_GET['r']) && ($r = intval($_GET['r']))){
>>> // do whatever
>>> } else {
>>> // something boring
>>> }
>>> } else {
>>> // not set
>>> }
>>
>>
> The code below is where I am now. I'm trying to document a bit better,
> and clean it up. And I still don't have any clue as to how to make it
> redirect if someone requests no ?r= or a bad one. Can someone help
> please?
>
>
> <snip>
> if (isset($_GET['r'])) {
> if(!empty($_GET['r']) && ($r = intval($_GET['r']))){
> $fields = '*';
> $where = "WHERE cvjobcats.cv_id=cv.cv_id AND cvjobcats.jobcat_id = '$r' AND jobcat.jobcat_id=cvjobcats.jobcat_id";
> $sort = "ORDER BY cv.sort"; // Assemble the category items in r=x
> } else {
> // Is this where I'd say IF no $r is set then redirect?
> }
> }
>
all you need is 1 if (or if/else) statement, note that my example
is the logical reverse of the first if statement I posted (in reply
to your question):
if (!isset($_GET['r']) || empty($_GET['r']) || !($r = intval($_GET['r']))) {
// _GET['r'] is either not set, empty or not a positive int greater than zero.
// the required var is 'bad' so lets redirect the user.
if (!headers_sent()) {
header('location: /yourRvarsucks.php');
} else {
// you'll have to figure out what to do yourself
// if you want to redirect and headers have already been sent!
}
exit;
}
// now comes the rest of the script (build SQL, run it, output the data)
$where = "WHERE cvjobcats.cv_id=cv.cv_id
AND cvjobcats.jobcat_id = '$r'
AND jobcat.jobcat_id=cvjobcats.jobcat_id";
$sort = "ORDER BY cv.sort";
// etc etc ...
> //Make the sql based on the joining of the table and intersection table
> $sql = "
> SELECT
> cv.cv_id,cv.category,dates,cv.job_title,cv.company,cv.job,cv.sort,jobcat.category
> FROM cv, cvjobcats, jobcat
> $where
> $sort
> ";
>
> $result = mysql_query($sql); // run the query once and check it before fetching
>
>
> if (!$result) {
> echo "Could not successfully run query ($sql) from DB: " .
> mysql_error();
> exit;
> }
>
>
> if (mysql_num_rows($result) == 0) {
> echo "No rows found, nothing to print so am exiting";
> exit;
> }
>
> $cv = mysql_fetch_assoc($result); // first row, fetched only after the checks above
> $table_of_contents = array();
> </snip>
>
> Thanks in advance!!
>
> --Jack
>
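As an added example, not code from anyone in this thread: the same "r is good or bad" test written as one function, with the bad case answered by a menu of the categories that actually exist in jobcat (what Jackson asked for) and the good case run through a PDO prepared statement in place of mysql_query(). It assumes an open PDO connection in $pdo and the thread's table and column names; categoryIdFromRequest is a name made up here.

```php
<?php
// Added example, not code from the thread. Assumes a PDO connection in $pdo and
// the thread's tables (cv, cvjobcats, jobcat); categoryIdFromRequest is invented.

// The thread's three-condition test as one function: returns the category id
// as a positive int, or null when r is absent, empty or not a positive integer.
function categoryIdFromRequest(array $get): ?int
{
    if (!isset($get['r']) || !is_string($get['r']) || $get['r'] === '') {
        return null;
    }
    // ctype_digit() rejects "12abc", "-3" and " 7", which intval() would coerce.
    if (!ctype_digit($get['r'])) {
        return null;
    }
    $r = (int) $get['r'];
    return $r > 0 ? $r : null;
}

$r = categoryIdFromRequest($_GET);

if ($r === null) {
    // Bad or missing r: show a menu of real categories instead of an empty WHERE.
    $menu = $pdo->query('SELECT jobcat_id, category FROM jobcat ORDER BY category');
    foreach ($menu->fetchAll(PDO::FETCH_ASSOC) as $row) {
        printf("<a href=\"?r=%d\">%s</a><br>\n", $row['jobcat_id'],
            htmlspecialchars($row['category'], ENT_QUOTES, 'UTF-8'));
    }
    exit;
}

// Good r: bound as an integer parameter, so it never becomes part of the SQL text.
$stmt = $pdo->prepare(
    'SELECT cv.cv_id, cv.category, dates, cv.job_title, cv.company, cv.job,
            cv.sort, jobcat.category AS jobcat_category
     FROM cv
     JOIN cvjobcats ON cvjobcats.cv_id = cv.cv_id
     JOIN jobcat ON jobcat.jobcat_id = cvjobcats.jobcat_id
     WHERE cvjobcats.jobcat_id = :r
     ORDER BY cv.sort'
);
$stmt->bindValue(':r', $r, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
if (!$rows) {
    echo 'No rows found for category ' . $r;
    exit;
}
```

The two `category` columns are given distinct names in the SELECT because an associative fetch would otherwise keep only one of them.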