Posted by Erwin Moller on 11/03/59 11:32
Wendy Hoovens wrote:
Hi Wendy,
I put a few suggestions between your lines.
> Hello everybody!
>
> I'm new to PHP, did an Access course, but this is quite new. I'm not
> planning to do a lot of programming in the future but I like to finish
> things, so here I go :)
>
> From another script i took the date code to put this in a variable for
> the select statement.
>
> Unfortunately it doesn't give me the result, a row with the amount of
> magazines per location.
>
> After some googling this has probably something to do with fetch_rows but
> I can't figure it out myself :(
>
> Thanks a lot for the advice and sorry for my bad English :)
>
> Greetings, Wendy
You must be Dutch too. :P
>
> <HTML>
> <HEAD><TITLE>Overzicht films</TITLE></HEAD>
> <BODY>
> <h1 align=center>Overzicht</h1>
> <?
> require ('connect.inc');
> ?>
>
> <form method=post>
While this is fine, I always put the action in too.
<FORM action="somescript.php" Method="POST">
(I am unsure if leaving the action out will always default to the same
script, or just on your browser. )
> Begindatum:
> <select name=dag1>
> <?
> $i=0;
> while ($i<31){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select>
> <select name=maand1>
> <?
> $i=0;
> while ($i<12){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select>
> <select name=jaar1>
> <?
> $i=2004;
> while ($i<2007){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select><br>
>
> Einddatum
> <select name=dag2>
> <?
> $i=0;
> while ($i<31){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select>
> <select name=maand2>
> <?
> $i=0;
> while ($i<12){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select>
> <select name=jaar2>
> <?
> $i=2004;
> while ($i<2007){
> $i++;
> echo "<option value=$i>$i</option>";
> }
> ?>
> </select>
> <input type=submit value=opvragen>
> <input type=hidden value=1 name=opgevraagd>
> </form>
>
> <?
>
> $start="$_POST[jaar1]"."-"."$_POST[maand1]"."-"."$_POST[dag1]";
> $eind="$_POST[jaar2]"."-"."$_POST[maand2]"."-"."$_POST[dag2]";
Ok, this is bad.
While it is fine when learning how PHP works, you have a possible target
for the bad guys.
It is called SQL injection, and boils down to this:
The bad guy posts something completely different than you expect, so your
$_POST["jaar1"] contains no number, but a piece of SQL that will e.g.
destroy a table, or give rights to a certain user, etc.
It is too complicated to explain here, but this is safer:
If you expect numbers, explicitly cast it to integer.
$start = (int)$_POST["jaar1"];   // year
$start.= "-";
$start.= (int)$_POST["maand1"];  // month
$start.= "-";
$start.= (int)$_POST["dag1"];    // day
It is safer because if $_POST["jaar1"] contains something else than a
number, it will be cast to a number, and you might get a notice (error).
If you expect strings, make sure they are safe for your database by using
addslashes for example. (Read on at www.php.net if you need more
information. Search for SQL injection)
> ?>
> <hr>
> <?
> $result = mysql_query("SELECT location, COUNT(type) FROM bib WHERE type
> =\"magazine\" AND datum>=\"$start\" AND datum<=\"$eind\" GROUP BY
> locatie");
Shouldn't that be 'location' instead of 'locatie' ?
Also, if you do it like above you will never see where you made the mistake.
Simply change to this:
$SQL = "SELECT location, COUNT(type) FROM bib WHERE ";
$SQL.= "((type='magazine') AND ";
$SQL.= "(datum>='$start') AND ";
$SQL.= "(datum<='$eind')) GROUP BY location";
Before executing, just echo your $SQL:
echo $SQL;
Simple as that, now you see the SQL you are going to execute and can see the
errors right away, like the fact you mixed the words location and locatie.
Copy the SQL and try to execute it straight away against the database, using
a commandline tool or something. (Depends on your database).
ALWAYS just check the SQL when you are uncertain.
Then try: $result = mysql_query($SQL);
> echo "$result";
That doesn't make sense.
The $result contains a complex structured array, called a 'resource', that
might contain all the rows if the query was successful, besides possible
other stuff. You cannot just echo it.
Try this instead:
<pre>
<? print_r($result); ?>
</pre>
Now you get a dump of the $result.
If you want to use the $result to display things that your query returned,
loop over the resultset.
Read on here on how and what and many examples too:
http://nl3.php.net/manual/en/function.mysql-query.php
Good luck.
Regards,
Erwin Moller
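A worked version of the integer-cast advice from the reply, as an added example (not code from the original post): it casts the three posted fields, rejects impossible dates with checkdate(), and only then builds the query text. The field names follow the form quoted above; the sample $_POST arrays are constructed, and the code assumes PHP 7 or later.

```php
<?php
// Added example (not from the original post): build a 'YYYY-MM-DD'
// value from the posted day/month/year fields of the form above
// (dag1/maand1/jaar1 for the start date, dag2/maand2/jaar2 for the end).
// Needs PHP 7 or later for the ?? operator.
function postedDate(array $post, string $suffix): ?string
{
    // (int) keeps only a leading number: "2005; DROP TABLE bib" becomes
    // 2005 and "abc" becomes 0, so no SQL text survives the cast.
    $dag   = (int)($post['dag' . $suffix]   ?? 0);
    $maand = (int)($post['maand' . $suffix] ?? 0);
    $jaar  = (int)($post['jaar' . $suffix]  ?? 0);
    // checkdate() rejects impossible combinations such as 31 February.
    if (!checkdate($maand, $dag, $jaar)) {
        return null;
    }
    // Zero-pad so the string compares correctly against a DATE column.
    return sprintf('%04d-%02d-%02d', $jaar, $maand, $dag);
}

// The query from the reply, built only from validated dates.
function magazineCountSql(array $post): ?string
{
    $start = postedDate($post, '1');
    $eind  = postedDate($post, '2');
    if ($start === null || $eind === null) {
        return null; // refuse to build a query from bad input
    }
    return "SELECT location, COUNT(type) FROM bib WHERE "
         . "(type='magazine') AND (datum>='$start') AND (datum<='$eind') "
         . "GROUP BY location";
}

// Constructed sample input: a normal request.
$normal = ['dag1' => '5', 'maand1' => '3', 'jaar1' => '2005',
           'dag2' => '31', 'maand2' => '12', 'jaar2' => '2006'];
echo magazineCountSql($normal), "\n";

// Constructed sample input: SQL smuggled into jaar1; the cast strips it.
$hostile = $normal;
$hostile['jaar1'] = "2005; DROP TABLE bib";
echo magazineCountSql($hostile), "\n";

// Constructed sample input: an impossible date, refused by checkdate().
$impossible = $normal;
$impossible['dag1'] = '31';
$impossible['maand1'] = '2';
var_dump(magazineCountSql($impossible));
```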