| combobox [message #177312] |
Wed, 07 March 2012 21:15  |
ecu_jon
Messages: 3
Registered: March 2012
Karma: 0
|
Junior Member |
|
|
i am trying to make a combo box, choose from a list or type in new. i
lifted code from another page i did that had the drop-down list, and
tried to add it to several text boxes. it is not pushing the choice
choosen from the drop-down on to the nextpage/sql. frustraded, i
didn't do much more then copy pasta from the other page, just massaged
it a little to fit in, just does not work. have excluded the fluff
html surrounding this, just imagine basic html,head,body tags.
<?php
$host="localhost"; // Host name
$username="name"; // Mysql username
$password="pword"; // Mysql password
$db_name="name"; // Database name
$tbl_name="othername"; // Table name
mysql_connect("$host", "$username", "$password")or die("cannot
connect");
mysql_select_db("$db_name")or die("cannot select DB");
$result = mysql_query("SELECT DISTINCT client FROM client ORDER BY
client ASC") or die(mysql_error());
echo '<form action="./page5.php" method="post"><pre>';
echo 'Client ';
echo '<select name="option">';
while($row= mysql_fetch_array($result)){
echo "<option value=\"$row[client]\">$row[client]</option>\n";}
mysql_close();
echo '</select>';
echo '<input type="text" maxlength="70" name="Client"><br />';
echo 'Site <input type="text" maxlength="70"
name="Site"><br />';
echo 'First,Last Name <input type="text" maxlength="20"
name="Uname"><br />';
echo 'User ID <input type="text" maxlength="20"
name="Uid"><br />';
echo 'Password <input type="text" maxlength="20"
name="Password"><br />';
echo 'Status <input type="text" maxlength="20"
name="Status"><br />';
echo '<input type="submit" value="submit" name="submit"><br />';
echo '</pre></form>';
if(isset($_POST['Client'])) $Client = $_POST['Client'];
if(isset($_POST["Site"])) $Site = $_POST["Site"];
if(isset($_POST["Uname"])) $Uname = $_POST["Uname"];
if(isset($_POST["Uid"])) $Uid = $_POST["Uid"];
if(isset($_POST["Password"])) $Password = $_POST["Password"];
?>
|
|
|
|
| Re: combobox [message #177313 is a reply to message #177312] |
Thu, 08 March 2012 06:28  |
Scott Johnson
Messages: 196
Registered: January 2012
Karma: 0
|
Senior Member |
|
|
On 3/7/2012 1:15 PM, ecu_jon wrote:
> i am trying to make a combo box, choose from a list or type in new. i
> lifted code from another page i did that had the drop-down list, and
> tried to add it to several text boxes. it is not pushing the choice
> choosen from the drop-down on to the nextpage/sql. frustraded, i
> didn't do much more then copy pasta from the other page, just massaged
> it a little to fit in, just does not work. have excluded the fluff
> html surrounding this, just imagine basic html,head,body tags.
>
> <?php
>
> $host="localhost"; // Host name
> $username="name"; // Mysql username
> $password="pword"; // Mysql password
> $db_name="name"; // Database name
> $tbl_name="othername"; // Table name
> mysql_connect("$host", "$username", "$password")or die("cannot
> connect");
> mysql_select_db("$db_name")or die("cannot select DB");
> $result = mysql_query("SELECT DISTINCT client FROM client ORDER BY
> client ASC") or die(mysql_error());
> echo '<form action="./page5.php" method="post"><pre>';
> echo 'Client ';
> echo '<select name="option">';
> while($row= mysql_fetch_array($result)){
> echo "<option value=\"$row[client]\">$row[client]</option>\n";}
> mysql_close();
> echo '</select>';
> echo '<input type="text" maxlength="70" name="Client"><br />';
> echo 'Site<input type="text" maxlength="70"
> name="Site"><br />';
> echo 'First,Last Name<input type="text" maxlength="20"
> name="Uname"><br />';
> echo 'User ID<input type="text" maxlength="20"
> name="Uid"><br />';
> echo 'Password<input type="text" maxlength="20"
> name="Password"><br />';
> echo 'Status<input type="text" maxlength="20"
> name="Status"><br />';
> echo '<input type="submit" value="submit" name="submit"><br />';
> echo '</pre></form>';
> if(isset($_POST['Client'])) $Client = $_POST['Client'];
> if(isset($_POST["Site"])) $Site = $_POST["Site"];
> if(isset($_POST["Uname"])) $Uname = $_POST["Uname"];
> if(isset($_POST["Uid"])) $Uid = $_POST["Uid"];
> if(isset($_POST["Password"])) $Password = $_POST["Password"];
> ?>
It would be nice if you could at least put some effort and clean up this
code so it is a bit more readable since you are asking others to
decipher it.
So I will work backwards.
What code is on page5?
What do you get on page5 if you add
print_r($_POST);
|
|
|
|
| Re: combobox [message #177314 is a reply to message #177313] |
Thu, 08 March 2012 13:27 |
ecu_jon
Messages: 3
Registered: March 2012
Karma: 0
|
Junior Member |
|
|
here is page5
there is the first 6 lines that set up stuff to connect to db.
the 4 if isset's get the Post variables from inputpage(above)
then the mysql insert into db command.
and it looks like it mangled the longer lines. the sql statement will
probably come out weird.
<html>
<head>
<link rel="stylesheet" type="text/css" href="mystyle.css" />
<?php
$Status = $_POST["Status"];
$host="localhost"; // Host name
$username="user"; // Mysql username
$password="password"; // Mysql password
$db_name="name"; // Database name
$tbl_name="name"; // Table name
mysql_connect("$host", "$username", "$password")or die("cannot
connect"); //sql connection to db
mysql_select_db("$db_name")or die("cannot select DB"); //select db sql
command
if(isset($_POST['Client'])) $Client = $_POST['Client']; //check if
value from POST, sev variable to value
if(isset($_POST["Site"])) $Site = $_POST["Site"];
if(isset($_POST["Uname"])) $Uname = $_POST["Uname"];
if(isset($_POST["Uid"])) $Uid = $_POST["Uid"];
if(isset($_POST["Password"])) $Password = $_POST["Password"];
mysql_query("INSERT INTO client
(client, site, user, userid, password, status) VALUES('$Client',
'$Site', '$Uname', '$Uid', '$Password', '$Status') ")
or die(mysql_error()); //insert above variables into db
echo "user added".$Client;
mysql_close();
?>
<br><br>
<a href="./login_success.php">Back Home</a>
</body>
</html>
|
|
|
|
| Re: combobox [message #177315 is a reply to message #177314] |
Thu, 08 March 2012 13:58 |
Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 3/8/2012 8:27 AM, ecu_jon wrote:
> here is page5
> there is the first 6 lines that set up stuff to connect to db.
> the 4 if isset's get the Post variables from inputpage(above)
> then the mysql insert into db command.
> and it looks like it mangled the longer lines. the sql statement will
> probably come out weird.
> <html>
> <head>
> <link rel="stylesheet" type="text/css" href="mystyle.css" />
> <?php
> $Status = $_POST["Status"];
> $host="localhost"; // Host name
> $username="user"; // Mysql username
> $password="password"; // Mysql password
> $db_name="name"; // Database name
> $tbl_name="name"; // Table name
> mysql_connect("$host", "$username", "$password")or die("cannot
> connect"); //sql connection to db
> mysql_select_db("$db_name")or die("cannot select DB"); //select db sql
> command
> if(isset($_POST['Client'])) $Client = $_POST['Client']; //check if
> value from POST, sev variable to value
> if(isset($_POST["Site"])) $Site = $_POST["Site"];
> if(isset($_POST["Uname"])) $Uname = $_POST["Uname"];
> if(isset($_POST["Uid"])) $Uid = $_POST["Uid"];
> if(isset($_POST["Password"])) $Password = $_POST["Password"];
> mysql_query("INSERT INTO client
> (client, site, user, userid, password, status) VALUES('$Client',
> '$Site', '$Uname', '$Uid', '$Password', '$Status') ")
> or die(mysql_error()); //insert above variables into db
> echo "user added".$Client;
> mysql_close();
> ?>
> <br><br>
> <a href="./login_success.php">Back Home</a>
> </body>
> </html>
>
What a mess.
First of all, as Scott indicated, if you want help, make the effort to
clean up your code. This may mean you actually have to do something
other than cut and paste - that is, you might have to actually put a
little effort into formatting your test.
Also, you never posted the contents of the $_POST superglobal like Scott
asked.
As to your problems. First of all, don't use "or die('message')" in
production code. This will send invalid HTML to the browser (i.e. it
terminates all output in the middle of the page). If the query fails,
handle it gracefully (and perhaps log the error so you can see what
happened later).
Your select box has a name of "option", but you are never referring to
that item on your second page. That's why you're not getting anything.
You're checking to see if $_POST('Client') is set, which is good. But
what happens if it's not set (the same for the rest of your values)?
You're still going to try to insert the data into the database, which
will result in an invalid SQL statement.
Also, try to insert the name "O'Casey". It will fail. ALL strings used
in SQL statements need to be processed by mysql_real_escape_string().
That's a place for you to start, anyway.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
|
|
|
|
| Re: combobox [message #177316 is a reply to message #177314] |
Thu, 08 March 2012 14:21 |
ecu_jon
Messages: 3
Registered: March 2012
Karma: 0
|
Junior Member |
|
|
i got it to work. thanks for forcing me to look again at what was
getting POST 'ed on page5. once i saw the values were not exactly what
i though, i could figure it out. i made the drop-down part of the box
a new variable, and added an option for creating a new(using the
textbox). then on page5 did a if drop-down != first option, set
variable to Client. Just below
if(isset($_POST['Client'])) $Client = $_POST['Client']; so it would
overwrite the Client variable.
did some testing, if i choose something else in drop-down nothing in
textbox, it does as expected.
if i choose first value and write in text box it adds new, as
expected.
and if you do both pick from drop-down (not first value) and write in
text it chooses the drop-down value to write to db.
now if we could just get a real combo-box option somehow ...
|
|
|
|
| Re: combobox [message #177320 is a reply to message #177316] |
Fri, 09 March 2012 10:06 |
Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
|
Senior Member |
|
|
On 3/8/2012 3:21 PM, ecu_jon wrote:
> i got it to work. thanks for forcing me to look again at what was
> getting POST 'ed on page5. once i saw the values were not exactly what
> i though, i could figure it out. i made the drop-down part of the box
> a new variable, and added an option for creating a new(using the
> textbox). then on page5 did a if drop-down != first option, set
> variable to Client. Just below
> if(isset($_POST['Client'])) $Client = $_POST['Client']; so it would
> overwrite the Client variable.
> did some testing, if i choose something else in drop-down nothing in
> textbox, it does as expected.
> if i choose first value and write in text box it adds new, as
> expected.
> and if you do both pick from drop-down (not first value) and write in
> text it chooses the drop-down value to write to db.
>
> now if we could just get a real combo-box option somehow ...
Please reread Jerry's warning.
You said nothing about avoiding SQL-injection.
If the code stays the same, you have just opened a security hole.
SQL-injection primer:
======== WRONG ===========
$firstname = $_POST["firstname"];
$favcolor = $_POST["favcolor"];
$SQL = "INSERT INTO tblprefs (firstname,color) VALUES ";
$SQL .= "('"& $firstname &"','"& $favcolor &"');";
some_db_execute ($SQL);
No, if $_POST["firstname"] contains something nice like "Joe" (without
the ") and $favcolor contains "blue" you'll get the following SQL:
INSERT INTO tblprefs (firstname,color) VALUES ('Joe','blue');
Which is fine. So if you test with Joe and blue you won't notice any
problems.
Now to SQL injection:
Suppose a funny guy posts the following:
$_POST["firstname"] contains: Joe
and
$_POST["favcolor"] contains:
ha!'); DELETE FROM tblprefs; INSERT INTO tblprefs (firstname,color)
VALUES ('Hacked by','whitehat
Now you SQL becomes:
INSERT INTO tblprefs (firstname,color) VALUES ('Joe','ha!');
DELETE FROM tblprefs;
INSERT INTO tblprefs (firstname,color) VALUES ('Hacked by','whitehat');
You don't want that SQL to execute, do you?
And all
Solution: ESCAPE YOUR STRINGS!
All databases offer functions for this.
Regards,
Erwin Moller
--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]