concrete Posted January 12, 2012 Share Posted January 12, 2012 Hi all, I am new to PHP and MySQL and I am expierencing an issue which i need help with. I am creating a pupil record system for an assignment in Uni. we have been given some sample code and we have to build onto this and finish the system. I have created an add a student page and when the student is added I want to move to the next page and then display the record that has been added (see image below) Also see code below <?php print "<H2>Thank you, <i>"; print $_POST['firstname']; print " "; print $_POST[ 'surname']; print "</i> has been sucessfully added to the system.</H2>"; print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>"; function doquery($query) { $db = "prs"; $link = mysql_connect("localhost","..........","........") or die("Could not connect to server! Error: ".mysql_error()); mysql_select_db($db,$link) or die("Could not select $db! Error: ".mysql_error()); $result = mysql_query($query,$link) or $result = "Query Error!<p>Query: $query<p>Error: ".mysql_error(); mysql_close($link); return($result); } $firstname="'".$_POST['firstname']."'"; $surname="'".$_POST['surname']."'"; $address1="'".$_POST['address1']."'"; $address2="'".$_POST['address2']."'"; $town="'".$_POST['town']."'"; $county="'".$_POST['county']."'"; $postcode="'".$_POST['postcode']."'"; $phone="'".$_POST['phone']."'"; $email="'".$_POST['email']."'"; $class_set="'".$_POST['class_set']."'"; $query = "SELECT MAX(upn) + 1 as upn FROM students"; $result = doquery($query); $row = mysql_fetch_array($result); $upn = $row['upn']; $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, $firstname, $surname, $address1, $address2, $town, $county, $postcode, $phone, $email, $class_set)"; doquery($query); echo "<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\"> <tr> <td colspan=\"2\"><h3>Recorded Added</h3></td> </tr> <tr> <td width=\"150px\" class=\"form_labels\">Student Number</td> <td width=\"300px\" class=\"table_data\">".$upn."</td> </tr> <tr> <td class=\"form_labels\">First Name</td> <td class=\"table_data\">".$firstname."</td> </tr> <tr> <td class=\"form_labels\">Surname</td> <td class=\"table_data\">".$surname."</td> </tr> <tr> <td class=\"form_labels\">Address 1</td> <td class=\"table_data\">".$address1."</td> </tr> <tr> <td class=\"form_labels\">Address 2</td> <td class=\"table_data\">".$address2."</td> </tr> <tr> <td class=\"form_labels\">Town</td> <td class=\"table_data\">".$town."</td> </tr> <tr> <td class=\"form_labels\">County</td> <td class=\"table_data\">".$county."</td> </tr> <tr> <td class=\"form_labels\">Postcode</td> <td class=\"table_data\">".$postcode."</td> </tr> <tr> <td class=\"form_labels\">Phone Number</td> <td class=\"table_data\">".$phone."</td> </tr> <tr> <td class=\"form_labels\">Email</td> <td class=\"table_data\">".$email."</td> </tr> <tr> <td class=\"form_labels\">Class</td> <td class=\"table_data\">".$class_set."</td> </tr> </table>"; ?> Quote Link to comment Share on other sites More sharing options...
litebearer Posted January 12, 2012 Share Posted January 12, 2012 and the problem/issue is? Quote Link to comment Share on other sites More sharing options...
Berre Posted January 12, 2012 Share Posted January 12, 2012 They are displayed because your variables contains them. $firstname="'".$_POST['firstname']."'"; $surname="'".$_POST['surname']."'"; $address1="'".$_POST['address1']."'"; Either you could create your variables without quotations and add them in the query string, or you could fetch your newly added record from your database and echo it. The last could also confirm that the correct values were added, because what you echo isn't what you actually added, but what you tried to add. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 12, 2012 Share Posted January 12, 2012 The single-quotes that you are putting around each of the data values are part of the SQL syntax. They should only be present inside the query statement, not as part of each of your $firstname, $surname, ... data values. Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted January 12, 2012 Share Posted January 12, 2012 Just don't apply the quotes like that. Aplly the quotes directly in the query string, that way you can echo out the variables and not have to worry about stripping the quotes off to do it. <?php print "<H2>Thank you, <i>"; print $_POST['firstname']; print " "; print $_POST[ 'surname']; print "</i> has been sucessfully added to the system.</H2>"; print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>"; function doquery($query) { $db = "prs"; $link = mysql_connect("localhost","..........","........") or die("Could not connect to server! Error: ".mysql_error()); mysql_select_db($db,$link) or die("Could not select $db! Error: ".mysql_error()); $result = mysql_query($query,$link) or $result = "Query Error!<p>Query: $query<p>Error: ".mysql_error(); mysql_close($link); return($result); } $firstname= $_POST['firstname']; $surname= $_POST['surname']; $address1= $_POST['address1']; $address2= $_POST['address2']; $town= $_POST['town']; $county= $_POST['county']; $postcode= $_POST['postcode']; $phone= $_POST['phone']; $email= $_POST['email']; $class_set= $_POST['class_set']; $query = "SELECT MAX(upn) + 1 as upn FROM students"; $result = doquery($query); $row = mysql_fetch_array($result); $upn = $row['upn']; $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, '$firstname', '$surname', '$address1', '$address2', '$town', '$county', '$postcode', '$phone', '$email', '$class_set')"; doquery($query); echo "<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\"> <tr> <td colspan=\"2\"><h3>Recorded Added</h3></td> </tr> <tr> <td width=\"150px\" class=\"form_labels\">Student Number</td> <td width=\"300px\" class=\"table_data\">".$upn."</td> </tr> <tr> <td class=\"form_labels\">First Name</td> <td class=\"table_data\">".$firstname."</td> </tr> <tr> <td class=\"form_labels\">Surname</td> <td class=\"table_data\">".$surname."</td> </tr> <tr> <td class=\"form_labels\">Address 1</td> <td class=\"table_data\">".$address1."</td> </tr> <tr> <td class=\"form_labels\">Address 2</td> <td class=\"table_data\">".$address2."</td> </tr> <tr> <td class=\"form_labels\">Town</td> <td class=\"table_data\">".$town."</td> </tr> <tr> <td class=\"form_labels\">County</td> <td class=\"table_data\">".$county."</td> </tr> <tr> <td class=\"form_labels\">Postcode</td> <td class=\"table_data\">".$postcode."</td> </tr> <tr> <td class=\"form_labels\">Phone Number</td> <td class=\"table_data\">".$phone."</td> </tr> <tr> <td class=\"form_labels\">Email</td> <td class=\"table_data\">".$email."</td> </tr> <tr> <td class=\"form_labels\">Class</td> <td class=\"table_data\">".$class_set."</td> </tr> </table>"; ?> You should also make sure that you run some sanatisation on your field values to protect the inforation in your database from attack Quote Link to comment Share on other sites More sharing options...
concrete Posted January 13, 2012 Author Share Posted January 13, 2012 Thanks guys, Muddy_Funster I must owe you a pint by now!!! Thanks again. Quote Link to comment Share on other sites More sharing options...
concrete Posted January 13, 2012 Author Share Posted January 13, 2012 Hi Muddy_Funster, I was testing the site late last night and noticed that the data is being populated into the database! Can you help!! Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 13, 2012 Share Posted January 13, 2012 I was testing the site late last night and noticed that the data is being populated into the database! So, this is solved, correct? Quote Link to comment Share on other sites More sharing options...
litebearer Posted January 13, 2012 Share Posted January 13, 2012 Can you help!! My guess is not solved - perhaps is was meant to be isn't. and !! to be ?? Quote Link to comment Share on other sites More sharing options...
Muddy_Funster Posted January 13, 2012 Share Posted January 13, 2012 change your doquery function to use an or die(mysql_error()) on the query aswell. I don't think that your current code is going to capture the error properly, and as you are already using or die() for the connection and database, and as you are returning the mysql_error to the screen regardless, it's not much odds. change that over and let us know what comes back, also, could you clear up exactly what the issue is? Quote Link to comment Share on other sites More sharing options...
concrete Posted January 16, 2012 Author Share Posted January 16, 2012 Mundy_Funster: How do I change the doquery function? Thanks Quote Link to comment Share on other sites More sharing options...
Andy-H Posted January 16, 2012 Share Posted January 16, 2012 <?php if ( !empty($_POST) ) { print "<H2>Thank you, <i>"; print $_POST['firstname']; print " "; print $_POST[ 'surname']; print "</i> has been sucessfully added to the system.</H2>"; print "<a href=\"add_student.php\"><h4>Add Another Student</h4></a>"; } function doquery($query) { $db = "prs"; $link = mysql_connect("localhost","..........","........") or die("Could not connect to server! Error: ".mysql_error()); mysql_select_db($db,$link) or die("Could not select $db! Error: ".mysql_error()); $result = mysql_query($query,$link) or die("Query Error!<p>Query: $query<p>Error: ".mysql_error()); mysql_close($link); return($result); } /* Sanitize data for mysql query using mysql_real_escape_string */ function clean($data) { $db = "prs"; $link = mysql_connect("localhost","..........","........") or die("Could not connect to server! Error: ".mysql_error()); mysql_select_db($db,$link) or die("Could not select $db! Error: ".mysql_error()); if ( is_array($data) ) { $data = array_map('mysql_real_escape_string', $data); return $data; } return mysql_real_escape_string($data); } /* extract firstname, surname, address1, address2, town, county, postcode, phone, email, class_set */ $data = clean($_POST); // sanitize postdata for query extract($data, EXTR_SKIP); // extract postdata to variable with names ${array_key} i.e. $firstname $query = "SELECT MAX(upn) + 1 as upn FROM students"; $result = doquery($query); // we only use the associative array keys so don't fetch numeric indexes $row = mysql_fetch_assoc($result); $upn = $row['upn']; $query = "INSERT INTO students (upn, firstname, surname, address1, address2, town, county, postcode, phone, email, class_set) VALUES ($upn, '$firstname', '$surname', '$address1', '$address2', '$town', '$county', '$postcode', '$phone', '$email', '$class_set')"; doquery($query); echo "<table width=\"350px\" border=\"1\" cellspacing=\"0\" cellpadding=\"5\" bordercolor=\"#de5f57\" align=\"center\"> <tr> <td colspan=\"2\"><h3>Recorded Added</h3></td> </tr> <tr> <td width=\"150px\" class=\"form_labels\">Student Number</td> <td width=\"300px\" class=\"table_data\">". stripslashes(htmlentities($upn, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">First Name</td> <td class=\"table_data\">". stripslashes(htmlentities($firstname, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Surname</td> <td class=\"table_data\">". stripslashes(htmlentities($surname, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Address 1</td> <td class=\"table_data\">". stripslashes(htmlentities($address1, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Address 2</td> <td class=\"table_data\">". stripslashes(htmlentities($address2, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Town</td> <td class=\"table_data\">". stripslashes(htmlentities($town, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">County</td> <td class=\"table_data\">". stripslashes(htmlentities($county, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Postcode</td> <td class=\"table_data\">". stripslashes(htmlentities($postcode, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Phone Number</td> <td class=\"table_data\">". stripslashes(htmlentities($phone, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Email</td> <td class=\"table_data\">". stripslashes(htmlentities($email, ENT_QUOTES)) ."</td> </tr> <tr> <td class=\"form_labels\">Class</td> <td class=\"table_data\">". stripslashes(htmlentities($class_set, ENT_QUOTES)) ."</td> </tr> </table>"; // use stripslashes to escape backslashes added from htmlentities /// use htmlentities to escape html entities (surprise, surprise lol) and prevent cross-site-scripting ?> empty array_map mysql_real_escape_string mysql_fetch_assoc extract stripslashes htmlentities Cross Site Scripting (XSS) have a read. P.S. I know I shouldn't be doing his homework, but I tried to make it easy for him to understand, so don't start bitching. Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted January 16, 2012 Share Posted January 16, 2012 You should NOT be opening and closing your database connection inside of your functions. It takes a relatively long time to open a database connection. On any page that needs a database connection, you need to open the connection once in your main program scope and leave it open until you no longer need it or more simply let php close it when the script on the page ends. If code inside your function(s) needs a specific database connection, you need to pass the connection link resource into the function as a call time parameter (so that you could, if needed, use multiple different database connections.) Quote Link to comment Share on other sites More sharing options...
Andy-H Posted January 16, 2012 Share Posted January 16, 2012 You should NOT be opening and closing your database connection inside of your functions. It takes a relatively long time to open a database connection. On any page that needs a database connection, you need to open the connection once in your main program scope and leave it open until you no longer need it or more simply let php close it when the script on the page ends. If code inside your function(s) needs a specific database connection, you need to pass the connection link resource into the function as a call time parameter (so that you could, if needed, use multiple different database connections.) Wouldn't have done it that way myself, was just conforming to his programming style, don't even know if it was necessary to be honest, as it would use the last opened connection, and, although it was opened in a different scope, I don't think that would have mattered since I didn't pass the resource to mysql_real_escape would it? Although I suppose if he sanitized data before calling doquery, it would be. Also, if I wanted to be pedantic, I would have said to use echo instead of print as it's supposedly marginally faster due to the fact that it outputs an error on failure, whereas echo doesn't and I've never seen either one fail in 6 years of programming. Quote Link to comment Share on other sites More sharing options...
concrete Posted January 16, 2012 Author Share Posted January 16, 2012 Thanks everyone for all your help! Cheers Andy-H, thanks for all you help but, my tutor gave us part of this script and we have to stick to that. I would love to insert your code but I would be dock marks for doing so. I figured out my error and all is good in my world until i hit the next php wall! Quote Link to comment Share on other sites More sharing options...
Andy-H Posted January 16, 2012 Share Posted January 16, 2012 Good luck, if your tutor codes like that; you're gonna need it lol Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.