Php not displaying properly
Hi,
I am trying to retrieve some data from a MySQL database using PHP, and I am having issues displaying the details.
The page for selecting the correct entry is:
<?php
$dbcnx = @mysql_connect('localhost', 'uname', 'pword');
if(!$dbcnx) {
    exit('<p>Unable to connect to the database server at this time</p>');
}
if (!@mysql_select_db('neus_KHT')) {
    exit('<p>Unable to locate the database at this time</p>');
}
$names = @mysql_query('SELECT id, name FROM ppagestbl');
if(!$names) {
    exit('<p>Unable to locate the list from the database at this time</p>');
}
?>
<form action="ppages.php" method="post">
<label>Name of Volunteer/Event:</label>
<select name="id" size="1">
<option selected value="">Choose Volunteer</option>
<?php
while ($name = mysql_fetch_array($names)) {
    $vid = $name['id'];
    $vname = htmlspecialchars($name['name']);
    echo "<option value='$vid'>$vname</option>\n";
}
?>
and the code for the button is
<?php
$dbcnx = @mysql_connect('localhost', 'uname', 'pwd');
if(!$dbcnx) {
    exit('<p>Unable to connect to the server at this time</p>');
}
if ((!@mysql_select('ppagestbl')) && (!@mysql_select('donationstbl'))) {
    exit('<p>Unable to connect to the databases at this time</p>');
}
//select command
$vid = $_POST['vid'];
$select = "SELECT name, subtitle";
$from = " FROM ppagestbl";
$where = " WHERE id='$vid'";
echo "$vid";
$information = @mysql_query($select . $from . $where);
$name = htmlspecialchars($information['name']);
$sub = htmlspecialchars($information['subtitle']);
echo "$vid";
echo "Test";
echo "$name";
echo "$sub";
?>
However, despite the selection list displaying the options correctly, the information I try to get is then not displayed on the next page. Any ideas on where it is going wrong?
thanks
Paul
Shaggy posted this at 18:04 — 12th February 2009.
$information is a pointer to a result set, it isn't the results yet.
You'll need to:
$row = mysql_fetch_assoc($information);
Then you can:
echo $row['name'];
etc.
Also, it'd be a great idea to validate and escape $_POST['vid'] string to avoid SQL injection vulnerabilities.
Cheers,
Shaggy
kht posted this at 14:45 — 13th February 2009.
Thanks for the help Shaggy, although it seems to not be working still.
Also, could you further explain what you meant by:
I am very new to PHP, i.e. this is the first thing I have ever written in it.
Thanks for your help
Paul
pr0gr4mm3r posted this at 15:19 — 13th February 2009.
One of the ways to escape the data is to use the mysql_real_escape_string() function. The PHP manual page for that function does explain SQL injection a bit and practices to protect against it.
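The validate-and-escape advice in the replies above, as an added example that is not part of the original posts: the concatenated query pattern from the question next to a version that validates the id and binds it as a parameter. The `mysql_*` extension was removed in PHP 7.0, so this uses PDO, where a bound parameter takes the place of `mysql_real_escape_string()`. Assumptions: an in-memory SQLite database stands in for the MySQL server so the script runs without one, the table rows are constructed sample data, and `lookup_concatenated()` and `lookup_bound()` are hypothetical helper names.

```php
<?php
// Constructed stand-in for ppagestbl; SQLite in memory replaces the MySQL server (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE ppagestbl (id INTEGER PRIMARY KEY, name TEXT, subtitle TEXT)");
$db->exec("INSERT INTO ppagestbl VALUES (1, 'Alice', 'Fun run'), (2, 'Bob', 'Bake sale')");

// Pattern from the question: the posted value is pasted straight into the SQL text.
function lookup_concatenated(PDO $db, $vid) {
    $sql = "SELECT name, subtitle FROM ppagestbl WHERE id='$vid'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a positive integer, then bind it instead of concatenating.
function lookup_bound(PDO $db, $vid) {
    $id = filter_var($vid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return [];   // reject anything that is not a plain id
    }
    $stmt = $db->prepare('SELECT name, subtitle FROM ppagestbl WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary id, and a value that rewrites the WHERE clause.
// On the real page the value would come from $_POST['id'], the name of the <select>.
$inputs = ['2', "x' OR '1'='1"];
foreach ($inputs as $posted) {
    printf("input %-20s concatenated: %d row(s), bound: %d row(s)\n",
        var_export($posted, true),
        count(lookup_concatenated($db, $posted)),
        count(lookup_bound($db, $posted)));
}

// Output is still passed through htmlspecialchars(), as in the original page.
foreach (lookup_bound($db, '2') as $row) {
    echo htmlspecialchars($row['name']), ' - ', htmlspecialchars($row['subtitle']), "\n";
}
```

Comparing the row counts for the two inputs shows the difference: the concatenated query lets the second value match every row, while the validated, bound lookup rejects it before any SQL runs.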
kht posted this at 16:22 — 13th February 2009.
Hey, I have managed to get it all working, thanks for the help. It turns out there was an error in my SQL code, although by basically rewriting it I have lost a few lines of code, and I will also look into the escape string function. Thanks for your help guys!!
Paul