Charwil Posted July 23, 2014

Hello, I recently posted here about an issue I was having with my database-orientated products page. I have now run into another problem where, say, if /db.php was typed or /db.php?p=IDoNotExist was typed, it returns blank. I have in my code the desired content to be displayed, but it just doesn't seem to want to make a show. I was also wondering if it is possible to show different content for whatever the URL is, so for no parameter, the content about the products, and for a non-existent one, maybe "Product not found"? Here is my code:

```php
<?php
$db=mysql_connect ("localhost", "webwibco_charlie", "Hello123") or die ('I cannot connect to the database because: ' . mysql_error());
$mydb=mysql_select_db("webwibco_products");
include("header.php");
$status = htmlspecialchars( @$_GET ['p'] );
if ($status == "floorpuzzles") {
    echo "<h1>Our Floor Puzzles</h1>";
    $sql="SELECT ID, Name, Tags, Description, Category FROM products WHERE Category LIKE '%" . FloorPuzzles . "%'";
    $result=mysql_query($sql);
    while($row=mysql_fetch_array($result)){
        $Name =$row['Name'];
        $ID =$row['ID'];
        $Description =$row['Description'];
        echo "<div class=\"box\">";
        echo "<h1>$Name</h1>";
        echo "<div class=\"floorbox\"><a href=\"?p=$ID\"><img src=\"images/products/catalogue/big/floorpuzzles/$ID.jpg\" class=\"small\"></a></div>";
        echo "<h2>$Description</h2>";
        echo "</div>";
    }
?>
<?
}else{
    if ($status == $_GET["p"]) {
        $sql="SELECT ID, Name, Tags, Description, Pieces, Size, Barcode, Category FROM products WHERE ID = '" . $_GET['p'] . "'";
        $result=mysql_query($sql);
        while($row=mysql_fetch_array($result)){
            $Name =$row['Name'];
            $ID =$row['ID'];
            $Description =$row['Description'];
            $Pieces =$row['Pieces'];
            $Size =$row['Size'];
            $Barcode =$row['Barcode'];
            echo "<div class=\"1\">";
            echo "<h1>$Name</h1>";
            echo "<div class=\"bigbox\">";
            echo "<div class=\"floorbox\"><img src=\"images/products/catalogue/big/floorpuzzles/$ID.jpg\" class=\"big\"></div>";
            echo "</div>";
            echo "</div>";
            echo "<div class=\"2\">";
            echo "<p>Puzzle Pieces: $Pieces</p> <p>Puzzle Size: $Size</p> <p>Barcode: $Barcode</p>";
            echo "</div>";
        }
    }else{
?>
<?
        echo"<h1>Our Products</h1>
        <p>Our jigsaw puzzles are hand cut by skilled craftsmen and therefore each one is unique with self-correcting pieces. There is a strict quality control process at all stages by our highly experienced staff. The puzzles are durable and provide fun and excitement, enhancing learning and a child’s development.<p>
        <p>All of our jigsaws are made using materials from sustainable resources grown in managed forests. Where possible we support companies in the UK and source our components locally, most of our suppliers are in the East Midlands, many in Derbyshire and Nottinghamshire. We keep packaging to a minimum and take our environmental and ethical responsibilities very seriously.</p>
        <p>Reducing waste and recycling was a way of life for us before it became fashionable. We are constantly searching for new ideas and consult teachers when developing our jigsaws, which are often used within the national curriculum.</p>
        <p>As well as making our own range, we manufacture for leading suppliers to the education market. Check for \"Made in Britain\" and it is probably made by us.</p>
        <p>We have a wide variety of products available for viewing, from classic floor puzzles to innovative inset trays. You can take a look at all our products on this page, simply use the navigation buttons to your left.</p>";
    }
}
include("footer.php");
?>
```

The final echo is what I wish to be displayed on the URL without or with an invalid parameter. Here is my site URL: http://www.webwib.co.uk/JustJigsaws/search.php (note that only the "Floor Puzzles" category has content within it). Thank you in advance for assistance.
ginerjm Posted July 24, 2014 (edited July 24, 2014 by ginerjm)

Turn on php error checking and do a simple test on the results of your query and you should see an error or two. Your first query statement is flawed. What is FloorPuzzles? You have this undefined string of characters hung in the middle of your query. That won't execute. And, really? You are burying your info (data) on a product in your script instead of a db table? Really?
Jacques1 Posted July 24, 2014

The whole code is badly broken and really needs a major rewrite. A lot of this doesn't even make sense. The mysql_* functions have been obsolete for more than 10(!) years and will be removed in one of the next PHP releases. Haven't you seen the big red warning signs in the manual? Nowadays, we use PDO. You need to start thinking about security. You can't just drop raw user input into SQL queries or your HTML document, because this allows anybody to inject malicious code and attack your server or your users. Read up on security basics like escaping and prepared statements. Don't use PHP/HTML spaghetti code. Keep all your PHP application logic on top of the script and all HTML markup at the very bottom. This will also fix this backslash jungle. You set status to htmlspecialchars( @$_GET ['p'] ) and then check for $status == $_GET["p"]. Um, what? When exactly do you expect this condition to not be true? ... Whatever book or tutorial or person you've learned PHP from: Keep away from them in the future. This is (bad) 90s code. Check out the links above to learn proper and modern PHP. It also helps to read the manual to keep up-to-date (careful with examples and the comment section, though).
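As an added example (editor's code, not Charwil's script and not something posted in the thread), here is the same search.php rebuilt the way the reply above describes: PDO with real prepared statements so nothing from `?p=` is ever concatenated into SQL, a whitelist that maps the URL value to the exact Category string (which also removes the bare `FloorPuzzles` token that ginerjm flagged), escaping applied at output time with a single helper rather than at input time, all decisions made before any HTML is emitted, and the three outcomes Charwil asked for: no parameter shows the introduction, an unknown parameter or a non-existent ID shows "Product not found" with a 404, a valid ID shows the product. Assumptions not confirmed by the post: the `products` table has the columns ID, Name, Description, Pieces, Size, Barcode and Category as the original queries imply; a hypothetical `config.php` supplies `$dbUser` and `$dbPass` instead of hard-coding them; PHP 7.1 or newer.

```php
<?php
// Added example, not code from the thread: search.php rebuilt along the lines
// Jacques1 describes. Assumptions (not confirmed by the post): the `products`
// table really has the columns ID, Name, Description, Pieces, Size, Barcode and
// Category; a hypothetical config.php defines $dbUser and $dbPass; PHP >= 7.1.
declare(strict_types=1);

error_reporting(E_ALL);          // surface the undefined-constant and query errors
ini_set('display_errors', '0');  // ...in the error log, not in the page served to visitors
ini_set('log_errors', '1');

require __DIR__ . '/config.php'; // hypothetical: sets $dbUser and $dbPass

// Whitelist: what ?p= may contain (key) and the exact value stored in
// products.Category (value). Anything else is either a numeric product ID
// or "not found"; nothing taken from the URL reaches the SQL text itself.
const CATEGORIES = [
    'floorpuzzles' => 'FloorPuzzles',
];

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // a failing query throws instead of returning false
        PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Escape at output time, for HTML. Untyped on purpose: integer columns come
// back as int from a non-emulating PDO, and strict_types would reject them.
function e($value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** All products in one category; the category string is bound, never concatenated. */
function productsInCategory(PDO $db, string $category): array
{
    $stmt = $db->prepare(
        'SELECT ID, Name, Description FROM products WHERE Category = :cat ORDER BY Name'
    );
    $stmt->execute([':cat' => $category]);
    return $stmt->fetchAll();
}

/** One product by numeric ID, or null when no such row exists. */
function productById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT ID, Name, Description, Pieces, Size, Barcode FROM products WHERE ID = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// ---- application logic first: decide which view to render, emit no HTML yet ----
$p    = isset($_GET['p']) && is_string($_GET['p']) ? $_GET['p'] : ''; // ?p[]=x is treated as absent
$view = 'intro';                                                       // /search.php with no parameter
$data = null;

if ($p !== '') {
    $db = connect('mysql:host=localhost;dbname=webwibco_products;charset=utf8mb4', $dbUser, $dbPass);
    if (isset(CATEGORIES[$p])) {
        $view = 'category';
        $data = productsInCategory($db, CATEGORIES[$p]);
    } elseif (ctype_digit($p) && strlen($p) <= 9) {          // digits only, small enough for (int)
        $data = productById($db, (int) $p);
        $view = $data === null ? 'notfound' : 'product';     // ?p=999999 with no matching row
    } else {
        $view = 'notfound';                                  // ?p=IDoNotExist
    }
}

// ---- markup last: every value from the database or the URL goes through e() ----
include 'header.php';
switch ($view) {
    case 'category':
        echo '<h1>Our Floor Puzzles</h1>';
        foreach ($data as $row) {
            $id = (int) $row['ID'];
            echo '<div class="box"><h1>' . e($row['Name']) . '</h1>'
               . '<div class="floorbox"><a href="?p=' . $id . '">'
               . '<img src="images/products/catalogue/big/floorpuzzles/' . $id . '.jpg" class="small"></a></div>'
               . '<h2>' . e($row['Description']) . '</h2></div>';
        }
        break;
    case 'product':
        $id = (int) $data['ID'];
        echo '<div class="1"><h1>' . e($data['Name']) . '</h1><div class="bigbox"><div class="floorbox">'
           . '<img src="images/products/catalogue/big/floorpuzzles/' . $id . '.jpg" class="big"></div></div></div>'
           . '<div class="2"><p>Puzzle Pieces: ' . e($data['Pieces']) . '</p>'
           . '<p>Puzzle Size: ' . e($data['Size']) . '</p>'
           . '<p>Barcode: ' . e($data['Barcode']) . '</p></div>';
        break;
    case 'notfound':
        http_response_code(404);
        echo '<h1>Product not found</h1><p>' . e($p) . ' is not a product or category we know.</p>';
        break;
    default:
        echo '<h1>Our Products</h1>';
        echo '<p>Our jigsaw puzzles are hand cut by skilled craftsmen and therefore each one is unique with self-correcting pieces.</p>';
        // the remaining introductory paragraphs from the first post go here
}
include 'footer.php';
```

Two things worth checking once this is in place: request `?p=' OR '1'='1` and confirm it lands on the 404 branch rather than listing every product, which is what the original `WHERE ID = '...'` concatenation allowed; and put an ampersand or a `<` in a product name in the database and confirm it renders literally, which is what escaping on output rather than on input buys you. Because `ERRMODE_EXCEPTION` is set, a broken query now throws a `PDOException` that shows up in the error log instead of silently producing the blank page the first post describes.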
Charwil (Author) Posted July 24, 2014

> Turn on php error checking and do a simple test on the results of your query and you should see an error or two. Your first query statement is flawed. What is FloorPuzzles? You have this undefined string of characters hung in the middle of your query. That won't execute. And, really? You are burying your info (data) on a product in your script instead of a db table? Really?

FloorPuzzles is the data in the Category db row, so it looks for FloorPuzzles in that row and returns all that have it. What do you mean I've buried my data in a script? It's in a db table...

> The whole code is badly broken and really needs a major rewrite. A lot of this doesn't even make sense. The mysql_* functions have been obsolete for more than 10(!) years and will be removed in one of the next PHP releases. Haven't you seen the big red warning signs in the manual? Nowadays, we use PDO. You need to start thinking about security. You can't just drop raw user input into SQL queries or your HTML document, because this allows anybody to inject malicious code and attack your server or your users. Read up on security basics like escaping and prepared statements. Don't use PHP/HTML spaghetti code. Keep all your PHP application logic on top of the script and all HTML markup at the very bottom. This will also fix this backslash jungle. You set status to htmlspecialchars( @$_GET ['p'] ) and then check for $status == $_GET["p"]. Um, what? When exactly do you expect this condition to not be true? ... Whatever book or tutorial or person you've learned PHP from: Keep away from them in the future. This is (bad) 90s code. Check out the links above to learn proper and modern PHP. It also helps to read the manual to keep up-to-date (careful with examples and the comment section, though).

Thank you, I will take a look into PDO. As for security, that's something I work on once everything works correctly, although there is nothing for a user to inject into as of now. I wanted it to check the status as that section is to display a single product in more detail. The link on the category list page is directed to the product's ID, so the check will return, for example, "123456" and will set that query to work for that ID, then later on it uses it again to check for the ID in the database and return that. I managed to achieve what I wanted to in this thread last night excluding the invalid parameter, which I guess is a flaw with what I said above; I think that's what you were trying to get at now. Thanks for the advice.
ginerjm Posted July 24, 2014

FloorPuzzles is undefined. It is nothing but an error waiting to be revealed when you turn on php error checking. Whatever do you think it is? It is NOT a php variable. It is not a constant. It is not a string. It is a set of ascii characters that mean nothing to the php interpreter and therefore will show you an error message.